Disable Weak SSL Ciphers

I have JIRA 4.4.1. I'm trying to figure out how to properly disable weak ssl ciphers in Apache. I've tried the steps listed here: https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak, but they aren't working for me. Can anyone assist?

1 answer

1 accepted

0 votes
Accepted answer

Are you talking about Tomcat or Apache httpd?

http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#onlystrong

On Tomcat (the element and attribute names are case-sensitive: it must be Connector, maxHttpHeaderSize, enableLookups, disableUploadTimeout):

<Connector port="443" maxHttpHeaderSize="8192" address="12.34.56.78" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" keystoreFile="whateverkeystorefile.key" keystorePass="keystorePassword" truststoreFile="whatevertruststorefile.trst" truststorePass="truststorePassword"/>

Tomcat. And I tried exactly that. It's not working for me.

Enable a single SSL cipher. Say: ciphers="SSL_RSA_WITH_RC4_128_MD5"

If it works, it means that the string is wrong (maybe a comma or something?). Ciphers are case-sensitive; any error in the string makes Tomcat ignore them. Add them one by one, separated by commas.

I realize what happened. I was using the wrong test for SSL ciphers. Everything was configured fine.

This is an old discussion, but I'm having a similar problem on Jira 5.2.5...

I'm trying to disable all weak ciphers.

In the Connector section of server.xml, I have sslProtocol="TLSv1" and for ciphers I have just:

ciphers="TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

When I run nmap I get:

Host is up (0.043s latency).
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_DES_CBC_SHA - weak
| TLS_RSA_WITH_RC4_128_MD5 - strong
| compressors:
| NULL
|_ least strength: weak

Nmap done: 1 IP address (1 host up) scanned in 12.28 seconds

Any ideas?

I did cut down to only the first cipher as a test, but I still end up with weak ciphers.
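The accepted answer's advice (names are case-sensitive, one typo makes Tomcat ignore the whole list, so add suites one at a time) and the later comment's nmap scan (the server still offering DES and RC4 that are not in the configured list) are two halves of the same check. The script below is an added example written for this thread; it is not Atlassian's or Tomcat's code. It parses the ciphers attribute out of a server.xml fragment, lints each name for case and weak algorithms, parses nmap ssl-enum-ciphers output, and reports any suite the server offered that the configuration never listed, which is exactly the symptom the comment describes. The server.xml fragment, the nmap output and the helper names (configured_ciphers, lint_suites, observed_ciphers, unexpected_suites) are all constructed for the example.

```python
"""Lint a Tomcat <Connector ciphers="..."> list and compare it with what
an nmap ssl-enum-ciphers scan actually observed on the port.
Added example for this thread, not code from Atlassian or Tomcat; the
server.xml fragment and nmap output below are constructed samples."""
import re
import xml.etree.ElementTree as ET

# Substrings marking a suite as weak by current standards: RC4 is
# prohibited by RFC 7465; single DES, 3DES (Sweet32), MD5, NULL, EXPORT
# and anonymous key exchange are all unacceptable.  The old nmap in the
# thread still rated RC4 and 3DES "strong"; this list is stricter.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5", "_anon_")

# JSSE suite names: TLS_/SSL_ prefix, upper case apart from the "anon" token.
SUITE_NAME = re.compile(r"(TLS|SSL)_[A-Za-z0-9_]+")


def is_weak(suite):
    """True if the suite name carries any weak-algorithm marker."""
    return any(m in suite for m in WEAK_MARKERS)


def name_looks_valid(suite):
    """True if the name has the shape Tomcat/JSSE expects (case matters)."""
    return bool(SUITE_NAME.fullmatch(suite)) and suite.replace("anon", "ANON").isupper()


def configured_ciphers(server_xml):
    """Return {port: [suite, ...]} for every Connector with a ciphers attribute.
    Malformed XML (e.g. a stray quote, ciphers="..."") raises ET.ParseError:
    such a file would never have loaded in the first place."""
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        raw = conn.get("ciphers")
        if raw is not None:
            # Tomcat splits on commas; surrounding whitespace is tolerated.
            result[conn.get("port", "?")] = [s.strip() for s in raw.split(",") if s.strip()]
    return result


def lint_suites(suites):
    """Return (suite, problem) pairs: names Tomcat would reject (which, per
    the accepted answer, makes it ignore the list) and weak suites."""
    problems = []
    for s in suites:
        if not name_looks_valid(s):
            problems.append((s, "malformed name (check case and spelling)"))
        elif is_weak(s):
            problems.append((s, "weak algorithm"))
    return problems


def observed_ciphers(nmap_output):
    """Parse `nmap --script ssl-enum-ciphers` output into
    {protocol: [(suite, nmap_rating), ...]}.  Accepts both the old
    'SUITE - strong' lines and newer 'SUITE (rsa 2048) - A' lines."""
    proto, result = None, {}
    for line in nmap_output.splitlines():
        body = line.lstrip("|_ ").strip()
        m = re.fullmatch(r"(SSLv3|TLSv1\.[0-3]):", body)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = re.fullmatch(r"((?:TLS|SSL)_\S+)(?: \([^)]*\))? - (\S+)", body)
        if m and proto:
            result[proto].append((m.group(1), m.group(2)))
    return result


def unexpected_suites(configured, observed):
    """Suites the server offered that are not in the configured list.  A
    non-empty result means the ciphers attribute is not in effect on the
    scanned port (wrong Connector, config not reloaded, or list rejected)."""
    allowed = set(configured)
    return sorted({s for suites in observed.values() for s, _ in suites if s not in allowed})


# Constructed server.xml fragment: two good suites, one weak, one wrong-case.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
               TLS_RSA_WITH_RC4_128_MD5, tls_rsa_with_aes_128_cbc_sha"/>
  </Service>
</Server>"""

# Constructed nmap output modelled on the thread's scan (not a real scan).
SAMPLE_NMAP = """\
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|_  least strength: weak
"""

if __name__ == "__main__":
    for port, suites in configured_ciphers(SAMPLE_SERVER_XML).items():
        print(f"port {port}: {len(suites)} suites configured")
        for suite, problem in lint_suites(suites):
            print(f"  {suite}: {problem}")
        for suite in unexpected_suites(suites, observed_ciphers(SAMPLE_NMAP)):
            print(f"  offered but not configured: {suite}")
```

On the sample data the lint flags the RC4/MD5 suite as weak and the lower-case name as malformed, and the comparison reports TLS_RSA_WITH_DES_CBC_SHA as offered but never configured. That last finding is the useful one for the thread: a suite nmap sees that the ciphers attribute does not contain means the attribute is not governing the scanned port at all, so the next thing to check is which Connector actually serves that port and whether Tomcat was restarted after the edit, not the cipher names themselves.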
