Environment
- Jenkins
- Jenkins LTS
- CloudBees Jenkins Enterprise (CJE)
- CloudBees Jenkins Operations Center (CJOC)
Resolution
Any specific ciphers that need to be disabled must be disabled at the Java Virtual Machine (JVM) level. Because of this, it is best to review the documentation for the specific Java version used in your environment. For example, recent Java versions introduced various changes to tighten security and to stop accepting unsafe certificates by default. Please see the examples below for Java 8:
- jdk1.8.0_51: jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
- >= jdk1.8.0_60: jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
- >= jdk1.8.0_71: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
Please also note that the Oracle JDK stores this information in $JAVA_HOME/jre/lib/security/java.security.
For example, to disable a specific cipher, add the name of the cipher to the following line in the java.security file:
jdk.tls.disabledAlgorithms=SSLv3
changed to
jdk.tls.disabledAlgorithms=3DES_EDE_CBC, SSLv3, DSA, RSA keySize < 2048
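A quick way to verify that the edit above actually took effect is to read the file back and compare it against the list you intended to disable. The script below is an added example (not CloudBees or Jenkins code): it parses the jdk.tls.disabledAlgorithms property from a java.security file, including the backslash line continuations Oracle's shipped file uses, and reports which wanted entries are still missing. The java.security content it runs on is a constructed sample, not a real JDK file.

```python
import re

# Constructed sample, laid out like $JAVA_HOME/jre/lib/security/java.security
# (Oracle's file wraps long values with a trailing backslash).
SAMPLE_JAVA_SECURITY = """\
# TLS algorithm restrictions (constructed sample, not a real JDK file)
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""

def parse_properties(text):
    """Minimal java.security reader: skips comments, joins '\\' continuations."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1]      # value continues on the next line
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props

def _norm(entry):
    # Entries such as "DH keySize < 768" are compared whole, ignoring
    # whitespace differences and case (the JDK matches names case-insensitively).
    return re.sub(r"\s+", " ", entry).strip().lower()

def disabled_tls_algorithms(text):
    """Set of normalised entries listed in jdk.tls.disabledAlgorithms."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return {_norm(e) for e in value.split(",") if e.strip()}

def missing_entries(text, wanted):
    """Entries from `wanted` that the file does NOT disable, in the order given."""
    present = disabled_tls_algorithms(text)
    return [w for w in wanted if _norm(w) not in present]

if __name__ == "__main__":
    # The stricter list from the "changed to" line above
    wanted = ["3DES_EDE_CBC", "SSLv3", "DSA", "RSA keySize < 2048"]
    print("not disabled:", missing_entries(SAMPLE_JAVA_SECURITY, wanted))
```

Point it at the real file (open($JAVA_HOME/jre/lib/security/java.security).read()) after editing, and remember the check only reflects the file; the running Jenkins JVM must be restarted to pick the change up.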
The link to the official Oracle Java Secure Socket Extension (JSSE) Reference Guide is included below.
About SSHD
It is currently not possible to disable ciphers for the Jenkins SSHD module: the ciphers for the SSHD daemon are set in the code of the sshd-module.
There is an open issue to remove unsafe ciphers: JENKINS-39805. In the meantime, we recommend disabling SSHD if it is not used.