Security tools report the default SSL Ciphers are too weak
Platform notice: Server and Data Center only - This article applies only to Atlassian products on the Server and Data Center platforms.
The content of this page relates to an unsupported platform; therefore, Atlassian Support does not guarantee support for what is described here. This material is provided for informational purposes only. Use it at your own risk.
Problem
Security and penetration tests of an Atlassian product server (or other applications using Apache Tomcat) may report that some weak SSL ciphers are enabled. Here's an example:
The weak SSL ciphers enabled:
EXP-RC4-MD5
EDH-RSA-DES-CBC-SHA
EXP-EDH-RSA-DESCBC-SHA
DES-CBC-SHA
EXP-DES-CBC-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
The standalone version of Tomcat has SSL Ciphers enabled that may not comply with high-security standards. Pre-existing Tomcat containers (for use with the WAR distribution) may also have these weak ciphers enabled.
Solution 1
The best way to solve this issue is to configure Java to use a 2048-bit Diffie-Hellman group, as documented at Logjam (CVE-2015-4000) and Atlassian Products. This workaround is available for Java version 8 and above, so long as your Atlassian applications are compatible with it.
Please note that Java versions before 8 cannot use a Diffie-Hellman key size above 1024 bits, so make sure to upgrade all application-linked products to Java 8 before increasing the Diffie-Hellman key size above 1024 bits.
Solution 2
Specifically set the following ciphers by adding the attributes below to the SSL Connector section of the file for your product:
$CONFLUENCE_INSTALL/conf/server.xml in the case of Confluence.
$CROWD_INSTALL/apache-tomcat/conf/server.xml in the case of Crowd.
$JIRA_INSTALL/conf/server.xml in the case of JIRA.
$BITBUCKETSERVER_HOME/shared/server.xml in the case of Bitbucket Server 4.x.
useCipherSuitesOrder="true"
useServerCipherSuitesOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
For Bitbucket Server 5.0+, the ciphers can be controlled by adding server.ssl.ciphers to $BITBUCKET_HOME/shared/bitbucket.properties with the ciphers from above.
Note: these ciphers come from the Mozilla SSL Configuration Generator at the intermediate level, converted to their respective IANA names and with DES-CBC3-SHA removed (Java doesn't support it at the current time). With the above cipher setting, old clients such as Windows XP and Java 6 will not be able to connect.
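As an added example (not part of the original article and not an Atlassian tool), the following Python script audits the cipher list pinned in a Tomcat server.xml, or in a Bitbucket Server 5.0+ bitbucket.properties via server.ssl.ciphers, and reports suites a scanner would flag outright (export grade, DES/3DES, RC4, MD5, NULL, anonymous) separately from softer concerns (CBC mode, static RSA key exchange without forward secrecy), and whether server-side cipher order is enforced. The server.xml and properties snippets embedded in it are constructed sample input; the keystore path and port are placeholders, and the handling of the Tomcat 8.5+ SSLHostConfig/honorCipherOrder layout is an addition beyond what the article describes.

```python
"""Offline audit of the cipher suites pinned in a Tomcat server.xml or bitbucket.properties."""
import xml.etree.ElementTree as ET

# Name fragments (IANA-style suite names) that security scanners flag outright.
REJECT_MARKERS = {
    "_EXPORT": "export-grade key length",
    "_DES_": "single DES",
    "3DES": "triple DES",
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5 MAC",
    "_NULL": "NULL cipher or MAC",
    "_anon_": "anonymous key exchange",
}


def parse_cipher_list(value):
    """Split a comma-separated ciphers value; tolerates the line breaks seen in server.xml."""
    return [s.strip() for s in value.split(",") if s.strip()]


def classify(suites):
    """Partition suites into rejected (suite -> reason) and warned (suite -> list of concerns)."""
    rejected, warned = {}, {}
    for suite in suites:
        reason = next((r for frag, r in REJECT_MARKERS.items() if frag in suite), None)
        if reason:
            rejected[suite] = reason
            continue
        concerns = []
        if "_CBC_" in suite:
            concerns.append("CBC mode")
        if suite.startswith("TLS_RSA_WITH_"):
            concerns.append("static RSA key exchange, no forward secrecy")
        if concerns:
            warned[suite] = concerns
    return rejected, warned


def audit_connectors(server_xml):
    """Audit every SSL-enabled <Connector>; returns one result dict per connector."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true" and conn.get("scheme") != "https":
            continue
        ciphers = conn.get("ciphers")
        order = conn.get("useCipherSuitesOrder") or conn.get("useServerCipherSuitesOrder")
        host = conn.find("SSLHostConfig")  # Tomcat 8.5+ layout keeps TLS settings here (assumed)
        if ciphers is None and host is not None:
            ciphers, order = host.get("ciphers"), host.get("honorCipherOrder")
        suites = parse_cipher_list(ciphers or "")
        rejected, warned = classify(suites)
        results.append({
            "port": conn.get("port"),
            "pinned": ciphers is not None,  # False means the JVM default list is in use
            "order_enforced": (order or "").lower() == "true",
            "ciphers": suites, "rejected": rejected, "warnings": warned,
        })
    return results


def audit_properties(props_text):
    """Same check for Bitbucket Server 5.0+, which reads server.ssl.ciphers from bitbucket.properties."""
    ciphers = None
    for line in props_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == "server.ssl.ciphers":
            ciphers = val
    suites = parse_cipher_list(ciphers or "")
    rejected, warned = classify(suites)
    return {"pinned": ciphers is not None, "ciphers": suites, "rejected": rejected, "warnings": warned}


# Constructed sample input: a connector with scanner-flagged suites and no ordering.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/keystore" keystorePass="changeit"
             ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                      TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

# Constructed sample input using the article's recommended list and ordering attributes.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/keystore" keystorePass="changeit"
             useCipherSuitesOrder="true" useServerCipherSuitesOrder="true"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# Constructed sample bitbucket.properties with one single-DES suite left in.
BITBUCKET_PROPERTIES = """server.port=8443
server.ssl.enabled=true
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_DES_CBC_SHA
"""


def print_report(label, result):
    print(f"{label}: {len(result['ciphers'])} suites, pinned={result['pinned']}")
    for suite, why in result["rejected"].items():
        print(f"  REJECT  {suite}: {why}")
    for suite, why in result["warnings"].items():
        print(f"  WARN    {suite}: {'; '.join(why)}")


if __name__ == "__main__":
    for label, xml in (("weak server.xml", WEAK_SERVER_XML), ("hardened server.xml", HARDENED_SERVER_XML)):
        for r in audit_connectors(xml):
            print_report(f"{label} port {r['port']} order_enforced={r['order_enforced']}", r)
    print_report("bitbucket.properties", audit_properties(BITBUCKET_PROPERTIES))
```

Run it against a copy of your real server.xml by replacing the sample strings with the file contents. Warnings are informational: the article's own recommended list keeps several CBC and plain-RSA suites for client compatibility, so a warning there is a deliberate trade-off, whereas anything in the REJECT category will keep showing up in scanner reports until it is removed.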
Application | How to use SSL with the application |
---|---|
Jira applications | Running Jira applications over SSL or HTTPS |
Confluence | Running Confluence over SSL or HTTPS |
Bamboo | |
Bitbucket Server (formerly Stash) | Securing Bitbucket Server with SSL (terminated at Tomcat) |
FishEye / Crucible | Fisheye SSL configuration (terminated at Tomcat) |