At the company where I work, we have a GF 3.1.1 (JDK 6) server with CAS, which does the authentication of the users in another system. After the last update of Firefox (v. 39x) we are getting the following information from the browser:
mydomain.com SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
And it is not possible to access the site without this workaround or using another browser. In Chrome I can access it normally, but if I look at the connection properties it says:
Your connection is encrypted with obsolete cryptography.
The connection uses TLS 1.0.
The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
I can't configure all the browsers of our customers or tell them to only use Chrome. Maybe in the future Chrome will do the same. So my solution is to configure the server properly. The problem is that I don't know how to do that.
I found where I can do the configuration in GF: Configurations > server-config > Network Config > Protocols > http-listener-2 > SSL
Then I found here a blacklist and a whitelist of some ciphers that are recommended to use. I tried to remove all those in the blacklist and add all those in the whitelist. But I still have the issue. I think this list may be out of date.
I appreciate any help.
Finally, I found a solution. I searched a lot and I could find a solution, so I tried to test the ciphers one by one. So, to make it work (I am not saying that this is the right way), I had to do this:
At:
Configurations > server-config > Network Config > Protocols > http-listener-2 > SSL
After that, our application can be opened in any browser again. I hope it may help someone.
For admin:
Configurations > server-config > Service HTTP > Listeners HTTP > admin-listener > SSL
Edit: Comparing with the whitelist here, the remaining ciphers that would be part of a new whitelist are:
Whitelist
I just encountered this problem as well with Chrome and the admin console. The way I got around it was to delete the current SSL certificate for the listener and recreate it using a specific set of ciphers with the --ssl3tlsciphers option. For me it was the admin-listener, so first I deleted the current default certificate:
asadmin delete-ssl --type http-listener admin-listener
Then I recreated it using the following command:
asadmin create-ssl --type http-listener --certname s1as --ssl3tlsciphers SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA admin-listener
I noticed that simply deleting the default certificate doesn't remove all references to it in the domain.xml file. I haven't been able to find the proper way to do this. I just used trial and error. Another method is to modify the domain.xml file where the ssl element for the listener is defined and add the attribute "ssl3-tls-ciphers":
<ssl ssl3-tls-ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
Both methods require a restart of GlassFish.
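An added example (not code from either answer or from GlassFish): a Python check that reads the ssl3-tls-ciphers attribute in the form shown above and reports, per suite, the property that makes it weak, including the DHE key exchange the browsers in the question complained about. The sample XML is constructed, and the names `classify` and `audit` are introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an <ssl> element in the form shown in the answer above,
# with a shortened cipher list plus one DHE suite added for illustration.
SAMPLE_DOMAIN_XML = """
<protocol name="admin-listener">
  <ssl ssl3-tls-ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
       classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
</protocol>
"""

def classify(suite):
    """Return the reasons a JSSE cipher suite name is weak (empty list = none found)."""
    if "_WITH_" not in suite:  # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV, a signalling value
        return []
    # Name layout: <SSL|TLS>_<key exchange>_WITH_<cipher>_<MAC>
    kx, cipher = suite.split("_", 1)[1].split("_WITH_", 1)
    parts = cipher.split("_")
    reasons = []
    if kx.startswith("DHE"):
        reasons.append("ephemeral DH (key size depends on the JDK)")
    if "anon" in kx:
        reasons.append("no server authentication")
    if "EXPORT" in kx:
        reasons.append("export-grade key exchange")
    if "NULL" in parts:
        reasons.append("no encryption")
    if "RC4" in parts:
        reasons.append("RC4")
    if "DES" in parts or "DES40" in parts:
        reasons.append("single DES")
    if "3DES" in parts:
        reasons.append("3DES (64-bit block)")
    if parts[-1] == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def audit(xml_text):
    """Map each suite on every <ssl> element that sets ssl3-tls-ciphers to its findings."""
    report = {}
    for ssl in ET.fromstring(xml_text).iter("ssl"):
        for suite in ssl.get("ssl3-tls-ciphers", "").split(","):
            if suite.strip():
                report[suite.strip()] = classify(suite.strip())
    return report

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_DOMAIN_XML).items():
        print(f"{'WEAK' if reasons else 'ok  '} {suite}: {', '.join(reasons)}")
```

A list with no DHE suites avoids the weak ephemeral Diffie-Hellman handshake error, but anon, NULL, EXPORT, RC4 and DES entries are still reported and are worth removing from the listener as well.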