unable to access Jenkins in Firefox and Chrome after latest browser updates because of "weak ephemeral Diffie-Hellman public key"


Roger Moore

Oct 27, 2015, 1:31:51 PM
to jenkins...@googlegroups.com
Has anyone else seen a problem accessing Jenkins after Chrome was updated to v45? Chrome reports:

"This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all! 

In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy."

A similar error occurs in Firefox v39.0, which reports:

"An error occurred during a connection to 'servername:portnumber'. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)."

I can connect using IE and Safari though.

The Jenkins logs do not provide messages at the time when the attempt to connect is made.

I tried looking at the Jenkins configuration and using Google searches, but could not find where to change the setting in Jenkins to force Jenkins to use the stronger key.

Any suggestions would be appreciated.

Roger Moore

Brent Atkinson

Oct 27, 2015, 7:27:16 PM
to jenkins...@googlegroups.com

Roger Moore

Oct 28, 2015, 12:17:54 PM
to jenkins...@googlegroups.com

Thanks Brent. I had found similar discussions but not on that message list.

After reading that though, and from the other things I’ve found, it seems the correct fix is to change the setting on the Jenkins server because we already are using 1024-bit certificates.

I had found a page that discusses how to fix the issue on Jetty implementations, but the specified file did not exist (or perhaps I couldn’t find it) in Jenkins.

My real question then is what do I modify in our Jenkins implementation to get around this issue? Assuming that there is something to modify…

Daniel Beck

Oct 28, 2015, 12:24:25 PM
to jenkins...@googlegroups.com
To clarify, you're using the embedded Jetty-Winstone to run Jenkins (i.e. java -jar jenkins.war), including SSL/TLS?

Roger Moore

Oct 28, 2015, 12:50:13 PM
to jenkins...@googlegroups.com
Thanks for the reply, Daniel.

I am using the default installation/configuration of Jenkins which I understand is Jetty. But I have configured it to use https on a port that our IT department requires me to use. And, we are running on CentOS 7.

Therefore, the command that runs is (some info modified for brevity and security):

java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=-1 --httpsPort=ourportnumber --httpsKeyStore=locationOfOurKeyStore --httpsKeyStorePassword=xxx --httpsListenAddress=0.0.0.0 --ajp13Port=a_port_number --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20

I had thought the Jetty config file would be in /var/cache/Jenkins/war or in /usr/lib/jenkins/jenkins.war but I didn't see the cipher related entries in .xml files in the former and didn't want to change anything in the latter. I also looked in /var/lib/jenkins but didn't see anything that matched what I thought I was looking for there either.

Daniel Beck

Oct 28, 2015, 1:29:58 PM
to jenkins...@googlegroups.com
Could you file an improvement against the 'winstone' component in our issue tracker?

https://wiki.jenkins-ci.org/display/JENKINS/How+to+report+an+issue

wak...@comcast.net

Oct 28, 2015, 1:31:59 PM
to jenkins...@googlegroups.com
We ran into this issue with a different server application that was using SSL/TLS. Chances are you need to update the server to stop advertising weak Diffie-Hellman ciphers. The latest Firefox/Chrome browsers will see those ciphers and believe there is a client attack on the horizon. So, the browsers won't connect. If your server is Tomcat, you need to update server.xml.

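The check the browsers apply when they report a "weak ephemeral Diffie-Hellman key in Server Key Exchange", as an added example that is not code from anyone in this thread: it parses the ServerDHParams at the start of a TLS 1.2 DHE ServerKeyExchange message and flags a modulus below 1024 bits, the floor Firefox 39 and Chrome 45 began enforcing after Logjam. The two sample messages are constructed here, not captured from any server.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 0x0C  # TLS handshake type (RFC 5246, 7.4.3)
MIN_DH_BITS = 1024  # Firefox 39 / Chrome 45 refuse DHE groups below this

def parse_server_dh_params(handshake: bytes) -> dict:
    """Parse ServerDHParams at the start of a DHE ServerKeyExchange (RFC 5246
    7.4.3): 1-byte type, 3-byte length, then dh_p, dh_g, dh_Ys, each prefixed
    by a 2-byte length. The trailing signature is not needed for this check."""
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerKeyExchange body")
    fields, offset = {}, 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"missing length prefix for dh_{name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        value = body[offset:offset + length]
        if length == 0 or len(value) != length:
            raise ValueError(f"empty or truncated dh_{name}")
        fields[name] = int.from_bytes(value, "big")
        offset += length
    return fields

def dh_group_bits(handshake: bytes) -> int:
    """Bit length of the prime modulus p the server advertised."""
    return parse_server_dh_params(handshake)["p"].bit_length()

def dh_group_is_weak(handshake: bytes, minimum: int = MIN_DH_BITS) -> bool:
    """True when a post-Logjam browser would abort this handshake."""
    return dh_group_bits(handshake) < minimum

def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Assemble an unsigned ServerKeyExchange; used only to build fixtures."""
    body = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        body += struct.pack("!H", len(raw)) + raw
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

# Constructed fixtures (not real captures): a 768-bit modulus, which the
# browsers in this thread reject, and a 2048-bit one, which they accept.
WEAK_768 = build_server_key_exchange((1 << 767) | 1, 2, 0x1234)
STRONG_2048 = build_server_key_exchange((1 << 2047) | 1, 2, 0x1234)
```

Against a live server the same number is what `openssl s_client -cipher DHE ...` prints as the "Server Temp Key" size.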

Roger Moore

Oct 28, 2015, 2:15:11 PM
to jenkins...@googlegroups.com
The deed is done. It was my first submission, so please let me know if I screwed it up...

https://issues.jenkins-ci.org/browse/JENKINS-31242

Indra Gunawan (ingunawa)

Oct 29, 2015, 1:58:12 PM
to jenkins...@googlegroups.com
Hi Roger,

If you upgrade to the latest LTS this issue goes away. I see this on a very old instance of Jenkins, 1.455, that we are still running. After upgrading to v1.580.3 with SSL left as is, using the existing .keystore, I am not seeing this anymore.

-Indra


Roger Moore

Oct 29, 2015, 2:29:38 PM
to jenkins...@googlegroups.com
Hi Indra, thanks for your reply. We are currently running 1.596.

When you upgraded to 1.580.3, did that change your version of Java too?

Indra Gunawan (ingunawa)

Oct 29, 2015, 5:27:05 PM
to jenkins...@googlegroups.com
When we upgraded to 1.580.3, we simply downloaded the RHEL RPM package and installed it. We made sure to give the location of our existing .keystore, set with "JENKINS_HTTPS_KEYSTORE=" in /etc/sysconfig/jenkins. We install Oracle JDK 7 to run Jenkins. I have been using Oracle JDK 7 to run Jenkins even in older versions. I never rely on the OpenJDK or JRE that comes with RHEL.

-Indra


Roger Moore

Nov 2, 2015, 6:42:31 PM
to jenkins...@googlegroups.com
Based on what Indra said, we began thinking the problem was not with Jenkins because we are using a higher version of it than Indra.

We ran an experiment on a brand new Red Hat 7.1 server and installed Java 1.8.x and the LTS version of Jenkins. We generated self-signed certificates and tried to access Jenkins through both Chrome and Firefox and lo and behold, it worked.

Therefore, I updated the version of Java (to 1.7.0_91) on our existing server and rebooted. Afterwards, I was able to access Jenkins on that server in both Chrome and Firefox. And, fortunately, changing the Java version did not break any builds. Apparently something changed between versions of Java, or the old version was corrupt.

Thanks to all who offered assistance!