weak ephemeral Diffie-Hellman


Indra Gunawan (ingunawa)

Sep 21, 2015, 2:16:08 PM
to jenkins...@googlegroups.com
To All,

As much as possible, we are using the Jenkins LTS RPM to set up Jenkins. We enable HTTPS on a different port, for instance 9081.
In the existing Jenkins we do not use a web server or proxy server to take care of HTTPS. We generate the keystore with Java keytool.

keytool -genkey -alias hdsoncert -keyalg RSA -keysize 2048 -sigalg SHA1withRSA …

Starting with Firefox and now Chrome, some of the existing Jenkins instances are inaccessible, with the browsers (Firefox and Chrome) complaining that the server has a weak ephemeral Diffie-Hellman public key.
I googled Jenkins and weak ephemeral Diffie-Hellman and nothing came up.

It looks like it is not the key that is insecure but another issue with the temporary ephemeral DH key:
http://stackoverflow.com/questions/30523324/how-to-config-local-jetty-ssl-to-avoid-weak-phermeral-dh-key-error


Do you have any suggestions besides setting up a proxy like Nginx and configuring it with a new cipher suite to disable this weak ephemeral DH?

Shall I try running Jenkins with Java 8?
https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html


I am running Jenkins with Java 7

Thank you
-Indra
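
One way to confirm which ephemeral key a listener such as the Jenkins HTTPS port actually negotiates, as an added example that is not part of the original post: the function below classifies `openssl s_client` output. The function names, the 1024-bit floor and the exact OpenSSL output lines it matches are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): classify the ephemeral key a TLS
# listener negotiates, reading `openssl s_client` output on stdin.
# Assumption: the "Server Temp Key:" line of OpenSSL 1.0.2+ (newer builds may
# print "Peer Temp Key:"), and the "dh key too small" client-side error text.

MIN_DH_BITS="${MIN_DH_BITS:-1024}"   # assumed floor; use 2048 for new setups

# Prints: weak-dh <bits|rejected-by-client> | ok-dh <bits> | not-dh <detail> | no-temp-key
classify_temp_key() {
    out=$(cat)
    # A modern OpenSSL client may abort the handshake itself on a small group.
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo "weak-dh rejected-by-client"; return 0
    fi
    line=$(printf '%s\n' "$out" | grep -E '^(Server|Peer) Temp Key:' | head -n 1)
    if [ -z "$line" ]; then
        echo "no-temp-key"           # static RSA key exchange or failed handshake
        return 0
    fi
    detail=${line#*Temp Key: }       # e.g. "DH, 768 bits"
    kind=${detail%%,*}               # e.g. "DH", "ECDH", "X25519"
    bits=$(printf '%s\n' "$detail" | sed -E 's/.*[ ,]([0-9]+) bits.*/\1/')
    if [ "$kind" != "DH" ]; then
        echo "not-dh $detail"        # elliptic-curve exchange, not finite-field DH
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "weak-dh $bits"
    else
        echo "ok-dh $bits"
    fi
}

# Live check; "host:port" is supplied by the caller (the post uses port 9081).
# -cipher 'DHE' restricts the offer to DHE suites so the DH group is exercised.
check_port() {
    openssl s_client -connect "$1" -cipher 'DHE' </dev/null 2>&1 | classify_temp_key
}

# Constructed sample of s_client output, for an offline run.
SAMPLE='---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---'
printf '%s\n' "$SAMPLE" | classify_temp_key
```

Running `check_port` before and after a configuration change shows whether the listener still offers a finite-field DH group below the floor.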