Security tools report the default SSL Ciphers are too weak


本ナレッジベースはアトラシアンの サーバー プラットフォーム向けに記載されたものです。Atlassian Cloud との機能の違いにより、本記事の内容を Atlassian Cloud アプリケーションに適用することはできません。

このページの内容は、サポート対象外のプラットフォームに関連しています。したがって、アトラシアンは、そのためのサポートの提供を保証できません 。この資料は情報提供のみを目的としているため、お客様自身の責任でご使用ください。

問題

Security and penetration tests of an Atlassian product server (or other applications using Apache Tomcat) may report that some weak SSL ciphers are enabled. Here's an example:

The weak SSL ciphers EXP-RC4-MD5, EDH-RSA-DES-CBC-SHA, EXP-EDH-RSA-DESCBC-SHA, DES-CBC-SHA, and EXP-DES-CBC-SHA were enabled

The standalone version of Tomcat has SSL Ciphers enabled that may not comply with high-security standards. Pre-existing Tomcat containers (for use with the WAR distribution) may also have these weak ciphers enabled.

ソリューション 1

The best way to solve this issue is to configure Java to use a Diffie-Hellman 2048 bit-group as documented at Logjam (CVE-2015-4000) and Atlassian Products. This workaround is available for Java version 8 and above so long as your Atlassian applications are compatible with it.

Please note Java versions before 8 cannot use a  Diffie-Hellman key size above 1024bits so make sure to upgrade all application linked products to use Java 8 before increasing the Diffie-Hellman key size above 1024bits.

ソリューション 2

Specifically set the following ciphers by adding the following code block in the SSL Connector section to:

  • $CONFLUENCE_INSTALL/conf/server.xml file in the case of Confluence.
  • $CROWD_INSTALL/ apache-tomcat/conf/server.xml file in the case of Crowd.
  • $JIRA_INSTALL/conf/server.xml file in the case of JIRA.
  • $BITBUCKETSERVER_HOME/shared/server.xml in the case of Bitbucket Server 4.x.
server.xml
useCipherSuitesOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
TLS_SRP_SHA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
TLS_SRP_SHA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"

For Bitbucket Server 5.0+, the ciphers can be controlled by adding server.ssl.ciphers in $BITBUCKET_HOME/shared/bitbucket.properties with the ciphers from above.

Note: these ciphers come from the Mozilla SSL Configuration Generator at the intermediate level converted to their respective IANA names and with DES-CBC3-SHA removed (Java doesn't support it at the current time). With the above ciphers setting old clients such as Windows XP and Java 6 will not be able to connect.


説明 Security and penetration tests of an Atlassian product server (or other applications using Apache Tomcat) may report that some weak SSL ciphers are enabled.
製品 Bitbucket
プラットフォーム サーバー (オンプレミス型)


最終更新日: 2018 年 9 月 11 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.