Disable Weak SSL Ciphers

I have JIRA 4.4.1. I'm trying to figure out how to properly disable weak SSL ciphers in Apache. I've tried the steps listed here: https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak, but they aren't working for me. Can anyone assist?

1 answer

1 accepted

Are you talking about Tomcat or Apache httpd?

http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#onlystrong

On Tomcat:

<Connector port="443" maxHttpHeaderSize="8192" address="12.34.56.78"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="whateverkeystorefile.key" keystorePass="keystorePassword"
           truststoreFile="whatevertruststorefile.trst" truststorePass="truststorePassword"/>

Tomcat. And I tried exactly that. It's not working for me.

Enable a single SSL cipher. Say: ciphers="SSL_RSA_WITH_RC4_128_MD5"

If it works, it means that the string is wrong (maybe a comma or something?). Ciphers are case-sensitive; any error in the string makes Tomcat ignore them. Add them one by one, separated by commas.

I realize what happened. I was using the wrong test for SSL ciphers. Everything was configured fine.

This is an old discussion, but I'm having a similar problem on Jira 5.2.5...

I'm trying to disable all weak ciphers.

In the connector sections of server.xml, I have sslProtocol="TLSv1" and for ciphers I have just:

ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

When I run nmap I get:

Host is up (0.043s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Any ideas?

I did cut down to only the first cipher as a test, but I still end up with weak ciphers.
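An added example, not part of the original thread or of Tomcat: since the replies above trace failures to mistakes in the ciphers string, this Python script reads each Connector's ciphers attribute from a server.xml and sorts the names into malformed, weak and ok. The names audit_ciphers, WEAK_MARKERS, NAME_RE and SAMPLE_SERVER_XML, and the choice of which name fragments count as weak, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Name fragments treated as weak here (this example's own list, not Tomcat's):
# RC4, single DES, 3DES, NULL encryption, export grade, anonymous key exchange, MD5 MAC.
WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_EXPORT_", "_anon_", "_MD5")
# Shape of a JSSE suite name, e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (case-sensitive).
NAME_RE = re.compile(r"(TLS|SSL)_[A-Za-z0-9_]+_WITH_[A-Z0-9_]+")

# Constructed sample: a list with a lowercase typo, an empty entry and weak suites.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080"/>
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, tls_rsa_with_aes_256_cbc_sha,,
             SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_DES_CBC_SHA,
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

def audit_ciphers(server_xml):
    """Map each Connector port to its cipher names sorted into malformed / weak / ok."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("ciphers")
        if raw is None:  # no explicit cipher list on this connector
            continue
        buckets = {"malformed": [], "weak": [], "ok": []}
        for token in raw.split(","):
            name = token.strip()
            if not NAME_RE.fullmatch(name):  # wrong case, stray characters, empty entry
                buckets["malformed"].append(name)
            elif any(marker in name for marker in WEAK_MARKERS):
                buckets["weak"].append(name)
            else:
                buckets["ok"].append(name)
        report[conn.get("port")] = buckets
    return report

if __name__ == "__main__":
    for port, buckets in audit_ciphers(SAMPLE_SERVER_XML).items():
        for kind, names in buckets.items():
            print(port, kind, names)
```

This only checks what the file asks for; which suites the server actually negotiates still has to be confirmed by scanning the listening port, as the nmap run in the thread does.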
