Could you file an improvement against the 'winstone' component in our issue tracker?
https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue On 28.10.2015, at 17:50, Roger Moore <[email protected]> wrote: > Thank for the reply, Daniel. > > I am using the default installation/configuration of Jenkins which I > understand is Jetty. But I have configured it to use https on a port that our > IT department requires me to use. And, we are running on CentOS 7. > > Therefore, the command that runs is (some info modified for brevity and > security): > > java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true > -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war > --logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=-1 > --httpsPort=ourportnumber --httpsKeyStore=locationOfOurKeyStore > --httpsKeyStorePassword=xxx --httpsListenAddress:0.0.0.0 > --ajp13Port=a_port_number --debug=5 --handlerCountMax=100 > --handlerCountMaxIdle=20 > > I had thought the Jetty config file would be in /var/cache/Jenkins/war or in > /usr/lib/jenkins/jenkins.war but I didn't see the cipher related entries in > .xml files in the former and didn't want to change anything in the latter. I > also looked in /var/lib/jenkins but didn't see anything that matched what I > thought I was looking for there either. > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Daniel Beck > Sent: Wednesday, October 28, 2015 9:25 AM > To: [email protected] > Subject: Re: unable to access Jenkins in Firefox and Chrome after latest > browser updates because of "weak ephemeral Diffie-Hellman public key" > > To clarify, you're using the embedded Jetty-Winstone to run Jenkins (i.e. > java -jar jenkins.war), including SSL/TLS? > > On 28.10.2015, at 17:17, Roger Moore <[email protected]> wrote: > >> Thanks Brent. I had found similar discussions but not on that message list. >> >> After reading that though, and from the other things I’ve found, it seems >> the correct fix is to change the setting on the Jenkins server because we >> already are using 1024-bit certificates. >> >> I had found a page that discusses how to fix the issue on Jetty >> implementations, but the specified file did not exist (or perhaps I couldn’t >> find it) in Jenkins. >> >> My real question then is what do I modify in our Jenkins implementation to >> get around this issue? Assuming that there is something to modify… >> >> From: [email protected] >> [mailto:[email protected]] On Behalf Of Brent Atkinson >> Sent: Tuesday, October 27, 2015 4:27 PM >> To: [email protected] >> Subject: Re: unable to access Jenkins in Firefox and Chrome after latest >> browser updates because of "weak ephemeral Diffie-Hellman public key" >> >> https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic >> >> On Tue, Oct 27, 2015 at 1:31 PM, Roger Moore <[email protected]> wrote: >> Has anyone else seen a problem accessing Jenkins after Chrome was updated to >> v45? Chrome reports: >> >> "This error can occur when connecting to a secure (HTTPS) server. It means >> that the server is trying to set up a secure connection but, due to a >> disastrous misconfiguration, the connection wouldn't be secure at all! >> >> In this case the server needs to be fixed. Google Chrome won't use insecure >> connections in order to protect your privacy." >> >> A similar error occurs in Firefox v39.0, which reports: >> >> "An error occurred during a connection to 'servername:portnumber'. SSL >> received a weak ephemeral Diffie-Hellman key in Server Key Exchange >> handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)." >> >> I can connect using IE and Safari though. >> >> The Jenkins logs do not provide messages at the time when the attempt to >> connect is made. >> >> I tried looking at the Jenkins configuration and using Google searches, but >> could not find where to change the setting in Jenkins to force Jenkins to >> use the stronger key. >> >> Any suggestions would be appreciated. >> >> >> >> Roger Moore >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB198183FA4F85C5148C4BEEEEB6220%40SN1PR08MB1981.namprd08.prod.outlook.com. >> For more options, visit https://groups.google.com/d/optout. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-users/CALyHw0HLs%2BOi8_58-W6gAwfSK0k-%3DOgRi_M4bSngm4tOs319EA%40mail.gmail.com. >> For more options, visit https://groups.google.com/d/optout. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19819521575455091AD09AD5B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >> For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/C5C8527B-0103-4D90-BD3A-5E60BC15235D%40beckweb.net. > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19811F65BD1C208F5840C691B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/78F57B4C-5F2C-41C1-9161-1D31C04BEF4E%40beckweb.net. For more options, visit https://groups.google.com/d/optout.
