Disable Weak SSL Ciphers

Marvin Street September 5, 2012

I have JIRA 4.4.1. I'm trying to figure out how to properly disable weak SSL ciphers in Apache. I've tried the steps listed here: https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak, but they aren't working for me. Can anyone assist?

1 answer

1 accepted

0 votes
Answer accepted
Radu Dumitriu
September 5, 2012

Are you talking about Tomcat or Apache httpd?

http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#onlystrong

On Tomcat:

<Connector port="443" maxHttpHeaderSize="8192" address="12.34.56.78"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="whateverkeystorefile.key" keystorePass="keystorePassword"
           truststoreFile="whatevertruststorefile.trst" truststorePass="truststorePassword"/>

Marvin Street September 5, 2012

Tomcat. And I tried exactly that. It's not working for me.

Radu Dumitriu
September 5, 2012

Enable a single SSL cipher. Say: ciphers="SSL_RSA_WITH_RC4_128_MD5"

If it works, it means that the string is wrong (maybe a comma or something?). Ciphers are case-sensitive; any error in the string makes Tomcat ignore them. Add them one by one, separated by commas.

Marvin Street September 10, 2012

I realize what happened. I was using the wrong test for SSL ciphers. Everything was configured fine.

Deleted user August 1, 2014

This is an old discussion, but I'm having a similar problem on Jira 5.2.5...

I'm trying to disable all weak ciphers.

In the connector sections of server.xml, I have sslProtocol="TLSv1" and for ciphers I have just:

ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA""

When I run nmap I get:

Host is up (0.043s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Any ideas?

I did cut down to only the first cipher as a test, but I still end up with weak ciphers.
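
One way to check a configured cipher list against an ssl-enum-ciphers scan, as the thread does by eye (an added example, not code from any poster or from Atlassian). The Connector snippet and scan text are constructed from the values quoted above, the function names are hypothetical, and the SSL_ to TLS_ mapping assumes older JSSE naming, which prefixes SSLv3-era suites with SSL_ where nmap prints TLS_.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the config and scan quoted in the thread.
CONNECTOR = '''<Connector port="8443" scheme="https" secure="true" sslProtocol="TLSv1"
  ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>'''
NMAP = '''\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: weak
'''

def canon(name):
    """Map an older JSSE SSL_ name to the TLS_ name nmap prints (assumption above)."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def configured_ciphers(connector_xml):
    """Cipher names from the Connector's ciphers attribute, canonicalised."""
    attr = ET.fromstring(connector_xml).get("ciphers", "")
    return {canon(c) for c in attr.split(",") if c.strip()}

def offered_ciphers(nmap_text):
    """Cipher names listed under ssl-enum-ciphers, across all protocol versions."""
    found = re.findall(r"^\|\s+((?:TLS|SSL)_\w+)\s", nmap_text, re.M)
    return {canon(c) for c in found}

def audit(connector_xml, nmap_text):
    want, got = configured_ciphers(connector_xml), offered_ciphers(nmap_text)
    return {
        "unexpected": sorted(got - want),  # offered by the server, never configured
        "missing": sorted(want - got),     # configured, but not offered
        # No overlap at all: the scanned listener is not applying this list.
        "no_overlap": bool(got) and not (got & want),
    }

if __name__ == "__main__":
    for key, value in audit(CONNECTOR, NMAP).items():
        print(key, value)
```
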
