Disabling Specific Ciphers In Jenkins

Issue

Disabling Specific Ciphers In Jenkins

Environment

  • Jenkins
  • Jenkins LTS
  • CloudBees Jenkins Enterprise (CJE)
  • CloudBees Jenkins Operations Center (CJOC)

Resolution

Any specific ciphers that need to be disabled must be disabled at the Java Virtual Machine (JVM) level. Because of this, it is best to review the documentation for the specific Java version used in your environment. For example, recent Java versions introduced various changes to enforce security and to no longer accept unsafe certificates by default. Please see the examples below with regards to Java 8:

jdk1.8.0_51
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

>= jdk1.8.0_60
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

>= jdk1.8.0_71
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Please also note that the Oracle JDK stores this configuration in: $JAVA_HOME/jre/lib/security/java.security

For example, to disable a specific cipher, add the name of the cipher to the following line in the java.security file:

jdk.tls.disabledAlgorithms=SSLv3

changed to

jdk.tls.disabledAlgorithms=3DES_EDE_CBC, SSLv3, DSA, RSA keySize < 2048
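To check what a given java.security file will actually disable before restarting Jenkins, here is an added Python example (not from this article, CloudBees or the JDK) that reads jdk.tls.disabledAlgorithms, joins the backslash line continuations the properties format allows, and evaluates the "<alg> keySize <op> <bits>" constraint form used above; the file content is constructed for the example.

```python
import operator
import re

# Constructed excerpt of a java.security file (not copied from the page); it uses
# the backslash line continuation the Java properties format allows.
SAMPLE_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768, RSA keySize < 2048
"""

CONSTRAINT_RE = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|<|>|==|!=)\s*(\d+)$")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def read_property(text, key):
    """Return the value of `key`, joining backslash-continued lines like java.util.Properties."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        while value.endswith("\\") and i < len(lines):  # drop the '\', append the next line
            value = value[:-1] + lines[i].strip()
            i += 1
        if name.strip() == key:
            return value
    return None

def parse_disabled(value):
    """Split the property into (algorithm, constraint) pairs; constraint is (op, bits) or None."""
    entries = []
    for item in (s.strip() for s in value.split(",")):
        if item:
            m = CONSTRAINT_RE.match(item)
            entries.append((m.group(1), (m.group(2), int(m.group(3)))) if m else (item, None))
    return entries

def is_disabled(entries, algorithm, key_size=None):
    """True if the algorithm is rejected outright, or its key size trips a keySize constraint."""
    for name, constraint in entries:
        if name.lower() != algorithm.lower():  # names compared case-insensitively
            continue
        if constraint is None:
            return True
        op, bits = constraint
        if key_size is not None and OPS[op](key_size, bits):  # unknown key size is not flagged
            return True
    return False
```

Point read_property at the real file's contents to audit the running JVM's settings; an entry that is only key-size constrained (for example DH) is reported as allowed when no key size is supplied.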

The link to the official Oracle Java Secure Socket Extension (JSSE) Reference Guide is included below.

Oracle Java 8 JSSE Reference Guide

About SSHD

It is currently not possible to disable ciphers for the Jenkins SSHD module. The ciphers for the SSHD daemon are set in the code of the sshd-module.

There is an open issue to remove unsafe ciphers: JENKINS-39805. In the meantime, we recommend disabling SSHD if it is not used.


1 Comment

    Steven Christenson

    From a guess-and-fail strategy, I discovered that the following java.security settings worked well. However, the java.security file, which is normally owned by root, must have read permission for ALL or it does not get used. When the permissions are incorrect, or there is a misconfiguration, since Jenkins 2.7x Firefox was reporting "no overlapping cyphers" and failing to connect. Note that I commented out "jdk.tls.legacyAlgorithms" as it really doesn't make sense to allow them to be used at all if you're trying to be secure.

        jdk.tls.disabledAlgorithms=RC4, DES-CBC3-SHA keySize < 256, SSLv3, DSA, RSA keySize < 2048
        
        # jdk.tls.legacyAlgorithms= \
        # K_NULL, C_NULL, M_NULL, \
        # DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        # DH_RSA_EXPORT, RSA_EXPORT, \
        # DH_anon, ECDH_anon, \
        # RC4_128, RC4_40, DES_CBC, DES40_CBC

    Edited by Steven Christenson