
Unable to access Jenkins via HTTPS when using OpenJDK


I'm struggling to run Jenkins 2.91 (RPM version) using its embedded mode on CentOS 7.2 with OpenJDK (1.8.0_65).

However, I'm getting the "ssl_error_no_cypher_overlap" error when I connect with Firefox 38.1.0 over HTTPS.

This problem does not occur when running Jenkins with Oracle JDK 1.8.0_144, only with OpenJDK.

I've tried various options such as the following, without success:

JENKINS_JAVA_OPTIONS="-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"

I came across bug 1167153, however the fix of applying jdk.tls.disabledAlgorithms=EC,ECDHE,ECDH already appears to be in place in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/security/java.security.

I've also tried using openssl to see what protocols are reported:

openssl s_client -connect localhost:8443
>>>
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256

I enabled logging using -Djavax.net.debug=ssl,handshake; however, this meant another fault was reported (ssl internal error), apparently due to a bug: NoSuchAlgorithmException: EC AlgorithmParameters not available if SSL logs are enabled.


Solution

  • I managed to resolve this by installing Bouncy Castle. It seems OpenJDK doesn't ship with an ECC provider.

    1. Download a Bouncy Castle provider from https://www.bouncycastle.org/latest_releases.html, e.g. bcprov-ext-jdk15on-158.jar

    2. Copy into /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/ext

    3. Add a provider to the end of the list in /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/security/java.security

      security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

    4. Re-enable the ECC algorithms (the line previously ended with: , EC, ECDHE, ECDH)

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

    5. Restart Jenkins.
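As an added check that is not part of the original post: a small POSIX shell script that verifies the java.security edits from steps 3 and 4 before Jenkins is restarted. It confirms that the security.provider.N list has no numbering gap (the JDK stops loading providers at the first missing index, so a provider registered after a gap is silently ignored), that BouncyCastleProvider is registered, and that jdk.tls.disabledAlgorithms no longer lists EC, ECDHE or ECDH. The two sample files it writes are constructed test data (the provider class names are abbreviated from a JDK 8 default list) and the temp paths are assumptions; to use it on a real host, call check_java_security with the path of /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/security/java.security.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the java.security
# edits in steps 3 and 4 before restarting Jenkins. The two sample files below
# are constructed test data; the provider class names are abbreviated from a
# JDK 8 java.security and the paths are assumptions.

# Join backslash-continued property lines so a multi-line value is seen whole.
join_continuations() {
  awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }
       END { if (buf != "") print buf }' "$1"
}

# Succeed only if security.provider.N indices run 1..N with no gap or duplicate.
# The JDK stops reading at the first missing index, so a provider added after a
# gap is silently ignored.
providers_contiguous() {
  join_continuations "$1" | awk -F'[.=]' '
    /^security\.provider\.[0-9]+=/ { n = $3 + 0; count++; if (seen[n]++) dup = 1; if (n > max) max = n }
    END { exit (count == 0 || dup || count != max) ? 1 : 0 }'
}

# Print the index to use for the next provider entry (highest existing + 1).
next_provider_index() {
  join_continuations "$1" | awk -F'[.=]' '
    /^security\.provider\.[0-9]+=/ { if ($3 + 0 > max) max = $3 + 0 }
    END { print max + 1 }'
}

# Succeed if BouncyCastleProvider is registered as a security.provider entry.
bc_registered() {
  join_continuations "$1" |
    grep -Eq '^security\.provider\.[0-9]+=org\.bouncycastle\.jce\.provider\.BouncyCastleProvider$'
}

# Succeed if jdk.tls.disabledAlgorithms no longer lists EC, ECDHE or ECDH.
ec_enabled() {
  line=$(join_continuations "$1" | grep -E '^jdk\.tls\.disabledAlgorithms=' | tail -n 1)
  [ -n "$line" ] || return 0   # property absent: it disables nothing
  ! printf '%s\n' "$line" | tr ',' '\n' |
      sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Eqx 'EC|ECDHE|ECDH'
}

# Run all checks on one java.security file; print findings, return 0 only if clean.
check_java_security() {
  f=$1; rc=0
  providers_contiguous "$f" || { echo "FAIL: security.provider.N numbering has a gap or duplicate in $f"; rc=1; }
  bc_registered "$f"        || { echo "FAIL: BouncyCastleProvider not registered in $f"; rc=1; }
  ec_enabled "$f"           || { echo "FAIL: jdk.tls.disabledAlgorithms still disables EC in $f"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $f (next free provider index would be $(next_provider_index "$f"))"
  return "$rc"
}

# Constructed sample files: one edited as in steps 3 and 4, one with the
# provider added after a numbering gap and EC still disabled.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GOOD=$SAMPLE_DIR/java.security.good
SAMPLE_BAD=$SAMPLE_DIR/java.security.bad
cat > "$SAMPLE_GOOD" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider
security.provider.6=com.sun.security.sasl.Provider
security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.8=sun.security.smartcardio.SunPCSC
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
EOF
cat > "$SAMPLE_BAD" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
    EC, ECDHE, ECDH
EOF

check_java_security "$SAMPLE_GOOD"
check_java_security "$SAMPLE_BAD" || true
```

The second sample shows the two ways step 3 and step 4 quietly go wrong: BouncyCastleProvider is present in the file but sits at index 10 with no index 9, so the JDK never loads it, and the EC entries survive on a backslash-continued line that a plain grep of the first line would miss. Once the real file passes, restart Jenkins and re-run the openssl s_client command from the question to inspect the negotiated cipher.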