When we upgraded to 1.580.3. We simply download the RHEL RPM package and install it. We make sure to give the location of our existing .keystore set for “JENKINS_HTTPS_KEYSTORE=“ in the /etc/sysconfig/jenkins. We install Oracle JDK 7 to run Jenkins. I have been using Oracle JDK 7 to run Jenkins even in older version. I never rely on openJDK or JRE that comes with the RHEL.
-Indra On 10/29/15, 11:29 AM, "[email protected] on behalf of Roger Moore" <[email protected] on behalf of [email protected]> wrote: >Hi Indra, thanks for your reply. We are currently running 1.596. > >When you upgraded to 1.580.3, did that change your version of Java too? > >-----Original Message----- >From: [email protected] >[mailto:[email protected]] On Behalf Of Indra Gunawan >(ingunawa) >Sent: Thursday, October 29, 2015 10:58 AM >To: [email protected] >Subject: Re: unable to access Jenkins in Firefox and Chrome after latest >browser updates because of "weak ephemeral Diffie-Hellman public key" > >HI Roger, > >If you upgrade to the latest LTS this issue goes away. I see this on >very old instance of Jenkins running 1.455 we are still running. After >upgrade to v. 1.580.3 with SSL left as is with existing .keystore, I am >not seeing this anymore. > >-Indra > >On 10/28/15, 11:14 AM, "[email protected] on behalf of >Roger Moore" <[email protected] on behalf of >[email protected]> wrote: > >>The deed is done. It was my first submission, so please let me know if >>I screwed it up... >> >>https://issues.jenkins-ci.org/browse/JENKINS-31242 >> >>-----Original Message----- >>From: [email protected] >>[mailto:[email protected]] On Behalf Of Daniel Beck >>Sent: Wednesday, October 28, 2015 10:30 AM >>To: [email protected] >>Subject: Re: unable to access Jenkins in Firefox and Chrome after >>latest browser updates because of "weak ephemeral Diffie-Hellman public >>key" >> >>Could you file an improvement against the 'winstone' component in our >>issue tracker? >> >>https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue >> >>On 28.10.2015, at 17:50, Roger Moore <[email protected]> wrote: >> >>> Thank for the reply, Daniel. >>> >>> I am using the default installation/configuration of Jenkins which I >>>understand is Jetty. But I have configured it to use https on a port >>>that our IT department requires me to use. And, we are running on >>>CentOS 7. >>> >>> Therefore, the command that runs is (some info modified for brevity >>>and >>>security): >>> >>> java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true >>>-DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war >>>--logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon >>>--httpPort=-1 --httpsPort=ourportnumber >>>--httpsKeyStore=locationOfOurKeyStore --httpsKeyStorePassword=xxx >>>--httpsListenAddress:0.0.0.0 --ajp13Port=a_port_number --debug=5 >>>--handlerCountMax=100 --handlerCountMaxIdle=20 >>> >>> I had thought the Jetty config file would be in >>>/var/cache/Jenkins/war or in /usr/lib/jenkins/jenkins.war but I didn't >>>see the cipher related entries in .xml files in the former and didn't >>>want to change anything in the latter. I also looked in >>>/var/lib/jenkins but didn't see anything that matched what I thought I >>>was looking for there either. >>> >>> -----Original Message----- >>> From: [email protected] >>>[mailto:[email protected]] On Behalf Of Daniel Beck >>> Sent: Wednesday, October 28, 2015 9:25 AM >>> To: [email protected] >>> Subject: Re: unable to access Jenkins in Firefox and Chrome after >>>latest browser updates because of "weak ephemeral Diffie-Hellman >>>public key" >>> >>> To clarify, you're using the embedded Jetty-Winstone to run Jenkins >>>(i.e. java -jar jenkins.war), including SSL/TLS? >>> >>> On 28.10.2015, at 17:17, Roger Moore <[email protected]> wrote: >>> >>>> Thanks Brent. I had found similar discussions but not on that >>>>message list. >>>> >>>> After reading that though, and from the other things I¹ve found, it >>>>seems the correct fix is to change the setting on the Jenkins server >>>>because we already are using 1024-bit certificates. >>>> >>>> I had found a page that discusses how to fix the issue on Jetty >>>>implementations, but the specified file did not exist (or perhaps I >>>>couldn¹t find it) in Jenkins. >>>> >>>> My real question then is what do I modify in our Jenkins >>>>implementation to get around this issue? Assuming that there is >>>>something to modifyŠ >>>> >>>> From: [email protected] >>>>[mailto:[email protected]] On Behalf Of Brent Atkinson >>>> Sent: Tuesday, October 27, 2015 4:27 PM >>>> To: [email protected] >>>> Subject: Re: unable to access Jenkins in Firefox and Chrome after >>>>latest browser updates because of "weak ephemeral Diffie-Hellman >>>>public key" >>>> >>>> https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic >>>> >>>> On Tue, Oct 27, 2015 at 1:31 PM, Roger Moore >>>><[email protected]> >>>>wrote: >>>> Has anyone else seen a problem accessing Jenkins after Chrome was >>>>updated to v45? Chrome reports: >>>> >>>> "This error can occur when connecting to a secure (HTTPS) server. It >>>>means that the server is trying to set up a secure connection but, >>>>due to a disastrous misconfiguration, the connection wouldn't be >>>>secure at all! >>>> >>>> In this case the server needs to be fixed. Google Chrome won't use >>>>insecure connections in order to protect your privacy." >>>> >>>> A similar error occurs in Firefox v39.0, which reports: >>>> >>>> "An error occurred during a connection to 'servername:portnumber'. >>>>SSL received a weak ephemeral Diffie-Hellman key in Server Key >>>>Exchange handshake message. (Error code: >>>>ssl_error_weak_server_ephemeral_dh_key)." >>>> >>>> I can connect using IE and Safari though. >>>> >>>> The Jenkins logs do not provide messages at the time when the >>>>attempt to connect is made. >>>> >>>> I tried looking at the Jenkins configuration and using Google >>>>searches, but could not find where to change the setting in Jenkins >>>>to force Jenkins to use the stronger key. >>>> >>>> Any suggestions would be appreciated. >>>> >>>> >>>> >>>> Roger Moore >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to [email protected]. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB198183FA4F >>>>85C 5148C4BEEEEB6220%40SN1PR08MB1981.namprd08.prod.outlook.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to [email protected]. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/CALyHw0HLs%2BOi8_58 >>>>-W6 gAwfSK0k-%3DOgRi_M4bSngm4tOs319EA%40mail.gmail.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>>Groups "Jenkins Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, >>>>send an email to [email protected]. >>>> To view this discussion on the web visit >>>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB1981952157 >>>>545 5091AD09AD5B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>>> For more options, visit https://groups.google.com/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>>Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, >>>send an email to [email protected]. >>> To view this discussion on the web visit >>>https://groups.google.com/d/msgid/jenkinsci-users/C5C8527B-0103-4D90-B >>>D3A >>>-5E60BC15235D%40beckweb.net. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> -- >>> You received this message because you are subscribed to the Google >>>Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, >>>send an email to [email protected]. >>> To view this discussion on the web visit >>>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19811F65BD1 >>>C20 8F5840C691B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >>-- >>You received this message because you are subscribed to the Google >>Groups "Jenkins Users" group. >>To unsubscribe from this group and stop receiving emails from it, send >>an email to [email protected]. >>To view this discussion on the web visit >>https://groups.google.com/d/msgid/jenkinsci-users/78F57B4C-5F2C-41C1-91 >>61- >>1D31C04BEF4E%40beckweb.net. >>For more options, visit https://groups.google.com/d/optout. >> >>-- >>You received this message because you are subscribed to the Google >>Groups "Jenkins Users" group. >>To unsubscribe from this group and stop receiving emails from it, send >>an email to [email protected]. >>To view this discussion on the web visit >>https://groups.google.com/d/msgid/jenkinsci-users/SN1PR08MB19811C64DAE0 >>5DC 07F3DCDD4B6210%40SN1PR08MB1981.namprd08.prod.outlook.com. >>For more options, visit https://groups.google.com/d/optout. > >-- >You received this message because you are subscribed to the Google Groups >"Jenkins Users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to [email protected]. >To view this discussion on the web visit >https://groups.google.com/d/msgid/jenkinsci-users/D257ABAF.328CC%25ingunaw >a%40cisco.com. >For more options, visit https://groups.google.com/d/optout. > >-- >You received this message because you are subscribed to the Google Groups >"Jenkins Users" group. >To unsubscribe from this group and stop receiving emails from it, send an >email to [email protected]. >To view this discussion on the web visit >https://groups.google.com/d/msgid/jenkinsci-users/CY1PR08MB1976EBF0AB7F004 >DD656BFC2B6200%40CY1PR08MB1976.namprd08.prod.outlook.com. >For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/D257D9CB.3298B%25ingunawa%40cisco.com. For more options, visit https://groups.google.com/d/optout.
