JENKINS-71733

The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.


      We use Jenkins 2.375.2 on OpenJDK 11,

      and we are getting the vulnerability "The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits."

      On port 8443

      Vulnerable connection combinations :

        SSL/TLS version  : TLSv1.2
        Cipher suite     : TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256
        Diffie-Hellman MODP size (bits) : 1024
          Warning - This is a known static Oakley Group2 modulus. This may make
          the remote host more vulnerable to the Logjam attack.
        Logjam attack difficulty : Hard (would require nation-state resources)

        SSL/TLS version  : TLSv1.2
        Cipher suite     : TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256
        Diffie-Hellman MODP size (bits) : 1024
          Warning - This is a known static Oakley Group2 modulus. This may make
          the remote host more vulnerable to the Logjam attack.
        Logjam attack difficulty : Hard (would require nation-state resources)

        SSL/TLS version  : TLSv1.2
        Cipher suite     : TLS12_DHE_RSA_WITH_AES_256_GCM_SHA384
        Diffie-Hellman MODP size (bits) : 1024
          Warning - This is a known static Oakley Group2 modulus. This may make
          the remote host more vulnerable to the Logjam attack.
        Logjam attack difficulty : Hard (would require nation-state resources)

        SSL/TLS version  : TLSv1.2
        Cipher suite     : TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256
        Diffie-Hellman MODP size (bits) : 1024
          Warning - This is a known static Oakley Group2 modulus. This may make
          the remote host more vulnerable to the Logjam attack.
        Logjam attack difficulty : Hard (would require nation-state resources)

        SSL/TLS version  : TLSv1.2
        Cipher suite     : TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        Diffie-Hellman MODP size (bits) : 1024
          Warning - This is a known static Oakley Group2 modulus. This may make
          the remote host more vulnerable to the Logjam attack.
        Logjam attack difficulty : Hard (would require nation-state resources)


      I updated the java.security file with the configuration below:

      [root@daldpmaster101 ~]# java -version
      openjdk version "11.0.19" 2023-04-18 LTS

      /etc/java/java-11-openjdk/java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64/conf/security/java.security

      jdk.tls.disabledAlgorithms=SSLv2Hello, TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 2048, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS1_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS1_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS12_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS12_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS12_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, DH_anon, ECDH_anon, anon, NULL, include jdk.disabled.namedCurves

      but it is still not fixed.

      Please let me know if you have any steps to fix this.
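A verification step worth running before re-scanning port 8443, added here as an example (it is not part of this issue and not Jenkins project code): a small Java program, run with the same java binary that starts Jenkins, that prints which JDK is in use, the jdk.tls.disabledAlgorithms value that JDK actually loaded, the jdk.tls.ephemeralDHKeySize system property (which governs the size of the DH parameters a JSSE server generates; unset means the JDK's built-in default applies), and the DHE cipher suites still enabled by default. The class name DheCheck is hypothetical. JSSE standard cipher-suite names have the form TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; the TLS1_ and TLS12_ prefixed names in the scanner output are the scanner's own notation, so the program prints the JSSE names for comparison against the entries in java.security.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * DheCheck (hypothetical name): report what the running JVM enables for TLS.
 *
 * Compile and run with the exact JDK that launches Jenkins, e.g.
 *   javac DheCheck.java
 *   /path/to/jenkins-jdk/bin/java DheCheck
 * If java.home below is not the JDK whose java.security was edited, the edit
 * is simply never read by the Jenkins process, which explains an unchanged scan.
 */
public class DheCheck {

    /** Return the subset of suites that use ephemeral (finite-field) DH key exchange. */
    static List<String> dheSuites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            // JSSE names: TLS_DHE_RSA_..., TLS_DHE_DSS_..., SSL_DHE_...; exclude ECDHE.
            if (s.contains("_DHE_") && !s.contains("_ECDHE_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // 1. Which JDK is this, and which java.security is it therefore reading?
        //    JDK 9+: <java.home>/conf/security/java.security
        //    JDK 8:  <java.home>/lib/security/java.security
        System.out.println("java.home              = " + System.getProperty("java.home"));
        System.out.println("java.version           = " + System.getProperty("java.version"));

        // 2. The security property as loaded (java.security plus any
        //    -Djava.security.properties override given on the command line).
        System.out.println("jdk.tls.disabledAlgorithms =");
        System.out.println("    " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // 3. Server-side ephemeral DH size; null means the JVM default is in force.
        System.out.println("jdk.tls.ephemeralDHKeySize = "
                + System.getProperty("jdk.tls.ephemeralDHKeySize"));

        // 4. Protocols and cipher suites a default JSSE server would offer.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("default protocols      = "
                + String.join(", ", ctx.getDefaultSSLParameters().getProtocols()));

        SSLServerSocketFactory ssf =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> dhe = dheSuites(ssf.getDefaultCipherSuites());
        if (dhe.isEmpty()) {
            System.out.println("No DHE cipher suites are enabled by default.");
        } else {
            System.out.println("DHE cipher suites still enabled by default:");
            for (String s : dhe) {
                System.out.println("    " + s);
            }
        }
    }
}
```

If DHE suites still appear, the JDK either did not read the edited file or the names in it do not match the JSSE names printed; if none appear but the scanner still reports 1024-bit DH on 8443, the TLS endpoint the scanner is talking to is not this JVM's default JSSE configuration (for instance, a proxy or a separately configured listener in front of Jenkins).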

            phreakadelle Stephan Watermeyer
            sandeepm257 Sandeep Manikkara