Jenkins / JENKINS-23925

SSL weak ciphers

    Details

    • Type: Improvement
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Won't Fix
    • Component/s: core
    • Labels:
      None
    • Environment:
      Debian wheezy amd64
      Description

      sslscan detects the following weak (<128 bits) ciphers (when using jetty/https):

      Supported Server Cipher(s):
      Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 56 bits DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-DES-CBC-SHA
      Accepted SSLv3 40 bits EXP-RC4-MD5
      Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 56 bits DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-DES-CBC-SHA
      Accepted TLSv1 40 bits EXP-RC4-MD5

      Some IT departments are rather strict and do not allow weak ciphers.

      An option in /etc/default/jenkins allowing one to set Jetty's 'excludeCipherSuites' (or to disable all weak ciphers) would be great.

            Activity

            danielbeck Daniel Beck added a comment -

            How can this be reproduced? I just tried with 1.574 and java -jar jenkins.war --httpsPort=8888, and sslscan reports:

            $ sslscan localhost:8888
                               _
                       ___ ___| |___  ___ __ _ _ __
                      / __/ __| / __|/ __/ _` | '_ \
                      \__ \__ \ \__ \ (_| (_| | | | |
                      |___/___/_|___/\___\__,_|_| |_|
            
                              Version 1.8.0
                         http://www.titania.co.uk
                    Copyright Ian Ventura-Whiting 2009
            
            Testing SSL server localhost on port 8888
            
              Supported Server Cipher(s):
                Rejected  N/A              SSLv2  168 bits  DES-CBC3-MD5
                Rejected  N/A              SSLv2  56 bits   DES-CBC-MD5
                Rejected  N/A              SSLv2  40 bits   EXP-RC2-CBC-MD5
                Rejected  N/A              SSLv2  128 bits  RC2-CBC-MD5
                Rejected  N/A              SSLv2  40 bits   EXP-RC4-MD5
                Rejected  N/A              SSLv2  128 bits  RC4-MD5
                Rejected  N/A              SSLv3  128 bits  ADH-SEED-SHA
                Rejected  N/A              SSLv3  128 bits  DHE-RSA-SEED-SHA
                Rejected  N/A              SSLv3  128 bits  DHE-DSS-SEED-SHA
                Rejected  N/A              SSLv3  128 bits  SEED-SHA
                Rejected  N/A              SSLv3  256 bits  ADH-AES256-SHA
                Rejected  N/A              SSLv3  256 bits  DHE-RSA-AES256-SHA
                Rejected  N/A              SSLv3  256 bits  DHE-DSS-AES256-SHA
                Rejected  N/A              SSLv3  256 bits  AES256-SHA
                Rejected  N/A              SSLv3  128 bits  ADH-AES128-SHA
                Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
                Rejected  N/A              SSLv3  128 bits  DHE-DSS-AES128-SHA
                Accepted  SSLv3  128 bits  AES128-SHA
                Rejected  N/A              SSLv3  168 bits  ADH-DES-CBC3-SHA
                Rejected  N/A              SSLv3  56 bits   ADH-DES-CBC-SHA
                Rejected  N/A              SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
                Rejected  N/A              SSLv3  128 bits  ADH-RC4-MD5
                Rejected  N/A              SSLv3  40 bits   EXP-ADH-RC4-MD5
                Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
                Rejected  N/A              SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
                Rejected  N/A              SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
                Rejected  N/A              SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
                Rejected  N/A              SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
                Rejected  N/A              SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
                Accepted  SSLv3  168 bits  DES-CBC3-SHA
                Rejected  N/A              SSLv3  56 bits   DES-CBC-SHA
                Rejected  N/A              SSLv3  40 bits   EXP-DES-CBC-SHA
                Rejected  N/A              SSLv3  40 bits   EXP-RC2-CBC-MD5
                Accepted  SSLv3  128 bits  RC4-SHA
                Accepted  SSLv3  128 bits  RC4-MD5
                Rejected  N/A              SSLv3  40 bits   EXP-RC4-MD5
                Rejected  N/A              SSLv3  0 bits    NULL-SHA
                Rejected  N/A              SSLv3  0 bits    NULL-MD5
                Rejected  N/A              TLSv1  128 bits  ADH-SEED-SHA
                Rejected  N/A              TLSv1  128 bits  DHE-RSA-SEED-SHA
                Rejected  N/A              TLSv1  128 bits  DHE-DSS-SEED-SHA
                Rejected  N/A              TLSv1  128 bits  SEED-SHA
                Rejected  N/A              TLSv1  256 bits  ADH-AES256-SHA
                Rejected  N/A              TLSv1  256 bits  DHE-RSA-AES256-SHA
                Rejected  N/A              TLSv1  256 bits  DHE-DSS-AES256-SHA
                Rejected  N/A              TLSv1  256 bits  AES256-SHA
                Rejected  N/A              TLSv1  128 bits  ADH-AES128-SHA
                Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
                Rejected  N/A              TLSv1  128 bits  DHE-DSS-AES128-SHA
                Accepted  TLSv1  128 bits  AES128-SHA
                Rejected  N/A              TLSv1  168 bits  ADH-DES-CBC3-SHA
                Rejected  N/A              TLSv1  56 bits   ADH-DES-CBC-SHA
                Rejected  N/A              TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
                Rejected  N/A              TLSv1  128 bits  ADH-RC4-MD5
                Rejected  N/A              TLSv1  40 bits   EXP-ADH-RC4-MD5
                Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
                Rejected  N/A              TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
                Rejected  N/A              TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
                Rejected  N/A              TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
                Rejected  N/A              TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
                Rejected  N/A              TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
                Accepted  TLSv1  168 bits  DES-CBC3-SHA
                Rejected  N/A              TLSv1  56 bits   DES-CBC-SHA
                Rejected  N/A              TLSv1  40 bits   EXP-DES-CBC-SHA
                Rejected  N/A              TLSv1  40 bits   EXP-RC2-CBC-MD5
                Accepted  TLSv1  128 bits  RC4-SHA
                Accepted  TLSv1  128 bits  RC4-MD5
                Rejected  N/A              TLSv1  40 bits   EXP-RC4-MD5
                Rejected  N/A              TLSv1  0 bits    NULL-SHA
                Rejected  N/A              TLSv1  0 bits    NULL-MD5
            
              Prefered Server Cipher(s):
                SSLv3  128 bits  DHE-RSA-AES128-SHA
                TLSv1  128 bits  DHE-RSA-AES128-SHA
            
              SSL Certificate:
                Version: 2
                Serial Number: 1658787448
                Signature Algorithm: sha1WithRSAEncryption
                Issuer: /C=Unknown/O=Unknown/OU=Unknown/CN=Test site
                Not valid before: Aug 22 03:04:14 2014 GMT
                Not valid after: Aug 19 03:04:14 2024 GMT
                Subject: /C=Unknown/O=Unknown/OU=Unknown/CN=Test site
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:8c:4c:61:a4:a7:c5:7d:db:75:b5:4e:45:e5:70:
                      6d:9e:84:f3:f5:47:58:77:c3:ab:bb:8b:38:a1:87:
                      2d:76:f5:38:cb:37:dc:f8:a4:ea:ac:f2:0a:f9:e1:
                      1a:e3:72:f7:9c:15:99:58:0e:cf:21:a0:15:45:7d:
                      58:79:a0:87:5e:69:1c:f5:b9:3b:8a:9a:a9:4a:4f:
                      91:b5:f2:d2:15:99:7f:d7:98:bd:30:ff:88:ee:9a:
                      c3:c6:e4:36:e0:be:4a:a1:64:17:e8:33:1b:79:2c:
                      67:2b:91:e8:76:2e:d5:bf:c3:c9:8c:e9:d8:a9:67:
                      30:76:e3:fa:51:7e:86:77:d3
                  Exponent: 65537 (0x10001)
              Verify Certificate:
                self signed certificate
            

            This is with a temporary, self-signed certificate as I didn't bother creating a real one.

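A defender-side check for what both the reporter and Daniel Beck are reading off sslscan by hand, added here as an example and not code from this issue or from Jenkins: it parses sslscan's per-cipher lines (the format quoted above) and flags accepted suites that a strict cipher policy would reject. The sample scan text is constructed, and the flagging rules (the reporter's <128-bit threshold, plus export/NULL/anonymous suites, RC4, and anything offered over SSLv2/SSLv3) are my assumptions about such a policy.

```python
import re

# Constructed sample in the sslscan 1.8 line format quoted in this issue;
# it is not the full scan output from the page.
SAMPLE_SCAN = """\
  Supported Server Cipher(s):
    Rejected  N/A              SSLv3  40 bits   EXP-RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
  Prefered Server Cipher(s):
    TLSv1  128 bits  DHE-RSA-AES128-SHA
"""

# Only "Accepted" lines matter; "Rejected" lines carry an extra "N/A" column.
ACCEPTED_RE = re.compile(
    r"^\s*Accepted\s+(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+"
    r"(?P<bits>\d+) bits\s+(?P<name>\S+)"
)


def parse_accepted(scan_output):
    """Return (protocol, bits, cipher) for every line sslscan marked Accepted."""
    found = []
    for line in scan_output.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            found.append((m.group("proto"), int(m.group("bits")), m.group("name")))
    return found


def weak_ciphers(scan_output, min_bits=128):
    """Accepted suites a strict policy (assumed here) would reject, with reasons."""
    flagged = []
    for proto, bits, name in parse_accepted(scan_output):
        reasons = []
        if bits < min_bits:                      # the reporter's threshold
            reasons.append(f"{bits} bits < {min_bits}")
        if name.startswith(("EXP-", "NULL-", "ADH-", "AECDH-")):
            reasons.append("export/null/anonymous suite")
        if "RC4" in name:                        # RC4 is prohibited by RFC 7465
            reasons.append("RC4")
        if proto in ("SSLv2", "SSLv3"):          # legacy protocol still offered
            reasons.append(f"{proto} offered")
        if reasons:
            flagged.append((proto, name, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for proto, name, why in weak_ciphers(SAMPLE_SCAN):
        print(f"{proto:6} {name:28} {why}")
```

Feed it the real output (`sslscan host:port | python3 check.py` after swapping SAMPLE_SCAN for stdin) to get a reproducible pass/fail instead of eyeballing the table.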
            aeschbacher aeschbacher added a comment -

            After further investigation, it appears that sslscan discovers weak ciphers only if jenkins.war is started with Java 6. It is not the case with Java 7.

            For Debian Wheezy, this means
            java 6: 1.6.0_32 (weak ciphers discovered by sslscan)
            java 7: 1.7.0_65 (no weak ciphers)

            So I guess the ticket can be closed.

            danielbeck Daniel Beck added a comment -

            No pressing need to implement this as a change in Java version is sufficient.


              People

              • Assignee: Unassigned
              • Reporter: aeschbacher
              • Votes: 0
              • Watchers: 2