[JRASERVER-27681] Improve the default SSL cipherset in standalone JIRA setup

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: Security
Labels:
Environment:
Windows server 2003 - Jira 4.4.3 with the bundled JRE.

UIS:
2
Support reference count:
7
Feedback Policy:

We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

We are concerned about 'SSL Weak Cipher Suites Supported' and 'SSL Medium Strength Cipher Suites Suppored'. Any suggestions would be helpful.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"

This is assuming APR is not in use, in which case the following should be used:

SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

Workaround

Either of the following can be used:

Alter the server.xml to serve only the required ciphers as per Security tools report the default SSL Ciphers are too weak.
Host JIRA behind a reverse-proxy that will handle the serving of SSL as per Integrating JIRA with Apache using SSL.

relates to

JRACLOUD-27681 Improve the default SSL cipherset in standalone JIRA setup

Closed

Kerrod Williams (Inactive) added a comment - 15/Jul/2015 11:44 PM

Thanks for taking the time to raise this issue.

Due to the large volume of JIRA feature suggestions, we have to prioritise our development efforts. In part, that means concentrating on those issues that resonate the most with our users.

I am writing this note to advise you, that we have decided to close your Suggestion as it has not gained traction on jira.atlassian.com. We believe being upfront and direct with you will assist you in your decision making rather than believing Atlassian will eventually address this issue.

Thank you again for your suggestion and if you have any concerns or question, please don’t hesitate to email me.

Kind Regards,
Kerrod Williams
JIRA Product Management
kerrod.williams at atlassian dot com

Kerrod Williams (Inactive) added a comment - 15/Jul/2015 11:44 PM Thanks for taking the time to raise this issue. Due to the large volume of JIRA feature suggestions, we have to prioritise our development efforts . In part, that means concentrating on those issues that resonate the most with our users. I am writing this note to advise you, that we have decided to close your Suggestion as it has not gained traction on jira.atlassian.com. We believe being upfront and direct with you will assist you in your decision making rather than believing Atlassian will eventually address this issue. Thank you again for your suggestion and if you have any concerns or question, please don’t hesitate to email me. Kind Regards, Kerrod Williams JIRA Product Management kerrod.williams at atlassian dot com

David Black added a comment - 26/Feb/2015 12:18 AM

The default weak ciphers do not appear to be available in java 7 or above.

David Black added a comment - 26/Feb/2015 12:18 AM The default weak ciphers do not appear to be available in java 7 or above.

Scott Hammonds added a comment - 01/Jul/2013 4:18 PM

This article discusses how to manually fix in server.xml file. https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak

Scott Hammonds added a comment - 01/Jul/2013 4:18 PM This article discusses how to manually fix in server.xml file. https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak

Valentijn Scholten added a comment - 27/Dec/2012 10:27 PM

+1 for improving this. Especially for enterprise environments it currently is too weak.

Valentijn Scholten added a comment - 27/Dec/2012 10:27 PM +1 for improving this. Especially for enterprise environments it currently is too weak.

Eric Dalgliesh added a comment - 15/Nov/2012 12:41 AM

matthew.fenton@unt.edu, FYI we're having some internal discussion about this issue and will update this issue as useful information becomes available.

Eric Dalgliesh added a comment - 15/Nov/2012 12:41 AM matthew.fenton@unt.edu , FYI we're having some internal discussion about this issue and will update this issue as useful information becomes available.

Details

Description

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Kerrod Williams (Inactive) added a comment - 15/Jul/2015 11:44 PM

Expand comment: Kerrod Williams (Inactive) added a comment - 15/Jul/2015 11:44 PM

Collapse comment: David Black added a comment - 26/Feb/2015 12:18 AM

Expand comment: David Black added a comment - 26/Feb/2015 12:18 AM

Collapse comment: Scott Hammonds added a comment - 01/Jul/2013 4:18 PM

Expand comment: Scott Hammonds added a comment - 01/Jul/2013 4:18 PM

Collapse comment: Valentijn Scholten added a comment - 27/Dec/2012 10:27 PM

Expand comment: Valentijn Scholten added a comment - 27/Dec/2012 10:27 PM

Collapse comment: Eric Dalgliesh added a comment - 15/Nov/2012 12:41 AM

Expand comment: Eric Dalgliesh added a comment - 15/Nov/2012 12:41 AM

People

Dates