I have added ciphers to the Connector in our conf/server.xml configuration as I wanted to limit TLS to 256-bit ciphers of AES. Our Atlassian Jira instance is using RC4_128 with SHA1 and ECDHE_RSA key exchange. The certificate supports 256-bit keys.
Adding the ciphers did not help. It is still using the RC4_128 algorithm.
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="alias" keystoreFile="/
home/jira/.keystore" keystorePass="*********" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyo
te.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="true" ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, T
LS_ECDHE_RSA_WITH_AES_256_CBC_SHA" />
The ciphers where taken from:
https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak
Hi, I found in this site that if you want to disable weak encryption ciphers, you should add SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
to your connector.
Cheers
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Since we are running SLES 11, OpenSSL does not support TLS, so we still need SSLv3 enabled, but I reckon Jira uses Tomcat which does support TLS.
Using SSLCipherSuit="kEDH:ALL:!kRSA:!ADH:!RC4:!LOW:!EXP:HIGH:!MD5:!aNULL:!AESGCM:@STRENGTH"
openssl ciphers -v 'kEDH:ALL:!kRSA:!ADH:!RC4:!LOW:!EXP:HIGH:!MD5:!aNULL:!AESGCM:@STRENGTH'
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
I would also like to disable AES-128 and only use 256-bit.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
My new Connector configuration
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="kspt" keystoreFile="/home/jira/.keystore" keystorePass="********" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="T
LSv1.2" SSLProtocol="TLSv1.2" useBodyEncodingForURI="true" SSLDisableCompression="true" SSLCipherSuite="EECDH+AES:!aNULL:!eNULL:!RC4:!DES:!3DES:!DSS:!SSLv2:!SSLv3" />
This SSLCipherSuite should use only the following cipher suites from openssl listing:
openssl ciphers -v 'EECDH+AES:!aNULL:!eNULL:!RC4:!DES:!3DES:!DSS:!SSLv2:!SSLv3'
If I try to use AESGCM instead of only AES I get the following exception when trying to access Jira
mai 14, 2014 10:52:07 AM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
javax.net.ssl.SSLHandshakeException: No appropriate protocol
at sun.security.ssl.Handshaker.activate(Unknown Source)
at sun.security.ssl.SSLEngineImpl.kickstartHandshake(Unknown Source)
at sun.security.ssl.SSLEngineImpl.beginHandshake(Unknown Source)
at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
at java.lang.Thread.run(Unknown Source
Also this SSLCipherSuite configuration does not give me any high marks on https://www.ssllabs.com/ssltestAvailable protocols: SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2. Available ciphers RC4, 3DES, ECDHE and non-ECDHE, 128bit only.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.