• Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: core
    • Environment: Jenkins ver. 2.170
      Linux, Chrome 73.0.3683.86, IE 11.112.17134.0, Firefox 67.0b4 (64-bit)

      Jenkins ver. 2.170

      Running from shell:

      java -jar jenkins.war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=jenkin.jks --httpsKeyStorePassword=TopSecret


      Opening it from a browser I get an error:

      Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

      FireFox: Error code: SSL_ERROR_NO_CYPHER_OVERLAP 

      IE: Your TLS security settings aren’t set to the defaults


          [JENKINS-56747] Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

          Gil Br created issue -
          Oleg Nenashev made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: security-inspector-plugin [ 21938 ]

          Oleg Nenashev added a comment -

          Using the embedded Jenkins HTTPS engine is not really advised for Jenkins. Please consider using an external HTTPS endpoint powered by nginx or whatever.

          CC olamy , might be related to the recent Winstone update

          Daniel Beck made changes -
          Labels Original: security New: regression security

          Olivier Lamy added a comment -

          gberesta71 I need more details:

          • You upgraded from which version?
          • what is your java version?
          • please note the coming 2.169 will have a new option to configure ciphers (due to security issues, recent versions have been more strict regarding the cipher exclusion list; see https://github.com/eclipse/jetty.project/issues/2807, so this might be the cause of your problem?). With the coming 2.169 you will be able to change the cipher exclusion list, see JENKINS-56591.


          Gil Br added a comment -

          Hi Olivier,


          I've upgraded to 2.169

          I started testing the secured option from 2.168 (no early trail)

          Now running:

          java -jar jenkins.war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=jenkin.jks --httpsKeyStorePassword=TopSecret --excludeCipherSuites="^SSL_.*$"

          Same result...

          Can you hint at what the value of excludeCipherSuites needs to be here?

          Added logfile: nohup.txt


          Best Regards,

          Gil


          Gil Br added a comment -

          Using --excludeCipherSuites=".*"

          I get:

          ERR_SSL_PROTOCOL_ERROR


          WARNING: No supported ciphers from [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]


          Olivier Lamy added a comment -

          gberesta71 using 

          --excludeCipherSuites=".*" 

          you are excluding all ciphers, which is not what you want.

          This option is the list of excluded/not supported cipher suites.

          So if you want to accept all, use (note it's only a space, but it's definitely not recommended!)

          --excludeCipherSuites=" " 

          To use the previous Jetty exclusions:

          --excludeCipherSuites="^.*_(MD5|SHA|SHA1)$" 

          see Jetty change here: https://github.com/eclipse/jetty.project/commit/5e07592a692e7400cd641e608decd8e0c942872d


          Gil Br added a comment -

          Many thanks for the explanation, however...


          Tried:

          --excludeCipherSuites="^.*_(MD5|SHA|SHA1)$"

          Got error:

          WARNING: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@50029372[provider=null,keyStore=null,trustStore=null]

          ERR_SSL_VERSION_OR_CIPHER_MISMATCH

          Tried:

          --excludeCipherSuites=" "

          WARNING: Weak cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA enabled for SslContextFactory@50029372[provider=null,keyStore=null,trustStore=null]

          ERR_SSL_VERSION_OR_CIPHER_MISMATCH


          Gil

          Any other suggestions or information?

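          Olivier's explanation of --excludeCipherSuites above, and the two runs Gil reports here (a weak-cipher warning on TLS_RSA_WITH_AES_128_GCM_SHA256 after excluding ^.*_(MD5|SHA|SHA1)$, and one on SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA with the single-space value), can be reproduced offline by modelling how Jetty applies the exclusion list. The following Python is an added example, not code from Jenkins, Winstone, Jetty or anyone in this thread. The cipher list is a constructed subset of the JDK list printed in the "No supported ciphers" warning earlier in the thread; the JETTY_DEFAULT_EXCLUDES patterns are my recollection of Jetty 9.4's defaults and are marked as an assumption in the code.

```python
"""Model Winstone/Jetty --excludeCipherSuites handling.

Added example, not code from Jenkins, Winstone or Jetty. Jetty's
SslContextFactory treats each exclude entry as a java.util.regex
pattern and drops a suite when Pattern.matcher(suite).matches()
succeeds, i.e. on a whole-string match, which re.fullmatch mirrors.
"""
import re

# Constructed subset of the JDK cipher list shown in this thread's
# "No supported ciphers from [...]" warning (JDK order preserved).
JDK_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "SSL_RSA_WITH_NULL_MD5",
]

# ASSUMPTION: the patterns Jetty 9.4 excludes by default and matches
# against when it logs "Weak cipher suite ... enabled". Verify against
# the SslContextFactory source of the Jetty bundled in your Winstone.
JETTY_DEFAULT_EXCLUDES = [
    r"^.*_(MD5|SHA|SHA1)$",
    r"^TLS_RSA_.*$",
    r"^SSL_.*$",
    r"^.*_NULL_.*$",
    r"^.*_anon_.*$",
]

# The four values tried in this thread, in the order they were tried.
THREAD_VALUES = ["^SSL_.*$", ".*", "^.*_(MD5|SHA|SHA1)$", " "]


def _matches_any(suite, patterns):
    """Java Pattern.matcher(suite).matches() semantics: whole string."""
    return any(re.fullmatch(p, suite) for p in patterns)


def select_suites(available, exclude_patterns):
    """Suites that survive the exclusion list, in the JDK's order."""
    return [s for s in available if not _matches_any(s, exclude_patterns)]


def weak_suites(selected, weak_patterns=JETTY_DEFAULT_EXCLUDES):
    """Selected suites Jetty would still report as weak."""
    return [s for s in selected if _matches_any(s, weak_patterns)]


def apply_option(exclude_value, available=JDK_SUITES):
    """Model one run with --excludeCipherSuites=<exclude_value>.

    The thread passes a single pattern per run, so the value is used as
    one exclude entry; how Winstone splits several patterns is not
    modelled here.
    """
    selected = select_suites(available, [exclude_value])
    return {"selected": selected, "weak": weak_suites(selected)}


if __name__ == "__main__":
    for value in THREAD_VALUES:
        result = apply_option(value)
        print(f'--excludeCipherSuites="{value}"')
        if not result["selected"]:
            print("  no supported ciphers left (Jetty warns, handshake fails)")
        print(f'  enabled: {len(result["selected"])} of {len(JDK_SUITES)}')
        for suite in result["weak"]:
            print(f"  WARNING: Weak cipher suite {suite} enabled")
```

          Two things the model makes visible: the single-space value excludes nothing, because a pattern of one space never fully matches a suite name, which is why every weak suite is then reported; and ^.*_(MD5|SHA|SHA1)$ still leaves the ECDHE AES-GCM suites enabled, so that exclusion list alone does not account for the browser's cipher-mismatch error, which this thread leaves unresolved.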

          Olivier Lamy added a comment -

          Weird.

          What is the Java version? (You can see it in the output of the start.)

          I don't mind this warning, because you do not exclude non-safe ciphers:

          WARNING: Weak cipher suite SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA enabled for  

          But is this from Chrome? ERR_SSL_VERSION_OR_CIPHER_MISMATCH?

          Do you have an up-to-date version?

          What is your architecture? Are you accessing Jenkins via a proxy?


            Assignee: Olivier Lamy (olamy)
            Reporter: Gil Br (gberesta71)