Disabling Specific Ciphers In Jenkins

Article ID:216526298
1 minute readKnowledge base


Disabling Specific Ciphers In Jenkins


  • Jenkins

  • Jenkins LTS

  • CloudBees Jenkins Enterprise (CJE)

  • CloudBees Jenkins Operations Center (CJOC)


Any specific ciphers that need to be disabled will need to be disabled at the Java Virtual Machine (JVM) level. Due to this fact it is best to review the documentation for the specific Java version being used in your environment. For example, there were various changes to enforce the security in latest Java versions and to not accept the use unsafe certificates by default. Please see the examples below with regards to Java 8:

jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

\>= jdk1.8.0_60
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

\>= jdk1.8.0_71
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Please also note that Oracle JDK stores this information here:$JAVA_HOME/jre/lib/security/java.security

For example, to disable a specific cipher, the name of the cipher should be added to the following line in the java.security file:


changed to

jdk.tls.disabledAlgorithms=3DES_EDE_CBC, SSLv3, DSA, RSA keySize < 2048

The link to official Oracle Java Secure Socket Extension (JSEE) Reference Guide is included below.

About SSHD

It is currently not possible to disable the ciphers for the Jenkins SSHD module. The ciphers for the SSHD daemon are set in the code of the sshd-module.

There is an open issue to remove unsafe ciphers: JENKINS-39805. In the meantime, we recommend to disable SSHD if it is not used.