jedduff 1 Posted July 8, 2015

My Firefox got an update to 39.0. Now, I can't connect to my remote web console (v6). I got this message:

Secure Connection Failed
An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

I use the server appliance in a VMware environment.

Phydeauxdawg 5 Posted July 8, 2015

Go to about:config and search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha. Set them both to false. ESET will definitely have to address their certificate in a future patch.

CCSE 0 Posted July 13, 2015

Hi,
For us, security.ssl3.dhe_rsa_des_ede3_sha must be false too.
Regards

Administrators Marcos 5,461 Posted July 13, 2015

This will be addressed in ERA 6.2 soon. To fix the Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Senthil 0 Posted August 10, 2015

This article might help you to solve this error: hxxp://letusexplain.blogspot.com/2015/08/solved-server-has-weak-ephemeral-diffie.html

terrum 1 Posted September 5, 2015

> This will be addressed in ERA 6.2 soon. To fix the Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Apparently this issue wasn't addressed in 6.2. I upgraded my ERA VA to 6.2 yesterday and I still couldn't use Chrome to log in because of the weak Diffie-Hellman key error. Someone was very kind to post a simple fix here, but it remains unknown why ESET didn't do it in the first place. The fix is basically one parameter added to /etc/tomcat6/server.xml; see the post for more details:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

Edited September 5, 2015 by terrum

Administrators Marcos 5,461 Posted September 6, 2015

I've deployed a fresh ERA 6.2 virtual appliance and the ciphers are listed in server.xml. I think the problem is that you've performed an upgrade, but the "ERA Component Upgrade" task doesn't update Tomcat, only ERAS and its components (agent, MDM, ERA Proxy).

terrum 1 Posted September 6, 2015

So if the "ERA Component Upgrade" task only updates select components, leaving Tomcat and perhaps other things behind, would you recommend a fresh install of a "new" ERA 6.2 VA and migrating settings and clients from the "old" one instead of doing an in-place upgrade? Where can the new ERA 6.2 VA bits be downloaded from? It seems a working link hasn't been posted anywhere yet. Thanks.
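
An added example, not part of any post in this thread and not ESET's code: a Python check that reads a Tomcat server.xml and reports, for each TLS connector, whether the ciphers attribute discussed above is present and whether any finite-field DHE suite is still enabled. The XML fragments are constructed samples, and the function names and status strings are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Cipher list quoted in the thread (ECDHE and static-RSA suites only).
THREAD_CIPHERS = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
])

# Constructed sample server.xml fragments, not copied from a real appliance.
TEMPLATE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"{extra}/>
</Service></Server>"""
UPGRADED = TEMPLATE.format(extra="")  # in-place upgrade, Tomcat config untouched
PATCHED = TEMPLATE.format(extra=' ciphers="%s"' % THREAD_CIPHERS)
MIXED = TEMPLATE.format(
    extra=' ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"')


def is_finite_field_dhe(suite):
    """True for TLS_DHE_* / SSL_DHE_* suites; ECDHE suites are not matched."""
    return suite.split("_", 1)[-1].startswith("DHE_")


def audit_server_xml(xml_text):
    """Return one finding dict per TLS-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true" and conn.get("scheme") != "https":
            continue  # plain HTTP connector, nothing to audit
        raw = conn.get("ciphers")
        suites = [s.strip() for s in raw.split(",") if s.strip()] if raw else []
        dhe = [s for s in suites if is_finite_field_dhe(s)]
        if raw is None:
            status = "no-ciphers-attribute"  # the JVM's default suite list applies
        elif dhe:
            status = "dhe-enabled"
        else:
            status = "ok"
        findings.append({"port": conn.get("port"), "status": status, "dhe": dhe})
    return findings


if __name__ == "__main__":
    for name, doc in (("upgraded", UPGRADED), ("patched", PATCHED), ("mixed", MIXED)):
        print(name, audit_server_xml(doc))
```

On a real appliance, pass the contents of /etc/tomcat6/server.xml to audit_server_xml; a "no-ciphers-attribute" result matches the upgraded-but-unpatched state described in the thread.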