Hi Roger,

If you upgrade to the latest LTS this issue goes away.  I see this on a very
old instance of Jenkins running 1.455 that we are still running.  After upgrading
to v. 1.580.3 with SSL left as is with the existing .keystore, I am not seeing
this anymore.

-Indra

On 10/28/15, 11:14 AM, "[email protected] on behalf of
Roger Moore" <[email protected] on behalf of
[email protected]> wrote:

>The deed is done. It was my first submission, so please let me know if I
>screwed it up...
>
>https://issues.jenkins-ci.org/browse/JENKINS-31242
>
>-----Original Message-----
>From: [email protected]
>[mailto:[email protected]] On Behalf Of Daniel Beck
>Sent: Wednesday, October 28, 2015 10:30 AM
>To: [email protected]
>Subject: Re: unable to access Jenkins in Firefox and Chrome after latest
>browser updates because of "weak ephemeral Diffie-Hellman public key"
>
>Could you file an improvement against the 'winstone' component in our
>issue tracker?
>
>https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue
>
>On 28.10.2015, at 17:50, Roger Moore <[email protected]> wrote:
>
>> Thanks for the reply, Daniel.
>> 
>> I am using the default installation/configuration of Jenkins which I
>>understand is Jetty. But I have configured it to use https on a port
>>that our IT department requires me to use. And, we are running on CentOS
>>7. 
>> 
>> Therefore, the command that runs is (some info modified for brevity and
>>security):
>> 
>> java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true
>>-DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war
>>--logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon
>>--httpPort=-1 --httpsPort=ourportnumber
>>--httpsKeyStore=locationOfOurKeyStore --httpsKeyStorePassword=xxx
>>--httpsListenAddress:0.0.0.0 --ajp13Port=a_port_number --debug=5
>>--handlerCountMax=100 --handlerCountMaxIdle=20
>> 
>> I had thought the Jetty config file would be in /var/cache/jenkins/war
>>or in /usr/lib/jenkins/jenkins.war but I didn't see the cipher related
>>entries in .xml files in the former and didn't want to change anything
>>in the latter. I also looked in /var/lib/jenkins but didn't see anything
>>that matched what I thought I was looking for there either.
>> 
>> -----Original Message-----
>> From: [email protected]
>>[mailto:[email protected]] On Behalf Of Daniel Beck
>> Sent: Wednesday, October 28, 2015 9:25 AM
>> To: [email protected]
>> Subject: Re: unable to access Jenkins in Firefox and Chrome after
>>latest browser updates because of "weak ephemeral Diffie-Hellman public
>>key"
>> 
>> To clarify, you're using the embedded Jetty-Winstone to run Jenkins
>>(i.e. java -jar jenkins.war), including SSL/TLS?
>> 
>> On 28.10.2015, at 17:17, Roger Moore <[email protected]> wrote:
>> 
>>> Thanks Brent. I had found similar discussions but not on that message
>>>list.
>>> 
>>> After reading that though, and from the other things I've found, it
>>>seems the correct fix is to change the setting on the Jenkins server
>>>because we already are using 1024-bit certificates.
>>> 
>>> I had found a page that discusses how to fix the issue on Jetty
>>>implementations, but the specified file did not exist (or perhaps I
>>>couldn't find it) in Jenkins.
>>> 
>>> My real question then is what do I modify in our Jenkins
>>>implementation to get around this issue? Assuming that there is
>>>something to modify…
>>> 
>>> From: [email protected]
>>>[mailto:[email protected]] On Behalf Of Brent Atkinson
>>> Sent: Tuesday, October 27, 2015 4:27 PM
>>> To: [email protected]
>>> Subject: Re: unable to access Jenkins in Firefox and Chrome after
>>>latest browser updates because of "weak ephemeral Diffie-Hellman public
>>>key"
>>> 
>>> https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic
>>> 
>>> On Tue, Oct 27, 2015 at 1:31 PM, Roger Moore <[email protected]>
>>>wrote:
>>> Has anyone else seen a problem accessing Jenkins after Chrome was
>>>updated to v45? Chrome reports:
>>> 
>>> "This error can occur when connecting to a secure (HTTPS) server. It
>>>means that the server is trying to set up a secure connection but, due
>>>to a disastrous misconfiguration, the connection wouldn't be secure at
>>>all! 
>>> 
>>> In this case the server needs to be fixed. Google Chrome won't use
>>>insecure connections in order to protect your privacy."
>>> 
>>> A similar error occurs in Firefox v39.0, which reports:
>>> 
>>> "An error occurred during a connection to 'servername:portnumber'. SSL
>>>received a weak ephemeral Diffie-Hellman key in Server Key Exchange
>>>handshake message. (Error code:
>>>ssl_error_weak_server_ephemeral_dh_key)."
>>> 
>>> I can connect using IE and Safari though.
>>> 
>>> The Jenkins logs do not provide messages at the time when the attempt
>>>to connect is made.
>>> 
>>> I tried looking at the Jenkins configuration and using Google
>>>searches, but could not find where to change the setting in Jenkins to
>>>force Jenkins to use the stronger key.
>>> 
>>> Any suggestions would be appreciated.
>>> 
>>> 
>>> 
>>> Roger Moore
>>> 
>>> --
>>> You received this message because you are subscribed to the Google
>>>Groups "Jenkins Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>>an email to [email protected].
>>> To view this discussion on the web visit
>>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB198183FA4F85C
>>>5148C4BEEEEB6220%40SN1PR08MB1981.namprd08.prod.outlook.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>> 
>> 
>> 
>

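An added example, not part of the thread or of Jenkins: a way to confirm, before and after an upgrade like the one described above, which ephemeral key the HTTPS listener actually offers. It reads the `Server Temp Key` line that `openssl s_client` prints; that size is negotiated separately from the certificate's key. The function name, both thresholds and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the ephemeral key a TLS server offered, from `openssl s_client` output.
# Against a live server (HOST and PORT are placeholders):
#   openssl s_client -connect HOST:PORT -cipher DHE </dev/null 2>/dev/null | classify_temp_key
# Thresholds are assumptions: below MIN_BITS a browser refuses the handshake,
# below GOOD_BITS the group is accepted but still undersized.
MIN_BITS=${MIN_BITS:-1024}
GOOD_BITS=${GOOD_BITS:-2048}

classify_temp_key() {
    # s_client prints e.g. "Server Temp Key: DH, 768 bits" or
    # "Server Temp Key: ECDH, P-256, 256 bits".
    line=$(grep -m1 '^Server Temp Key:' || true)
    if [ -z "$line" ]; then
        echo "no-ephemeral-key"    # static RSA key exchange or failed handshake
        return 0
    fi
    kind=$(printf '%s\n' "$line" | sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\),.*/\1/p')
    bits=$(printf '%s\n' "$line" | sed -n 's/.*, \([0-9][0-9]*\) bits.*/\1/p')
    if [ "$kind" != "DH" ]; then
        echo "not-dhe:$kind"       # ECDHE and similar are not affected by this error
        return 0
    fi
    if [ -z "$bits" ]; then
        echo "unparsed"
    elif [ "$bits" -lt "$MIN_BITS" ]; then
        echo "rejected:$bits"
    elif [ "$bits" -lt "$GOOD_BITS" ]; then
        echo "weak:$bits"
    else
        echo "ok:$bits"
    fi
}

# Constructed sample output, not captured from any real server.
sample_weak_server() {
    printf 'CONNECTED(00000003)\n---\nServer Temp Key: DH, 768 bits\n---\n'
}

sample_weak_server | classify_temp_key
```

A `rejected` or `weak` result after an upgrade means the listener is still offering an undersized DHE group and the change did not take effect on that port.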