jedduff, posted July 8, 2015

My Firefox got an update to 39.0. Now I can't connect to my remote web console (v6). I got this message:

Secure Connection Failed

An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I use the server appliance in a VMware environment.

Phydeauxdawg, posted July 8, 2015

Go to about:config, search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha. Set them both to false. ESET will definitely have to address their certificate in a future patch.

CCSE, posted July 13, 2015

Hi,

For us, security.ssl3.dhe_rsa_des_ede3_sha must be false too.

Regards

Marcos (Administrators), posted July 13, 2015

This will be addressed in ERA 6.2 soon. To fix the Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Senthil, posted August 10, 2015

This article might help you to solve this error: hxxp://letusexplain.blogspot.com/2015/08/solved-server-has-weak-ephemeral-diffie.html

terrum, posted September 5, 2015 (edited September 5, 2015 by terrum)

> This will be addressed in ERA 6.2 soon. To fix Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Apparently this issue wasn't addressed in 6.2. I upgraded my ERA VA to 6.2 yesterday and I still couldn't use Chrome to log in because of the weak Diffie-Hellman key error. Someone was very kind to post a simple fix here, but it remains unknown why ESET didn't do it in the first place. The fix is basically one parameter added to /etc/tomcat6/server.xml; see the post for more details:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
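
An added example, not part of any post in this thread and not ESET's code: a Python check that reads a Tomcat server.xml and reports, for each TLS connector, whether the ciphers attribute is missing or still lists finite-field DHE suites, the kind the browser error refers to. The sample XML, its ports and the function names are constructed for illustration, and it is an assumption that a connector without a ciphers attribute falls back to the JVM's default suites.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real appliance config: a plain HTTP connector,
# a TLS connector with no ciphers attribute, one ECDHE/RSA-only list, and
# one list that still contains a finite-field DHE suite.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="10443" SSLEnabled="true" scheme="https" secure="true"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""


def is_finite_field_dhe(suite):
    """True for TLS_DHE_* / SSL_DHE_* suite names; ECDHE names do not match."""
    parts = suite.upper().split("_")
    return len(parts) > 1 and parts[1] == "DHE"


def audit_connectors(xml_text):
    """Return {port: finding} for every TLS-enabled <Connector> element."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # Assumption: with no explicit list, the JVM defaults are offered.
            findings[port] = "no ciphers attribute: JVM default suites apply"
            continue
        dhe = [s.strip() for s in ciphers.split(",") if is_finite_field_dhe(s.strip())]
        findings[port] = "DHE suites enabled: " + ",".join(dhe) if dhe else "ok"
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, finding)
```

To check a real file, pass its contents to `audit_connectors`, for example the text of /etc/tomcat6/server.xml mentioned above.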

Marcos (Administrators), posted September 6, 2015

I've deployed a fresh ERA 6.2 virtual appliance and the ciphers are listed in server.xml. I think the problem is that you've performed an upgrade, but the "ERA Component Upgrade" task doesn't update Tomcat, only ERAS and its components (agent, MDM, ERA Proxy).

terrum, posted September 6, 2015

So if the "ERA Component Upgrade" task only updates select components, leaving Tomcat and perhaps other things behind, would you recommend a fresh install of a "new" ERA 6.2 VA and migrating settings and clients from the "old" one instead of doing an in-place upgrade? Where can the new ERA 6.2 VA bits be downloaded from? It seems a working link hasn't been posted anywhere yet. Thanks.