Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

https JIRA "weak ephemeral Diffie-Hellman public key”

KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

I have read several articles that state to upgrade to java 1.8 and add 

-Djdk.tls.ephemeralDHKeySize=2048 in tomcat startup.

Some articles say JIRA 5.2.4.1 does not work with Java 1.8.. We are upgrading end of year to cloud 

Can this  issue be related to certifcates as well. We need to fix the issue before the upgrade. Any other workarounds  besides Java upgrade?

Answer
Watch
Like Be the first to like this
574 views

2 answers

1 vote
no_longer_in_sudoers_file
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 4, 2015

Have you considered putting nginx or apache in front of your JIRA instance to abstract away your SSL handling from JAVA?  This gives you a few more tools for managing these problems.

View More Comments
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

We can test that on our dev system. Thanks

Like
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

I saw this workaround. It does notdetail where exactly the line goes To workaround the problem, please add the cipher below to disable the weak Diffie-Hellman cipher. Open server.xml via $JIRA_INSTALL/conf directory. Add the following to the HTTPS connector port: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" (info) Reference for more strong cipher settings - Security tools report the default SSL Ciphers are too weak Save it and restart JIRA. https://confluence.atlassian.com/display/JIRAKB/Server+has+a+weak,+ephemeral+Diffie-Hellman+public+key

Like
Reply
0 votes
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

I'm afraid not, if you want to upgrade Java, you need to upgrade Jira.

View More Comments
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

I saw this workaround. It does notdetail where exactly the line goes To workaround the problem, please add the cipher below to disable the weak Diffie-Hellman cipher. Open server.xml via $JIRA_INSTALL/conf directory. Add the following to the HTTPS connector port: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" (info) Reference for more strong cipher settings - Security tools report the default SSL Ciphers are too weak Save it and restart JIRA. https://confluence.atlassian.com/display/JIRAKB/Server+has+a+weak,+ephemeral+Diffie-Hellman+public+key

Like
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

<Connector port="8963" maxHttpHeaderSize="8192" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" clientAuth="false" SSLEnabled="true" URIEncoding="UTF-8" keyAlias="server" keystoreFile="conf/jira.jks" keystorePass="solumina" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256, TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA, TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384, TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA, TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA, TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256, TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"

Like
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

There is already a cipher key.

Like
KP11
KP11
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 4, 2015

I was going to add it to the line? Any know issues with this workaround?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.