Disable Weak SSL Ciphers

I have JIRA 4.4.1. I'm trying to figure out how to properly disable weak SSL ciphers in Apache. I've tried the steps listed here: https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak, but they aren't working for me. Can anyone assist?

1 answer

1 accepted

Are you talking about Tomcat or Apache httpd?

http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#onlystrong

On Tomcat:

<Connector port="443" maxHttpHeaderSize="8192" address="12.34.56.78"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="whateverkeystorefile.key" keystorePass="keystorePassword"
           truststoreFile="whatevertruststorefile.trst" truststorePass="truststorePassword"/>

Tomcat. And I tried exactly that. It's not working for me.

Enable a single SSL cipher. Say: ciphers="SSL_RSA_WITH_RC4_128_MD5"

If it works, it means that the string is wrong (maybe a comma or something?). Ciphers are case-sensitive; any error in the string makes Tomcat ignore them. Add them one by one, separated by commas.

I realize what happened. I was using the wrong test for SSL ciphers. Everything was configured fine.

This is an old discussion, but I'm having a similar problem on Jira 5.2.5...

I'm trying to disable all weak ciphers.

In the connector sections of server.xml, I have sslProtocol="TLSv1" and for ciphers I have just:

ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

When I run nmap I get:

Host is up (0.043s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Any ideas?

I did cut down to only the first cipher as a test, but I still end up with weak ciphers.
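
An added example, not part of the thread and not Atlassian's or Tomcat's code: a Python check that compares the ciphers attribute of a Connector with the suites that nmap's ssl-enum-ciphers reports, normalising the SSL_/TLS_ prefix difference between older JSSE names and nmap's names. The server.xml fragment is constructed around the cipher list quoted above, the scan lines are copied from the output above, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment using the cipher list quoted in the post above.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLSv1"
    ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# TLSv1.0 part of the ssl-enum-ciphers output quoted in the post above.
NMAP_OUTPUT = """\
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
"""

def normalise(name):
    """Older JSSE names some suites SSL_*, nmap prints TLS_*; compare on one form."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def configured_ciphers(server_xml, port):
    """Return the normalised cipher set of the Connector listening on `port`."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("port") == str(port):
            raw = conn.get("ciphers", "")
            return {normalise(c) for c in raw.split(",") if c.strip()}
    raise LookupError(f"no Connector on port {port}")

def offered_ciphers(nmap_text):
    """Extract suite names from ssl-enum-ciphers lines, ignoring nmap's rating."""
    names = re.findall(r"\b((?:TLS|SSL)_\w+)\s+-\s+\w+", nmap_text)
    return {normalise(n) for n in names}

def compare(server_xml, port, nmap_text):
    """Report suites offered but not configured, and configured but not offered."""
    wanted = configured_ciphers(server_xml, port)
    seen = offered_ciphers(nmap_text)
    return {"unexpected": sorted(seen - wanted), "missing": sorted(wanted - seen)}

if __name__ == "__main__":
    result = compare(SERVER_XML, 8443, NMAP_OUTPUT)
    print("offered but not configured:", result["unexpected"])
    print("configured but not offered:", result["missing"])
```

When nothing the scan reports appears in the configured list, as with this input, the scanned listener is not applying that ciphers value at all, which points at the attribute being ignored or a different Connector answering rather than at one wrong suite name.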
