7 Replies Latest reply on Sep 8, 2015 11:29 AM by kjstech

    WHD SSL - firefox complains about ephemeral_dh_key

    kjstech

      Hello, I used Portecle and generated a keypair, imported our domain root cert and also submitted a cert request through our internal domain CA.  I got the certificate back fine and it works great in Chrome / IE / Edge.  Those browsers all show secured and nothing wrong with the cert.  It's SHA256 and showing connection with the server at TLS 1.2.

       

      However if I use Firefox ESR 38.2.1 I get this strange message:

      error ssl_error_weak_server_ephemeral_dh_key

       

      Found this:

       

      https://support.mozilla.org/en-US/questions/1067995

       

      The way around it was in Firefox about:config:

      search for security.ssl3.dhe_rsa_aes and change both the 128 and 256 to false.

      Now it works fine in Firefox.

       

      However it sounds like this could be a legitimate vulnerability according to this site: https://weakdh.org/

       

      Do you think there is an alternate way to perform the certificate update in Portecle to avoid this?

        • Re: WHD SSL - firefox complains about ephemeral_dh_key
          daniel.farrelly

          It's a bug. There's a hotfix available (WHD-v12.3.0-HotFix3-WHD-703). Basically you replace a few files then change DHE key exchanges to their elliptic curve variants. Another option is to simply route your connection to WHD through a reverse proxy.

          • Re: WHD SSL - firefox complains about ephemeral_dh_key
            shift4corp

            Take a look at this article. https://amoreopensource.wordpress.com/2014/07/21/securing-web-help-desk/

             

            We had to update our Ciphers in order for Firefox to work correctly again. Sounds like you are using a workaround that may introduce vulnerabilities.

              • Re: WHD SSL - firefox complains about ephemeral_dh_key
                kjstech

                OK, just changing the ciphers line in C:\Program Files (x86)\WebHelpDesk\conf\tomcat_server_template.xml and restarting the service seemed to fix it.  Chrome and Firefox load the web help desk without balking at it.

                 

                Out of the box the line read:

                 

                ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

                 

                I changed both instances of the ciphers= line to this instead:

                ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"

                 

                I did not know about upgrading Tomcat because I'm not sure which version to download.  7.0.64 is on the site now but I would guess it's 32-bit because it resides in C:\Program Files (x86), but then again it's running on Server 2012 R2 which is 64-bit by nature.  Also I'm not sure what you mean about permissions with root as it's a Windows system, not Linux.  I'd like to update it but I'm just unclear on the version, permissions and then what to do with Java, if anything at all.

              • Re: WHD SSL - firefox complains about ephemeral_dh_key
                kjstech

                Chrome worked for a while, now all of a sudden Chrome will not launch WHD at all!

                I haven't googled a workaround for Chrome yet, but let me check the article you posted.  Thanks shift4corp.

                 

                ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY



                  • Re: WHD SSL - firefox complains about ephemeral_dh_key
                    typhoon87

                    This is what SolarWinds recommends.

                     

                    I believe these instructions first showed up in the readme file for 12.3 hotfix 2, and are also in hotfix 3.

                     

                    Reconfigure your Apache™ Tomcat™ server template file.

                           WARNING: SolarWinds recommends that you configure your Tomcat server
                           template file as instructed. Any additional modifications to the file may
                           result in system performance issues or errors.

                               a. On your Web Help Desk server, navigate to the following directory:
                                 
                                  <WebHelpDesk>/conf
                     
                               b. In the /conf directory, open the following file in a text editor:

                                  tomcat_server_template.xml

                               c. In the file, locate and replace all "_DHE_" substrings with the
                                  following substring:

                                  _ECDHE_
                            
                               d. Save and close the file.
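
Added example, not part of the thread or of the SolarWinds readme: a small audit of the `ciphers=` attribute that shows what the `_DHE_` to `_ECDHE_` replacement does to the stock line quoted earlier in the thread, including the `DHE_DSS` entries, which turn into names that no TLS cipher suite is defined for. The function names and the shortened sample connector are assumptions, as is the template parsing as plain XML.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the stock ciphers line quoted in the thread
# (shortened; the port and other attributes are assumptions).
SAMPLE_TEMPLATE = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>"""

SUITE_RE = re.compile(r"^TLS_(?:(ECDHE|ECDH|DHE|DH)_)?(RSA|DSS|ECDSA)_WITH_(.+)$")

def flags(suite):
    """Return the list of concerns for one cipher suite name (empty = none)."""
    m = SUITE_RE.match(suite)
    if not m:
        return ["unrecognized"]
    kx, auth, bulk = m.groups()
    if kx in ("ECDHE", "ECDH") and auth == "DSS":
        return ["undefined-suite"]          # no EC key exchange is defined with DSS auth
    found = []
    if kx == "DHE":
        found.append("dhe")                 # the key exchange the browsers rejected
    if kx in (None, "ECDH", "DH"):
        found.append("no-forward-secrecy")  # static RSA or static (EC)DH
    if "3DES" in bulk:
        found.append("3des")
    return found

def audit(template_xml):
    """Map every suite on every <Connector ciphers=...> to its flags."""
    report = {}
    for conn in ET.fromstring(template_xml).iter("Connector"):
        for name in conn.get("ciphers", "").split(","):
            name = name.strip()             # the stock line has a stray space
            if name:
                report[name] = flags(name)
    return report

def after_blind_replace(template_xml):
    """Audit the file as it would look after the _DHE_ -> _ECDHE_ edit."""
    return audit(template_xml.replace("_DHE_", "_ECDHE_"))

if __name__ == "__main__":
    for title, rep in (("before", audit(SAMPLE_TEMPLATE)),
                       ("after", after_blind_replace(SAMPLE_TEMPLATE))):
        print(title)
        for suite, f in rep.items():
            print(f"  {suite}: {', '.join(f) or 'ok'}")
```

Run against the longer replacement list posted earlier in the thread, the same check flags its `TLS_ECDH_*` (static ECDH) and `3DES` entries.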

                      • Re: WHD SSL - firefox complains about ephemeral_dh_key
                        kjstech

                        OK, between the ciphers above, and I checked, it's running Tomcat version 7.0.59, so no upgrade was necessary to be able to change the protocol="HTTP/1.1" to "org.apache.coyote.http11.Http11NioProtocol".

                         

                        The site is internal only so I can't double check with SSL Labs, but running sslyze shows TLS enabled with decent ciphers and no regeneration offered.  It should in theory get at least an A- unless I turn off TLS 1.0 and 1.1 and leave it only TLS 1.2.  But it's good enough for internal security now and third party browsers are showing secure connection with no issues anymore.
