Jenkins / JENKINS-31242

server uses weak ephemeral Diffie-Hellman key in the server exchange handshake

      Description

      Daniel Beck asked me to create this issue.

      Jenkins cannot be accessed after Chrome was updated to v45 and Firefox was updated to v39.

      Chrome reports:

      "This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!

      In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy."

      Firefox v39.0 reports:

      "An error occurred during a connection to 'servername:portnumber'. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)."

      I can connect using IE and Safari though.

      The Jenkins logs do not provide messages at the time when the attempt to connect is made.

      I tried looking at the Jenkins configuration and using Google searches, but could not find where to change the setting in Jenkins to force Jenkins to use the stronger key.

      We already are using 1024-bit certificates.

      I am using the default installation/configuration of Jenkins which I understand is Jetty. But I have configured it to use https on a port that our IT department requires me to use.

      Therefore, the command that runs is (some info modified for brevity and security):

      java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true
      -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=-1 --httpsPort=ourportnumber --httpsKeyStore=locationOfOurKeyStore --httpsKeyStorePassword=xxx --httpsListenAddress:0.0.0.0 --ajp13Port=a_port_number --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20

      I had thought the Jetty config file would be in /var/cache/Jenkins/war or in /usr/lib/jenkins/jenkins.war, but I didn't see the cipher-related entries in .xml files in the former and didn't want to change anything in the latter. I also looked in /var/lib/jenkins but didn't see anything that matched what I thought I was looking for there either.

      My real question then is what do I modify in our Jenkins implementation to get around this issue? Assuming that there is something to modify...

      Roger Moore
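
Added example (not part of the original report and not Jenkins or Jetty code): the Firefox error quoted above refers to the DH parameters carried in the TLS ServerKeyExchange handshake message. This Python code parses that message for a DHE cipher suite (TLS 1.0-1.2 layout) and reports the size of the prime; the 1024-bit threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
MIN_DH_BITS = 1024  # assumed policy threshold, not a value taken from the report

def parse_server_dh_params(handshake: bytes) -> dict:
    """Parse a DHE ServerKeyExchange handshake message (TLS 1.0-1.2 layout):
    type(1) | length(3) | dh_p<2-byte len> | dh_g<2-byte len> | dh_Ys<2-byte len> | signature."""
    if len(handshake) < 4:
        raise ValueError("truncated handshake header")
    if handshake[0] != 12:  # 12 = server_key_exchange
        raise ValueError(f"not a ServerKeyExchange (type {handshake[0]})")
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    values, off = {}, 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"missing length prefix for {name}")
        n = int.from_bytes(body[off:off + 2], "big")
        field = body[off + 2:off + 2 + n]
        if n == 0 or len(field) != n:
            raise ValueError(f"empty or truncated {name}")
        values[name] = int.from_bytes(field, "big")
        off += 2 + n
    return {"p_bits": values["dh_p"].bit_length(),
            "g": values["dh_g"],
            "signature_bytes": len(body) - off}

def is_weak(params: dict, min_bits: int = MIN_DH_BITS) -> bool:
    """True when the server's ephemeral DH prime is shorter than the policy minimum."""
    return params["p_bits"] < min_bits

def build_sample(p_bits: int) -> bytes:
    """Constructed test message: p is NOT a real prime, the signature is filler."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    fields = (p, b"\x02", b"\x05" * len(p))  # dh_p, dh_g, dh_Ys
    body = b"".join(len(f).to_bytes(2, "big") + f for f in fields) + b"\x00" * 4
    return b"\x0c" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (768, 1024, 2048):  # constructed sample sizes
        info = parse_server_dh_params(build_sample(bits))
        print(bits, info["p_bits"], "WEAK" if is_weak(info) else "ok")
```

The size checked here is that of the ephemeral DH prime, which is negotiated separately from the key size of the server certificate.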

          Activity

          duality72 duality72 added a comment -

          In our case, upgrading the Java we were using to run Jenkins from Java 7 to Java 8 fixed the issue.

          rmoore Roger Moore added a comment -

          That has since worked for me too!

          rmoore Roger Moore added a comment -

          Upgrading the version of Java to something higher than 1.7-51 eliminated the problem.


            People

            • Assignee:
              Unassigned
              Reporter:
              rmoore Roger Moore