Hi there,

      I was wondering if we can have the SSL subsystem move away from TLS 1.2 and use forward secrecy and either AES-GCM or CHACHA20_POLY1305, as per the deprecation of TLS features / algorithms?
      I am by no means an expert, but I noticed when I enabled HTTPS on the default Jenkins install (from a fresh apt-get on a new machine) and imported my SSL certificates into the keystore that the first warning Chrome gave was about the outdated TLS 1.2 connection method.

          [JENKINS-29288] TLS 1.2 deprecation

          Daniel Beck added a comment -

          I think the configuration for this is done through JSSE.
          http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms

          Instructions for a different application seem relevant here as well: http://www.papercut.com/kb/Main/SSLCipherConfiguration


          Ian Moroney added a comment -

          This isn't quite correct for the scope of this issue but may be getting close.
          The issue isn't surrounding bad certificate algorithms, but specifically the connection algorithms being used.

          Perhaps a more appropriate thing to modify would be jdk.tls.disabledAlgorithms

          jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

          and / or
          jdk.tls.client.protocols perhaps?

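          The two knobs named in the comments above are JSSE security properties, so the way to see what they actually do is to set them and then inspect what the JDK's default SSLContext still offers. The program below is an added example and is not code from Jenkins or from this issue: it applies a hardened jdk.tls.disabledAlgorithms value (the value is an assumption of this example, a stricter superset of the JDK 8 default quoted above), lists the protocols and cipher suites that survive, and keeps only forward-secret AEAD suites (ECDHE/DHE with AES-GCM or CHACHA20_POLY1305, which is what the reporter asked for) before applying that list to a server socket. The class and method names are this example's own.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class JsseHardening {

    // Hypothetical hardened value for this example (not from the issue): the JDK 8
    // default is "SSLv3, RC4, DH keySize < 768"; this also drops TLS 1.0/1.1,
    // single DES, MD5 signatures and small DH/EC groups. Protocol names in this
    // property are honoured by JDK 8u31 and later.
    static final String DISABLED_ALGORITHMS =
        "SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224";

    // Forward secrecy comes from an ephemeral (EC)DH key exchange; AEAD means
    // AES-GCM or ChaCha20-Poly1305 (the latter only exists in Java 12+ JSSE).
    static boolean isForwardSecretAead(String suite) {
        boolean ephemeral = suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_");
        boolean aead = suite.contains("_GCM_") || suite.contains("_CHACHA20_POLY1305_");
        return ephemeral && aead;
    }

    // Cipher suites left enabled after the disabledAlgorithms property is applied,
    // narrowed to the forward-secret AEAD subset.
    static List<String> hardenedSuites(SSLContext ctx) {
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        return Arrays.stream(defaults.getCipherSuites())
            .filter(JsseHardening::isForwardSecretAead)
            .collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // This is a *security* property (java.security), not a -D system property,
        // and it is read when JSSE initialises, so it must be set before the first
        // SSLContext is created in the JVM.
        Security.setProperty("jdk.tls.disabledAlgorithms", DISABLED_ALGORITHMS);

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Enabled protocols: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        List<String> keep = hardenedSuites(ctx);
        System.out.println("Forward-secret AEAD suites still enabled:");
        keep.forEach(s -> System.out.println("  " + s));

        // Apply the same policy explicitly to a listening socket, as a servlet
        // container's HTTPS connector would. No handshake happens here, so no
        // keystore is needed for the demonstration.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledProtocols(new String[] {"TLSv1.2"});
            server.setEnabledCipherSuites(keep.toArray(new String[0]));
            SSLParameters params = server.getSSLParameters();
            params.setUseCipherSuitesOrder(true); // server, not client, picks the suite
            server.setSSLParameters(params);
            System.out.println("Listening on port " + server.getLocalPort() + " with "
                + server.getEnabledCipherSuites().length + " suites");
        }
    }
}
```

          For the Jenkins process itself you cannot run code before JSSE initialises, so the equivalent is to put the same `jdk.tls.disabledAlgorithms=...` line in the JRE's `java.security` file (the file the JSSE reference guide linked above documents) or in a separate file passed with `-Djava.security.properties=<file>`, which the JDK merges over the defaults. Note that this property only removes algorithms; it cannot add AES-GCM or ChaCha20 suites the installed JDK does not implement, and the suite order a client sees is still decided by the servlet container's connector configuration.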

            Assignee: Unassigned
            Reporter: Ian Moroney (lazarix)