JIRA server weak Diffie-Hellman (DH) key exchange parameters

I have an on-premise JIRA server, version 6.3.15, running on jdk1.6.0_24. When we ran the Qualys test, the site rating was B.

 

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. 

We are using TLS1.2 and we tried adding ciphers in server.xml as suggested:

 

<Connector
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
/>

or 

https://confluence.atlassian.com/kb/security-tools-report-the-default-ssl-ciphers-are-too-weak-755140945.html

 

However, the issue still persists. Can you please advise on this? How do I fix this issue?
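One way to see why the posted cipher list still trips the finding, as an added example (Python; not code from the page, Jira or Tomcat): the attribute keeps eight TLS_DHE_* suites, and every DHE suite negotiates finite-field Diffie-Hellman with whatever group the JVM generates, so the scanner still sees weak DH parameters even though ECDHE suites are listed first. Dropping the DHE suites and keeping the ECDHE ones leaves no finite-field DH to grade. The script also flags names that lack a CBC/GCM mode token (for example TLS_ECDHE_RSA_WITH_AES_128_SHA256, whose registered spelling is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); such names are not registered suite names and a JSSE connector cannot enable them, and 14 of the 20 posted names fall into that group. The sample input is a constructed copy of the posted attribute value. Separately, TLS 1.2 and AES-GCM suites only became available in JSSE with Java 7 and Java 8 respectively, which supports the upgrade advice in the answers.

```python
"""Audit a Tomcat JSSE ``ciphers`` attribute for finite-field Diffie-Hellman suites.

Added example, not code from the Atlassian page, Jira or Tomcat. It parses the
comma-separated suite names, classifies each by its key-exchange token, drops the
TLS_DHE_* / TLS_DH_* suites (the ones that negotiate finite-field DH and trigger the
"weak DH parameters" finding) and flags names that do not follow the IANA/JSSE
naming scheme, which a JSSE connector cannot enable.
"""
from __future__ import annotations

import re

# Constructed sample input: the ciphers attribute posted in the question, as one string.
POSTED_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,"
    "TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
)

# TLS 1.2-style names read TLS_<keyexchange>_<auth>_WITH_<cipher>_<mac>; the
# key-exchange family is the first token after the protocol prefix.
_KX_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>[A-Z0-9_]+?)_WITH_")

# Registered AES suite names carry an explicit mode token (_CBC_, _GCM_, _CCM_);
# "AES_128_SHA" with no mode token is not a registered suite name.
_MISSING_MODE_RE = re.compile(r"_AES_(?:128|256)_SHA(?:256|384)?$")

FINITE_FIELD_DH = ("DHE", "DH")


def split_attr(attr: str) -> list[str]:
    """Split the attribute value into suite names, ignoring blanks and whitespace."""
    return [name.strip() for name in attr.split(",") if name.strip()]


def key_exchange(suite: str) -> str:
    """Return the key-exchange family of a suite name: ECDHE, ECDH, DHE, DH, RSA, ...

    Raises ValueError for names without the _WITH_ structure (for example TLS 1.3
    suites, which do not encode a key exchange at all).
    """
    match = _KX_RE.match(suite)
    if match is None:
        raise ValueError(f"not a TLS_<kx>_WITH_<cipher> suite name: {suite!r}")
    return match.group("kx").split("_", 1)[0]


def uses_finite_field_dh(attr: str) -> bool:
    """True if any configured suite negotiates finite-field (non-EC) Diffie-Hellman."""
    return any(key_exchange(s) in FINITE_FIELD_DH for s in split_attr(attr))


def drop_finite_field_dh(attr: str) -> tuple[str, list[str]]:
    """Return (hardened attribute value, names removed), preserving the original order."""
    kept, dropped = [], []
    for name in split_attr(attr):
        (dropped if key_exchange(name) in FINITE_FIELD_DH else kept).append(name)
    return ",".join(kept), dropped


def unregistered_names(attr: str) -> list[str]:
    """Names that lack the cipher-mode token registered AES suite names carry."""
    return [n for n in split_attr(attr) if _MISSING_MODE_RE.search(n)]


if __name__ == "__main__":
    hardened, removed = drop_finite_field_dh(POSTED_CIPHERS)
    print("finite-field DH suites removed:", len(removed))
    print("names with no CBC/GCM mode token:", len(unregistered_names(POSTED_CIPHERS)))
    print("hardened ciphers attribute:\n" + hardened)
```

Paste the hardened value back into the Connector's ciphers attribute, restart Tomcat and re-run the scan; the DH finding is raised for finite-field groups under 2048 bits, so removing every DHE suite removes the condition the scanner is grading rather than depending on the JVM's group size.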

1 answer

0 votes
Daniel Ebers Community Leader Dec 30, 2020

Hi @akshay sharma

To be honest, I am not sure looking into this particular topic is worth the time.

Assuming you are after a good grade in Qualys and/or a secure environment, fixing this thing will only be a drop on a hot stone: version 6.3.15 is outdated as of now and contains (security-relevant) bugs that will never get fixes, as the version reached "end of life".

The better option would be to upgrade to a more recent version.
https://confluence.atlassian.com/adminjiraserver/upgrading-jira-applications-938846936.html

Even if you get the SSL configuration fixed then there will be surely other (valid) reasons why you are getting a downvote in a security assessment. I'd rather go for the whole picture - to be honest.

Regards,
Daniel

I completely agree with Daniel here; you have three options:

  • Spend months working out how to upgrade the Tomcat running your Jira and making the Jira part of the package work on the new version
  • Move your Jira install behind a proxy, so that the proxy does all the SSL work and is of a version that does not have this issue. This will not help with the other security issues Jira 6 has though
  • Upgrade to a version of Jira that this has been fixed in - I'd recommend the latest long-term-support release.
