When we upgraded to 1.580.3. We simply download the RHEL RPM package and install it. We make sure to give the location of our existing .keystore set for “JENKINS_HTTPS_KEYSTORE=“ in the /etc/sysconfig/jenkins. We install Oracle JDK 7 to run Jenkins. I have been using Oracle JDK 7 to run Jenkins even in older version. I never rely on openJDK or JRE that comes with the RHEL.
-Indra On 10/29/15, 11:29 AM, "jenkinsci-users@googlegroups.com on behalf of Roger Moore" <jenkinsci-users@googlegroups.com on behalf of rmoo...@ra.rockwell.com> wrote: >Hi Indra, thanks for your reply. We are currently running 1.596. > >When you upgraded to 1.580.3, did that change your version of Java too? > >-----Original Message----- >From: jenkinsci-users@googlegroups.com >[mailto:jenkinsci-users@googlegroups.com] On Behalf Of Indra Gunawan >(ingunawa) >Sent: Thursday, October 29, 2015 10:58 AM >To: jenkinsci-users@googlegroups.com >Subject: Re: unable to access Jenkins in Firefox and Chrome after latest >browser updates because of "weak ephemeral Diffie-Hellman public key" > >HI Roger, > >If you upgrade to the latest LTS this issue goes away. I see this on >very old instance of Jenkins running 1.455 we are still running. After >upgrade to v. 1.580.3 with SSL left as is with existing .keystore, I am >not seeing this anymore. > >-Indra > >On 10/28/15, 11:14 AM, "jenkinsci-users@googlegroups.com on behalf of >Roger Moore" <jenkinsci-users@googlegroups.com on behalf of >rmoo...@ra.rockwell.com> wrote: > >>The deed is done. It was my first submission, so please let me know if >>I screwed it up... >> >>https://issues.jenkins-ci.org/browse/JENKINS-31242 >> >>-----Original Message----- >>From: jenkinsci-users@googlegroups.com >>[mailto:jenkinsci-users@googlegroups.com] On Behalf Of Daniel Beck >>Sent: Wednesday, October 28, 2015 10:30 AM >>To: jenkinsci-users@googlegroups.com >>Subject: Re: unable to access Jenkins in Firefox and Chrome after >>latest browser updates because of "weak ephemeral Diffie-Hellman public >>key" >> >>Could you file an improvement against the 'winstone' component in our >>issue tracker? >> >>https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue >> >>On 28.10.2015, at 17:50, Roger Moore <rmoo...@ra.rockwell.com> wrote: >> >>> Thank for the reply, Daniel. >>> >>> I am using the default installation/configuration of Jenkins which I >>>understand is Jetty. But I have configured it to use https on a port >>>that our IT department requires me to use. And, we are running on >>>CentOS 7. >>> >>> Therefore, the command that runs is (some info modified for brevity >>>and >>>security): >>> >>> java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true >>>-DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war >>>--logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon >>>--httpPort=-1 --httpsPort=ourportnumber >>>--httpsKeyStore=locationOfOurKeyStore --httpsKeyStorePassword=xxx >>>--httpsListenAddress:0.0.0.0 --ajp13Port=a_port_number --debug=5 >>>--handlerCountMax=100 --handlerCountMaxIdle=20 >>> >>> I had thought the Jetty config file would be in >>>/var/cache/Jenkins/war or in /usr/lib/jenkins/jenkins.war but I didn't >>>see the cipher related entries in .xml files in the former and didn't >>>want to change anything in the latter. I also looked in >>>/var/lib/jenkins but didn't see anything that matched what I thought I >>>was looking for there either. >>> >>> -----Original Message----- >>> From: jenkinsci-users@googlegroups.com >>>[mailto:jenkinsci-users@googlegroups.com] On Behalf Of Daniel Beck >>> Sent: Wednesday, October 28, 2015 9:25 AM >>> To: jenkinsci-users@googlegroups.com >>> Subject: Re: unable to access Jenkins in Firefox and Chrome after >>>latest browser updates because of "weak ephemeral Diffie-Hellman >>>public key" >>> >>> To clarify, you're using the embedded Jetty-Winstone to run Jenkins >>>(i.e. java -jar jenkins.war), including SSL/TLS? >>> >>> On 28.10.2015, at 17:17, Roger Moore <rmoo...@ra.rockwell.com> wrote: >>> >>>> Thanks Brent. I had found similar discussions but not on that >>>>message list. >>>> >>>> After reading that though, and from the other things I¹ve found, it >>>>seems the correct fix is to change the setting on the Jenkins server >>>>because we already are using 1024-bit certificates. >>>> >>>> I had found a page that discusses how to fix the issue on Jetty >>>>implementations, but the specified file did not exist (or perhaps I >>>>couldn¹t find it) in Jenkins. >>>> >>>> My real question then is what do I modify in our Jenkins >>>>implementation to get around this issue? Assuming that there is >>>>something to modifyŠ >>>> >>>> From: jenkinsci-users@googlegroups.com >>>>[mailto:jenkinsci-users@googlegroups.com] On Behalf Of Brent Atkinson >>>> Sent: Tuesday, October 27, 2015 4:27 PM >>>> To: jenkinsci-users@googlegroups.com >>>> Subject: Re: unable to access Jenkins in Firefox and Chrome after >>>>latest browser updates because of "weak ephemeral Diffie-Hellman >>>>public key" >>>> >>>> https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic >>>> >>>> On Tue, Oct 27, 2015 at 1:31 PM, Roger Moore >>>><rmoo...@ra.rockwell.com> >>>>wrote: >>>> Has anyone else seen a problem accessing Jenkins after Chrome was >>>>updated to v45? Chrome reports: >>>> >>>> "This error can occur when connecting to a secure (HTTPS) server. It >>>>means that the server is trying to set up a secure connection but, >>>>due to a disastrous misconfiguration, the connection wouldn't be >>>>secure at all! >>>> >>>> In this case the server needs to be fixed. Google Chrome won't use >>>>insecure connections in order to protect your privacy." >>>> >>>> A similar error occurs in Firefox v39.0, which reports: >>>> >>>> "An error occurred during a connection to 'servername:portnumber'. >>>>SSL received a weak ephemeral Diffie-Hellman key in Server Key >>>>Exchange handshake message. (Error code: >>>>ssl_error_weak_server_ephemeral_dh_key)." >>>> >>>> I can connect using IE and Safari though. >>>> >>>> The Jenkins logs do not provide messages at the time when the >>>>attempt to connect is made. >>>> >>>> I tried looking at the Jenkins configuration and using Google >>>>searches, but could not find where to change the setting in Jenkins >>>>to force Jenkins to use the stronger key. >>>> >>>> Any suggestions would be appreciated. >>>> >>>> >>>> >>>> Roger Moore >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to jenkinsci-users+unsubscr...@googlegroups.com. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB198183FA4F >>>>85C 5148C4BEEEEB6220%40SN1PR08MB1981.namprd08.prod.outlook.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to jenkinsci-users+unsubscr...@googlegroups.com. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/CALyHw0HLs%2BOi8_58 >>>>-W6 gAwfSK0k-%3DOgRi_M4bSngm4tOs319EA%40mail.gmail.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to jenkinsci-users+unsubscr...@googlegroups.com. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB1981952157 >>>>545 5091AD09AD5B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>>> For more options, visit https://groups.google.com/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>>Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, >>>send an email to jenkinsci-users+unsubscr...@googlegroups.com. >>> To view this discussion on the web visit >>>https://groups.google.com/d/msgid/jenkinsci-users/C5C8527B-0103-4D90-B >>>D3A >>>-5E60BC15235D%40beckweb.net. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>>Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, >>>send an email to jenkinsci-users+unsubscr...@googlegroups.com. >>> To view this discussion on the web visit >>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19811F65BD1 >>>C20 8F5840C691B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >>-- >>You received this message because you are subscribed to the Google >>Groups "Jenkins Users" group. >>To unsubscribe from this group and stop receiving emails from it, send >>an email to jenkinsci-users+unsubscr...@googlegroups.com. >>To view this discussion on the web visit >>https://groups.google.com/d/msgid/jenkinsci-users/78F57B4C-5F2C-41C1-91 >>61- >>1D31C04BEF4E%40beckweb.net. >>For more options, visit https://groups.google.com/d/optout. >> >>-- >>You received this message because you are subscribed to the Google >>Groups "Jenkins Users" group. >>To unsubscribe from this group and stop receiving emails from it, send >>an email to jenkinsci-users+unsubscr...@googlegroups.com. >>To view this discussion on the web visit >>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19811C64DAE0 >>5DC 07F3DCDD4B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>For more options, visit https://groups.google.com/d/optout. > >-- >You received this message because you are subscribed to the Google Groups >"Jenkins Users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to jenkinsci-users+unsubscr...@googlegroups.com. >To view this discussion on the web visit >https://groups.google.com/d/msgid/jenkinsci-users/D257ABAF.328CC%25ingunaw >a%40cisco.com. >For more options, visit https://groups.google.com/d/optout. > >-- >You received this message because you are subscribed to the Google Groups >"Jenkins Users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to jenkinsci-users+unsubscr...@googlegroups.com. >To view this discussion on the web visit >https://groups.google.com/d/msgid/jenkinsci-users/CY1PR08MB1976EBF0AB7F004 >DD656BFC2B6200%40CY1PR08MB1976.namprd08.prod.outlook.com. >For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/D257D9CB.3298B%25ingunawa%40cisco.com. For more options, visit https://groups.google.com/d/optout.
