Weak ephemeral error seen when logging into Spectrum OneClick using Firefox 39.0 or Chrome v.45

Document ID : KB000056922
Last Modified Date : 14/02/2018

ISSUE:

When using Firefox 39.0 (or greater) or Chrome v.45 (or greater) to log into OneClick where SSL has been enabled, the following error is seen:

An error occurred during a connection to <spectrum server ip>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key) 

 

CAUSE:

Firefox 39.0 (or greater) and Chrome v.45 (or greater) include tighter security checks and return an error when a connection attempts to use the weaker Diffie-Hellman ciphers affected by the Logjam vulnerability.

 

RESOLUTION:

The following will resolve the issue:

  1. Log into the OneClick system as the user that owns the OneClick installation
  2. Make a backup copy of the existing $SPECROOT/tomcat/conf/server.xml file
  3. Edit the existing $SPECROOT/tomcat/conf/server.xml file
  4. Find the "ciphers" parameter and remove the following entries:

       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  5. Save the changes.
  6. Restart Spectrum tomcat.
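
Steps 2 to 5 can be scripted. The following is an added example, not part of the original article or the product: it writes a .bak copy of server.xml, removes the four listed suites from every ciphers="..." attribute, and (going beyond the steps above) lists any other `_DHE_` suites still configured so they can be reviewed. The sample Connector and all function names are constructed for illustration, and the attribute value is assumed to be double-quoted.

```python
import re
import shutil
from pathlib import Path

# The four suites the article lists for removal.
WEAK_DHE = {
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}
# Assumes the attribute value is double-quoted; it may span several lines.
CIPHERS_ATTR = re.compile(r'(\bciphers\s*=\s*")([^"]*)(")')

# Constructed sample Connector, not copied from a real Spectrum install.
SAMPLE = '''<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
             SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" />'''

def split_suites(value):
    """Split a comma-separated ciphers value, tolerating spaces and newlines."""
    return [s.strip() for s in value.split(",") if s.strip()]

def strip_weak_dhe(xml_text):
    """Drop WEAK_DHE from every ciphers="..." value; return (new_text, removed)."""
    removed = []
    def rewrite(m):
        suites = split_suites(m.group(2))
        kept = [s for s in suites if s not in WEAK_DHE]
        removed.extend(s for s in suites if s in WEAK_DHE)
        if not kept:  # refuse to write an empty cipher list
            raise ValueError("no cipher suites would remain")
        return m.group(1) + ",".join(kept) + m.group(3)
    return CIPHERS_ATTR.sub(rewrite, xml_text), removed

def remaining_dhe(xml_text):
    """Other finite-field DHE suites still configured (ECDHE is not matched)."""
    return [s for m in CIPHERS_ATTR.finditer(xml_text)
            for s in split_suites(m.group(2)) if "_DHE_" in s]

def patch_file(path):
    """Steps 2-5: back up server.xml, rewrite it in place, report the result."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, removed = strip_weak_dhe(p.read_text())
    p.write_text(new_text)
    return removed, remaining_dhe(new_text)
```

Run `patch_file` as the user that owns the OneClick installation, against a path such as $SPECROOT/tomcat/conf/server.xml, then restart Spectrum tomcat as in step 6.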