JIRA server weak Diffie-Hellman (DH) key exchange parameters

akshay sharma December 29, 2020

I have an on-premise JIRA server, version 6.3.15 on jdk1.6.0_24. When we ran the test on Qualys, the site rating was B.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

We are using TLS 1.2 and we tried adding ciphers in server.xml as suggested:

<Connector
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
/>

or

https://confluence.atlassian.com/kb/security-tools-report-the-default-ssl-ciphers-are-too-weak-755140945.html

However, the issue still persists. Can you please advise on this? How do I fix this issue?
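The following is an added example, not code from the original post and not Atlassian's or Tomcat's own tooling. It takes a Tomcat <Connector ciphers="..."> element like the one above and separates the suites whose key exchange is finite-field Diffie-Hellman (the TLS_DHE_* and TLS_DH_* names) from the rest. Those are the suites that negotiate the ephemeral DH group the scanner is grading; the group size is chosen by the JSSE provider rather than by the cipher name, so listing the DHE suites explicitly does not make the group any larger. The TLS_ECDHE_* suites use elliptic-curve DH and are not covered by that finding. The prefix pattern and the refusal to emit an empty cipher list are this example's own choices.

```python
"""Added example (not part of the original post or of Jira/Tomcat): split a
Tomcat <Connector ciphers="..."> attribute into finite-field DH suites and
the rest, and emit the same Connector element without the former."""
import re
import xml.etree.ElementTree as ET

# Sample input: the Connector element quoted in the question.
CONNECTOR_XML = """<Connector
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
/>"""

# TLS_DHE_* and TLS_DH_* suites negotiate finite-field Diffie-Hellman. The
# group size comes from the JSSE provider, not from the suite name, and older
# JDKs default to 1024-bit groups, which is what "weak DH parameters" means.
# TLS_ECDHE_* suites use elliptic-curve DH and fall outside that finding.
# The set of authentication tokens in the pattern is this example's assumption.
FFDH_SUITE = re.compile(r"^TLS_DHE?_(RSA|DSS|PSK|anon)_")


def uses_finite_field_dh(suite):
    """True for suites whose key exchange is finite-field (non-EC) DH."""
    return bool(FFDH_SUITE.match(suite))


def split_ciphers(attr):
    """Tomcat takes a comma-separated list; tolerate whitespace and empties."""
    return [s.strip() for s in attr.split(",") if s.strip()]


def partition_ciphers(attr):
    """Return (kept, dropped): suites to keep and the finite-field DH suites."""
    suites = split_ciphers(attr)
    kept = [s for s in suites if not uses_finite_field_dh(s)]
    dropped = [s for s in suites if uses_finite_field_dh(s)]
    return kept, dropped


def harden_connector(xml_text):
    """Parse one <Connector .../> element and rewrite its ciphers attribute.

    Returns (new_xml, dropped). Every other attribute is left untouched."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "Connector":
        raise ValueError("expected a <Connector> element, got <%s>" % elem.tag)
    kept, dropped = partition_ciphers(elem.get("ciphers", ""))
    if not kept:
        # An empty ciphers attribute would fall back to provider defaults,
        # which is the opposite of what the operator intended.
        raise ValueError("no non-DH suites left; refusing to emit an empty list")
    elem.set("ciphers", ",".join(kept))
    return ET.tostring(elem, encoding="unicode"), dropped


if __name__ == "__main__":
    new_xml, dropped = harden_connector(CONNECTOR_XML)
    print("removed %d finite-field DH suite(s):" % len(dropped))
    for suite in dropped:
        print("  ", suite)
    print(new_xml)
```

Run against the list from the question it drops the eight TLS_DHE_* suites and keeps the twelve TLS_ECDHE_* ones. Two caveats: with no DHE suites offered, clients that cannot do ECDHE are limited to plain RSA key exchange, and on Java 6 the ECDHE suites only work when an elliptic-curve provider is present (SunEC first shipped with Java 7), so verify after the change that the server really negotiates an ECDHE suite. On Java 8 and later the group size itself can be raised with the jdk.tls.ephemeralDHKeySize system property, which the JDK in the question predates; both points lean the same way as the answers that follow.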

1 answer

0 votes
Daniel Ebers
Rising Star
December 30, 2020

Hi @akshay sharma

To be honest, I am not sure looking into this particular topic is worth the time.

Assuming you are after a good grade in Qualys and/or a secure environment, fixing this thing will only be a drop on a hot stone - version 6.3.15 is outdated as of now and contains (security-relevant) bugs that will never get fixed, as the version has reached "end of life".

The better option would be to upgrade to a more recent version.
https://confluence.atlassian.com/adminjiraserver/upgrading-jira-applications-938846936.html

Even if you get the SSL configuration fixed, there will surely be other (valid) reasons why you are getting a downvote in a security assessment. I'd rather go for the whole picture - to be honest.

Regards,
Daniel

Nic Brough -Adaptavist-
Community Leader
December 30, 2020

I completely agree with Daniel here; you have three options:

  • Spend months working out how to upgrade the Tomcat running your Jira and making the Jira part of the package work on the new version
  • Move your Jira install behind a proxy, so that the proxy does all the SSL work and is of a version that does not have this issue. This will not help with the other security issues Jira 6 has, though
  • Upgrade to a version of Jira in which this has been fixed - I'd recommend the latest long-term-support release.
