I have JIRA 4.4.1. I'm trying to figure out how to properly disable weak ssl ciphers in Apache. I've tried the steps listed here: https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak, but they aren't working for me. Can anyone assist?
Are you talking about Tomcat or Apache httpd?
http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#onlystrong
on tomcat:
<Connector port="443" maxHttpHeaderSize="8192" address="12.34.56.78" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" keystoreFile="whateverkeystorefile.key" keystorePass="keystorePassword" truststoreFile="whatevertruststorefile.trst" truststorePass="truststorePassword"/>
Enable a single SSL cipher. Say: ciphers="SSL_RSA_WITH_RC4_128_MD5"
If it works, it means that the string is wrong (maybe a comma or something?). Ciphers are case-sensitive; any error in the string makes Tomcat ignore them. Add them one by one, separated by commas.
I realize what happened. I was using the wrong test for SSL ciphers. Everything was configured fine.
This is an old discussion, but I'm having a similar problem on Jira 5.2.5...
I'm trying to disable all weak ciphers.
In the connector section of server.xml, I have sslProtocol="TLSv1" and for ciphers I have just:
ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
When I run nmap I get:
Host is up (0.043s latency).
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| compressors:
| NULL
|_ least strength: weak
Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds
Any ideas?
I did cut down to only the first cipher as a test, but I still end up with weak ciphers.
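One way to check a scan like the one above against what server.xml actually configures, as an added example that is not part of the thread: it parses the Connector's ciphers attribute and nmap's ssl-enum-ciphers output and reports every suite the server offers that is not in the configured list, plus every suite nmap rates weak. The Connector fragment and the nmap text below are constructed samples modelled on the post, and names are compared without their prefix because JSSE names some suites SSL_* while nmap reports the IANA TLS_* names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml Connector (not the poster's file), using ciphers quoted above.
SERVER_XML = """<Connector port="8443" scheme="https" secure="true" sslProtocol="TLSv1"
  ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>"""
# Constructed nmap ssl-enum-ciphers output, modelled on the scan quoted above.
NMAP_OUTPUT = """| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
|_ least strength: weak"""

PROTO_RE = re.compile(r"^\|\s*(SSLv\d|TLSv[\d.]+):")
CIPHER_RE = re.compile(r"^\|\s*((?:TLS|SSL)_[A-Z0-9_]+)\s+-\s+(\w+)")

def suite(name):
    """JSSE names some suites SSL_*, nmap reports IANA TLS_* names: compare without the prefix."""
    return name.split("_", 1)[1]

def configured_ciphers(server_xml, port):
    """Cipher names from the Connector on `port`, split on commas with whitespace stripped."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == str(port) and conn.get("ciphers"):
            return [c.strip() for c in conn.get("ciphers").split(",") if c.strip()]
    return []

def offered_ciphers(nmap_text):
    """Parse nmap output into {protocol: {cipher: strength}}."""
    offered, proto = {}, None
    for line in nmap_text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            offered[proto] = {}
        elif (m := CIPHER_RE.match(line)) and proto is not None:
            offered[proto][m.group(1)] = m.group(2)
    return offered

def audit(server_xml, nmap_text, port):
    """Return (unexpected, weak): suites offered but not configured, and suites nmap rates weak."""
    allowed = {suite(c) for c in configured_ciphers(server_xml, port)}
    unexpected, weak = [], []
    for proto, ciphers in offered_ciphers(nmap_text).items():
        for name, strength in ciphers.items():
            if suite(name) not in allowed:
                unexpected.append((proto, name))
            if strength == "weak":
                weak.append((proto, name))
    return sorted(unexpected), sorted(weak)
```

A non-empty unexpected list means the scanned listener is not honouring the ciphers attribute you edited, so the next thing to confirm is that the scanned port belongs to that Connector and that the JVM supports the suite names you listed.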