https JIRA "weak ephemeral Diffie-Hellman public key”

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

I have read several articles that state to upgrade to java 1.8 and add 

-Djdk.tls.ephemeralDHKeySize=2048 in tomcat startup.

Some articles say JIRA 5.2.4.1 does not work with Java 1.8.. We are upgrading end of year to cloud 

Can this  issue be related to certifcates as well. We need to fix the issue before the upgrade. Any other workarounds  besides Java upgrade?

2 answers

1 vote
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 4, 2015

Have you considered putting nginx or apache in front of your JIRA instance to abstract away your SSL handling from JAVA?  This gives you a few more tools for managing these problems.

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

We can test that on our dev system. Thanks

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

I saw this workaround. It does notdetail where exactly the line goes To workaround the problem, please add the cipher below to disable the weak Diffie-Hellman cipher. Open server.xml via $JIRA_INSTALL/conf directory. Add the following to the HTTPS connector port: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" (info) Reference for more strong cipher settings - Security tools report the default SSL Ciphers are too weak Save it and restart JIRA. https://confluence.atlassian.com/display/JIRAKB/Server+has+a+weak,+ephemeral+Diffie-Hellman+public+key

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 4, 2015

I'm afraid not, if you want to upgrade Java, you need to upgrade Jira.

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

I saw this workaround. It does notdetail where exactly the line goes To workaround the problem, please add the cipher below to disable the weak Diffie-Hellman cipher. Open server.xml via $JIRA_INSTALL/conf directory. Add the following to the HTTPS connector port: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" (info) Reference for more strong cipher settings - Security tools report the default SSL Ciphers are too weak Save it and restart JIRA. https://confluence.atlassian.com/display/JIRAKB/Server+has+a+weak,+ephemeral+Diffie-Hellman+public+key

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

<Connector port="8963" maxHttpHeaderSize="8192" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" clientAuth="false" SSLEnabled="true" URIEncoding="UTF-8" keyAlias="server" keystoreFile="conf/jira.jks" keystorePass="solumina" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256, TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA, TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384, TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA, TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA, TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256, TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

There is already a cipher key.

KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 4, 2015

I was going to add it to the line? Any know issues with this workaround?

Suggest an answer

Log in or Sign up to answer