[FE-4896] SSL Cipher suites are not configurable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 3.6.0
Affects Version/s: 3.1.2
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Allow SSL cipher suites to be configured, preferably in the administration panel but at a minimum by editing the config.xml. Currently we are relying on the default cipher suites for jetty which includes some outdated ones that are considered insecure these days.

See configuring cipher suites

It looks like a change needs to be made in com.cenqua.fisheye.web.WebServer, where we set up the SslContextFactory. We need to call setIncludeCipherSuites to provide a list of cipher suites.

duplicates

CRUC-6594 Allow configuring SSL cipher suites and protocols in jetty ssl connector

Closed

Form Name

paulwatson (Inactive) added a comment - 09/Oct/2013 7:58 AM

nickpellow - thanks! I've published that now.

paulwatson (Inactive) added a comment - 09/Oct/2013 7:58 AM nickpellow - thanks! I've published that now.

Nick added a comment - 08/Oct/2013 12:48 AM - edited

It is currently possible to allow the webserver FishEye bundles (Jetty) to use other Cipher Suites.
To do this:

create a file called: jetty-web.xml in FISHEYE_HOME/content/WEB-INF/jetty-web.xml

add the following content to the file. Modify parameters as needed:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd" >
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="server">
      <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
              <Set name="Port">8443</Set>
              <Set name="maxIdleTime">30000</Set>
              <Set name="keyPassword">XXX</Set>
              <Set name="trustPassword">XXX</Set>
              <Set name="IncludeCipherSuites">
                <Array type="java.lang.String">
                  <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
                </Array>
              </Set>
            </New>
            </Arg>
      </Call>
    </Get>
</Configure>

restart FishEye

The above configuration will mean that you have a new SSL Connector listening on port 8443, using whatever Cipher Suites you've configured there.

We could potentially update our config.xml to allow this to be done there as well.

Nick added a comment - 08/Oct/2013 12:48 AM - edited It is currently possible to allow the webserver FishEye bundles (Jetty) to use other Cipher Suites. To do this: create a file called: jetty-web.xml in FISHEYE_HOME/content/WEB-INF/jetty-web.xml add the following content to the file. Modify parameters as needed: <?xml version= "1.0" encoding= "ISO-8859-1" ?> <!DOCTYPE Configure PUBLIC "- //Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd" > <Configure class= "org.eclipse.jetty.webapp.WebAppContext" > <Get name= "server" > <Call name= "addConnector" > <Arg> <New class= "org.eclipse.jetty.server.ssl.SslSocketConnector" > <Set name= "Port" >8443</Set> <Set name= "maxIdleTime" >30000</Set> <Set name= "keyPassword" >XXX</Set> <Set name= "trustPassword" >XXX</Set> <Set name= "IncludeCipherSuites" > <Array type= "java.lang. String " > <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item> </Array> </Set> </New> </Arg> </Call> </Get> </Configure> restart FishEye The above configuration will mean that you have a new SSL Connector listening on port 8443, using whatever Cipher Suites you've configured there. We could potentially update our config.xml to allow this to be done there as well.

Assignee:: Unassigned

Reporter:: Richard Stephens (Inactive)

Affected customers:: 1 This affects my team

Watchers:: 5 Start watching this issue

Created:: 27/Sep/2013 6:49 AM

Updated:: 14/Oct/2015 12:00 PM

Resolved:: 03/Aug/2015 9:50 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: paulwatson (Inactive) added a comment - 09/Oct/2013 7:58 AM

Expand comment: paulwatson (Inactive) added a comment - 09/Oct/2013 7:58 AM

Collapse comment: Nick added a comment - 08/Oct/2013 12:48 AM, Edited by Nick - 08/Oct/2013 12:48 AM

Expand comment: Nick added a comment - 08/Oct/2013 12:48 AM, Edited by Nick - 08/Oct/2013 12:48 AM

People

Dates