I was able to remediate the weak ciphers finding by updating
jdk.tls.disabledAlgorithms as below:
jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, 3DES, RSA keySize < 2048, \
    CBC, TLSv1, TLSv1.1, RC4, 3DES_EDE_CBC, RC4, MD5withRSA, DH keySize < 1024, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
    EC keySize < 224, anon, NULL
On Wednesday, June 2, 2021 at 10:49:07 AM UTC-4 [email protected] wrote:
> In our web scans, we are seeing weak ciphers-enabled vulnerability.
> Example: Netsparker Enterprise detected that weak ciphers are enabled during
> secure communication (SSL).
> You should allow only strong ciphers on your webserver to protect
> secure communication with your visitors.
> List of Supported Weak Ciphers
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
>
> I tried the remediation suggested in the following link and updated java.
> security file as below but no luck. The vulnerability keeps appearing. Am I
> missing anything?
> https://support.cloudbees.com/hc/en-us/articles/216526298-Disabling-Specific-Ciphers-In-Jenkins
>
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, 3DES, RSA keySize < 2048, \
>     CBC, TLSv1, TLSv1.1, RC4, DES-CBC3-SHA keySize < 256, 3DES_EDE_CBC, RC4, \
>     MD5withRSA, DH keySize < 1024, EC keySize < 224, anon, NULL
>
> Windows -2012R2 server
> Jdk1.8.0_281
> Jenkins URL: https://<hostname>:8443
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/fc61d0a7-ef1f-4347-b134-0898779e5772n%40googlegroups.com.
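To confirm that an edit to jdk.tls.disabledAlgorithms actually took effect in the JVM that runs Jenkins, rather than relying on the next scanner run, the following check is an added example; it is not code from this thread, from CloudBees or from the Jenkins project. It uses only the standard JDK 8 API; the class name CheckDisabledSuites and the JDK path in the comment are placeholders.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not from the thread). Prints the java.security policy the
 * running JVM loaded and the cipher suites it will offer by default, then
 * exits 1 if any suite from the scanner report is still enabled.
 *
 * Run it with the same java.exe that starts Jenkins, for instance:
 *   "C:\Program Files\Java\jdk1.8.0_281\bin\java" CheckDisabledSuites
 * (path is a placeholder; check the service definition for the real one).
 */
public class CheckDisabledSuites {

    // The four suites listed in the Netsparker finding quoted above.
    static final List<String> FLAGGED = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");

    public static void main(String[] args) throws Exception {
        // Editing java.security under a different JDK/JRE than the one the
        // service uses is a common reason a finding persists, so show which
        // installation this JVM is and what it read from its java.security.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // The default SSLContext applies jdk.tls.disabledAlgorithms when it
        // builds its default parameter set, so this list is post-filtering.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        Set<String> enabled = new TreeSet<>(Arrays.asList(params.getCipherSuites()));

        System.out.println("Enabled protocols: " + Arrays.toString(params.getProtocols()));
        System.out.println("Enabled cipher suites (" + enabled.size() + "):");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }

        int stillEnabled = 0;
        for (String suite : FLAGGED) {
            if (enabled.contains(suite)) {
                System.out.println("STILL ENABLED: " + suite);
                stillEnabled++;
            }
        }
        System.exit(stillEnabled == 0 ? 0 : 1);
    }
}
```

To try a candidate list without touching the installed java.security, put the single jdk.tls.disabledAlgorithms= line in its own file and start the check with -Djava.security.properties=<that file>; the JDK merges it over the installed file, and the printed property shows what the JVM ended up with. Two caveats: the JDK does not validate the tokens, so a name it does not understand (an OpenSSL-style "DES-CBC3-SHA", for example) simply never matches anything and silently does nothing, and this check only covers the JSSE defaults. The Jenkins listener can further include or exclude suites on its own, so an external probe of https://<hostname>:8443 with each flagged suite is still the final word.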