Err_ssl_weak_server_ephemeral_dh_key

I have a website and recently Chrome started returning this error when trying to access it:

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

It's a Java+JSP website and it runs on Apache Tomcat. It also uses Verisign certification, but I've read that the error is not related to this certificate.

Thanks for any help.


I fixed it following this: http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/277/0/workaround-for-tomcat-ssl-tls-logjam-vulnerability

To sum up, I edited server.xml.

On the connector protocol, I changed the property

Protocol="TLS"

for

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

and added the property

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
answered Nov 12 '15 at 11:34
Kal
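A check one could run over the connector after this change, as an added example that is not part of the original answer: it parses a constructed server.xml fragment carrying the cipher list quoted above and reports, per suite, whether it uses finite-field DHE (the key exchange the Chrome error is about), a static key exchange, or RC4. The port, the other Connector attributes and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the ciphers value is the list quoted in the
# answer above; the port and the other Connector attributes are assumptions.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""


def classify(suite):
    """Return findings for one JSSE suite name, e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA."""
    if "_WITH_" not in suite:
        return ["unrecognised suite name"]
    kx, _, cipher = suite.partition("_WITH_")
    kx = kx.split("_", 1)[-1]  # drop the TLS_/SSL_ prefix, leaving e.g. ECDHE_RSA
    findings = []
    if kx.startswith("DHE_"):
        findings.append("DHE: depends on the size of the server's ephemeral DH key")
    elif not kx.startswith("ECDHE_"):
        findings.append("static key exchange: no forward secrecy")
    if cipher.startswith("RC4_"):
        findings.append("RC4: prohibited in TLS by RFC 7465")
    return findings


def audit(xml_text):
    """Map every suite on every Connector that sets ciphers= to its findings."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        for suite in conn.get("ciphers", "").split(","):
            if suite.strip():
                report[suite.strip()] = classify(suite.strip())
    return report


if __name__ == "__main__":
    for suite, findings in audit(SERVER_XML).items():
        print(suite, "->", "; ".join(findings) or "ok")
```

On this list no suite is reported as DHE, so the server never sends an ephemeral DH key for the browser to reject; the RC4 and static RSA entries are reported separately.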
Your VPS is using weak Diffie-Hellman keys and might thus be affected by the Logjam attack. Because of this attack more and more browsers and TLS stacks increase their minimum length of the DH key to 768 or 1024 bit. Probably the OpenSSL version you are using in your system uses a 512 bit DH key by default, which is too small. You need to fix this by explicitly setting a larger DH key in your server configuration. How this is done depends on the system, see Guide to Deploying Diffie-Hellman for TLS for details.


answered Jul 10 '15 at 6:18
Steffen Ullrich
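What the browser is measuring, as an added example that is not part of the original answer: in a DHE handshake the server sends its prime dh_p in the ServerKeyExchange message, and the code below reads that field and compares its bit length with a minimum (1024 by default, one of the two values named above). The sample messages are constructed with filler bytes rather than real primes, a DHE suite is assumed to have been negotiated, and the function names are this example's own.

```python
import struct

SERVER_KEY_EXCHANGE = 0x0C  # TLS handshake message type


def dh_prime_bits(handshake: bytes) -> int:
    """Return the bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    fields, pos = [], 0
    # ServerDHParams: dh_p, dh_g, dh_Ys, each a 2-byte length + big-endian integer
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if pos + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        (n,) = struct.unpack_from("!H", body, pos)
        value = body[pos + 2:pos + 2 + n]
        if n == 0 or len(value) != n:
            raise ValueError(f"bad length for {name}")
        fields.append(value)
        pos += 2 + n
    return int.from_bytes(fields[0], "big").bit_length()


def verdict(bits: int, minimum: int = 1024) -> str:
    """Classify a DH prime size against the client's minimum."""
    return "ok" if bits >= minimum else "weak"


def build_sample(prime_bytes: int) -> bytes:
    """Constructed ServerKeyExchange with a filler 'prime' (not a real prime)."""
    p = b"\xff" * prime_bytes   # top bit set, so bit length == 8 * prime_bytes
    g = b"\x02"
    ys = b"\x01" * prime_bytes
    sig = b"\x00" * 8           # placeholder for the trailing signature, not parsed
    body = b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys)) + sig
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (64, 96, 128, 256):
        bits = dh_prime_bits(build_sample(size))
        print(bits, "bit DH prime ->", verdict(bits))
```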
If you have a support contract with Oracle, you can download the latest version of Java 6/7 which raises the DHE encryption to 1024-bit in JSSE.



answered Sep 11 '15 at 5:24
Yuhong Bao
There is a workaround (warning: this creates a security vulnerability!)

Use this parameter launching chrome:

--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Parameters explanation:

0x0088 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0x0087 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0x0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0x0044 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
0x0045 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0x0066 TLS_DHE_DSS_WITH_RC4_128_SHA
0x0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0x0013 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Sources:

learncisco.net

productforums.google.com

weakdh.org

chromium.googlesource.com/.../sslproto.h


edited Oct 19 '15 at 10:05
answered Oct 19 '15 at 9:39
Paweł Prażak
I was able to fix this problem by setting the system property jdk.tls.ephemeralDHKeySize to 1024 (or 2048).


answered Nov 3 '15 at 19:28
Tom Hennen
