Server has a weak ephemeral Diffie-Hellman public key

Document ID : KB000089694
Last Modified Date : 14/04/2018
Show Technical Document Details
Issue:
Server has a weak ephemeral Diffie-Hellman public key
Resolution:

Symptoms

Upgrade Google Chrome to update v45 and when trying to access the ECC it shows the message: Server has a weak ephemeral Diffie-Hellman public key


Cause

Google and other browser have updated their browser to block site that are using cipher that are susceptible to being exploited.

https://weakdh.org/


Resolution

There are two work around available A) this will need to be apply to the browser or B) which need to be apply to the Tomcat server itself:

A)
1. Go to browser short cut 
2. Right click and Go to properties 
3. Go to Short cut tab 
4. Go to Target textbox, in this you will find your chrome full path , add above string at the end of path. and it will look like 
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013 
5. Apply and close it. 

B) 
On the Tomcat system (in the Tomcat\config folder there is a Server.xml file), modify it and add in the cipher listed at: https://weakdh.org/sysadmin.html

Example of how it should look can be found here: 
https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/ 
http://stackoverflow.com/questions/30931692/diffie-hellman-public-key-error-with-tomcat-7 

Along with that; all Automic communications between components are encrypted (AutomationEngine, Database, Agents, etc) using AES-256bit encryption by default. As such, with the (https://weakdh.org/sysadmin.html) site, it noted that for the tomcat cipher to work with AES -256 bit and it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files from Oracle. 

If you want to use a different encryption level (128 or 192) it can be adjusted in the UC_AS_SETTINGS: http://docs.automic.com/documentation/AE/10.0/english/AE_WEBHELP/help.htm#ucacoz.htm?Highlight=AES-128