Disabling Specific Ciphers In Jenkins

Issue

Disabling Specific Ciphers In Jenkins

Environment

  • Jenkins
  • Jenkins LTS
  • CloudBees Jenkins Enterprise (CJE)
  • CloudBees Jenkins Operations Center (CJOC)

Resolution

Any specific ciphers that need to be disabled will need to be disabled at the Java Virtual Machine (JVM) level. Due to this fact it is best to review the documentation for the specific Java version being used in your enviornment. For example, there were various changes to enforce the security in latest Java versions and to not accept the use unsafe certificates by default. Please see the examples below with regards to Java 8:

jdk1.8.0_51
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

\>= jdk1.8.0_60
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

\>= jdk1.8.0_71
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Please also note that Oracle JDK stores this information here:$JAVA_HOME/jre/lib/security/java.security

For example, to disable a specific cipher, the name of the cipher should be added to the following line in the java.security file:

jdk.tls.disabledAlgorithms=SSLv3

changed to

jdk.tls.disabledAlgorithms=3DES_EDE_CBC, SSLv3, DSA, RSA keySize < 2048

The link to official Oracle Java Secure Socket Extension (JSEE)
Reference Guide is included below.

Oracle Java 8 JSEE Reference Guide

About SSHD

It is currently not possible to disable the ciphers for the Jenkins SSHD module. The ciphers for the SSHD deamon are set in the code of the sshd-module.

There is an open issue to remove unsafe ciphers: JENKINS-39805. In the meantime, we recommend to disable SSHD if it is not used.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.