Jump to content

Since Firefox 39 : SSL received a weak ephemeral Diffie-Hellman key. (Error code: ssl_error_weak_server_ephemeral_dh_key)


Recommended Posts

My firefox got an update to 39.0

 

Now, I can't connect to my remote web console (v6). I got this message :

 

 

Secure Connection Failed

An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

 

I use the server appliance in a vmware environment.

Link to post
Share on other sites

Go to about:config

search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha

Set them both to false.

ESET will definitely have to address their certificate in a future patch.

Link to post
Share on other sites
  • Administrators

This will be addressed in ERA 6.2 soon. To fix Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Link to post
Share on other sites
  • 4 weeks later...
  • 4 weeks later...

This will be addressed in ERA 6.2 soon. To fix Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Apparently this issue wasn't addressed in 6.2 - I upgraded my ERA VA to 6.2 yesterday and I still couldn't use Chrome to login because of the weak Diffie-Hellman key error. Someone was very kind to post is a simple fix here, but it remains unknown why ESET didn't do it in the first place.

 

The fix is basically one parameter added to the /etc/tomcat6/server.xml, see the post for more details:

 

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
Edited by terrum
Link to post
Share on other sites
  • Administrators

I've deployed a fresh ERA 6.2 virtual appliance and the ciphers are listed in server.xml. I think the problem is that you've performed upgrade but the "ERA Component Upgrade" task doesn't update Tomcat, only ERAS and its components (agent, MDM, ERA Proxy).

Link to post
Share on other sites

So if the "ERA Component Upgrade" task only updates select components, leaving Tomcat and perhaps other things behind, would you recommend a fresh install of a "new" ERA 6.2 VA and migrating settings and clients from the "old" instead of doing in-place upgrade?

 

Where from the new ERA 6.2 VA bits can be downloaded? It seems a working link hasn't been posted anywhere yet.

 

Thanks.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...