Archived

This topic is now archived and is closed to further replies.

jedduff

Since Firefox 39: SSL received a weak ephemeral Diffie-Hellman key. (Error code: ssl_error_weak_server_ephemeral_dh_key)

My Firefox got an update to 39.0

Now, I can't connect to my remote web console (v6). I got this message:

Secure Connection Failed

An error occurred during a connection to consoleeset.soges-tech.ca:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

 

I use the server appliance in a vmware environment.


Go to about:config

search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha

Set them both to false.

ESET will definitely have to address their certificate in a future patch.


Hi,

 

For us, security.ssl3.dhe_rsa_des_ede3_sha must be false too.

 

Regards


This will be addressed in ERA 6.2 soon. To fix the Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.


This will be addressed in ERA 6.2 soon. To fix the Logjam vulnerability, you'll need to update OpenSSL and possibly Java too. This can be accomplished via the Update operating system task.

Apparently this issue wasn't addressed in 6.2 - I upgraded my ERA VA to 6.2 yesterday and I still couldn't use Chrome to log in because of the weak Diffie-Hellman key error. Someone was very kind to post a simple fix here, but it remains unknown why ESET didn't do it in the first place.

The fix is basically one parameter added to /etc/tomcat6/server.xml; see the post for more details:

 

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"


I've deployed a fresh ERA 6.2 virtual appliance and the ciphers are listed in server.xml. I think the problem is that you've performed an upgrade but the "ERA Component Upgrade" task doesn't update Tomcat, only ERAS and its components (agent, MDM, ERA Proxy).


So if the "ERA Component Upgrade" task only updates select components, leaving Tomcat and perhaps other things behind, would you recommend a fresh install of a "new" ERA 6.2 VA and migrating settings and clients from the "old" instead of doing an in-place upgrade?

Where can the new ERA 6.2 VA bits be downloaded from? It seems a working link hasn't been posted anywhere yet.

 

Thanks.

