WHD SSL - firefox complains about ephemeral_dh_key

it's a bug. there's a hotfix available (WHD-v12.3.0-HotFix3-WHD-703). basically you replace a few files then change DHE key exchanges to their elliptic curve variants. another option is to simply route your connection to WHD thru a reverse proxy.

I am using 12.1 and getting the same error.  My maintenance term expired, is my software now broken permanently?

Take a look at this article. https://amoreopensource.wordpress.com/2014/07/21/securing-web-help-desk/

We had to update our Ciphers in order for Firefox to work correctly again. Sounds like you are using a workaround that may introduce vulnerabilities.

Chrome worked for awhile, now all of a sudden Chrome will not launch WHD at all!

I haven't googled a workaround for Chrome yet, but let me check the article you posted.  Thanks shift4corp.

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Ok just changing the ciphers line in C:\Program Files (x86)\WebHelpDesk\conf\tomcat_server_template.xml and restarting the service seemed to fix it.  Chrome and firefox load the web help desk without balking at it.

Out of the box the line read:

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

changed both instances of the ciphers= with top this instead.

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"

I did not know about upgrading tomcat because I'm not sure which version to download.  7.0.64 is on the site now but I would guess its 32-bit because it resides in C:\Program Files (x86), but then again its running on Server 2012 R2 which is 64-bit by nature.  Also I'm not sure what you mean about permissions with root as its a windows system not linux.  I'd like to update it but I'm just unclear on the version, permissions and then what to do with Java, if anything at all.

This is what Solarwinds recommends.

I believe these instructions first showed up in the readme file for 12.3 hotfix 2, and are also in hotfix 3

Reconfigure your Apache Tomcat server template file.

       WARNING: SolarWinds recommends that you configure your Tomcat server
       template file as instructed. Any additional modifications to the file may
       result in system performance issues or errors.

           a. On your Web Help Desk server, navigate to the following directory:
             
              <WebHelpDesk>/conf
 
           b. In the /conf directory, open the following file in a text editor:

              tomcat_server_template.xml

           c. In the file, locate and replace all "_DHE_" substrings with the
              following substring:

              _ECDHE_
        
           d. Save and close the file.

Ok between the ciphers above, and I checked, its running Tomcat version 7.0.59, so no upgrade was necessary to be able to change the protocol="HTTP/1.1" to"org.apache.coyote.http11.Http11NioProtocol".

The site is internal only so I can't double check with SSL Labs, but running sslyze shows TLS enabled with decent ciphers and no regeneration offered.  It should in theory get at least an A- unless I turn off TLS 1.0 and 1.1 and leave it only TLS 1.2.  But its good enough for internal security now and third party browsers are showing secure connection with no issues anymore.