I was able to remediate the weak ciphers finding by updating 
jdk.tls.disabledAlgorithms as below:

jdk.tls.disabledAlgorithms=MD5,SSLv3,DSA, DESede,DES,3DES, RSA keySize < 
2048, CBC, TLSv1, TLSv1.1, RC4, 3DES_EDE_CBC, RC4, MD5withRSA, DH keySize < 
1024, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
    EC keySize < 224, anon, NULL, \

On Wednesday, June 2, 2021 at 10:49:07 AM UTC-4 s.p...@gmail.com wrote:

> In our web scans, we are seeing weak ciphers-enabled vulnerability. 
> *example:* Netsparker Enterprise detected that weak ciphers are enabled during
> secure communication (SSL).
> You should allow only strong ciphers on your webserver to protect
> secure communication with your visitors.
> List of Supported Weak Ciphers
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B)
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
>
> I tried the remediation suggested in the following link and updated the
> java.security file as below, but no luck. The vulnerability keeps appearing. Am I
> missing anything?
> https://support.cloudbees.com/hc/en-us/articles/216526298-Disabling-Specific-Ciphers-In-Jenkins
>
> jdk.tls.disabledAlgorithms=MD5,SSLv3,DSA, DESede,DES,3DES, RSA keySize < 
> 2048, CBC, TLSv1, TLSv1.1, RC4,DES-CBC3-SHA keySize <256, 
> 3DES_EDE_CBC,RC4,,MD5withRSA, DH keySize < 1024, \
>     EC keySize < 224, anon, NULL, \
>
> Windows -2012R2 server
> Jdk1.8.0_281 
> Jenkins  url: https:<hostname>:8443
>
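
A way to confirm the change above took effect before re-running the scan, as an added example that is not part of the original messages: it prints the jdk.tls.disabledAlgorithms value the JVM actually loaded and reports whether any of the four flagged suites is still in the default server cipher suite list. The class name CheckDisabledSuites is hypothetical, and it assumes you compile and run it with the same JDK that launches Jenkins.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name). Run it with the same JDK that
// starts Jenkins so that it reads the same java.security file.
public class CheckDisabledSuites {
    // The four suites listed in the scanner finding quoted in this thread.
    static final String[] FLAGGED = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    };

    // Returns the flagged suites that are present in the given enabled list.
    static Set<String> stillEnabled(String[] enabled) {
        Set<String> hits = new LinkedHashSet<>(Arrays.asList(FLAGGED));
        hits.retainAll(Arrays.asList(enabled));
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Shows which JRE, and therefore which java.security file, is in use.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Cipher suites a server socket is given by default on this JVM.
        String[] enabled = SSLContext.getDefault()
                .getServerSocketFactory().getDefaultCipherSuites();

        Set<String> hits = stillEnabled(enabled);
        for (String suite : hits) {
            System.out.println("STILL ENABLED: " + suite);
        }
        if (hits.isEmpty()) {
            System.out.println("None of the flagged suites is enabled by default.");
        }
        // A non-zero exit code lets a script fail when a flagged suite remains.
        System.exit(hits.isEmpty() ? 0 : 1);
    }
}
```

If the printed property value does not match what was written to the file, the running JVM is not picking up the edit.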
