Fix ssl_error_weak_server_ephemeral_dh_key Firefox

From Firefox 39 onward, users may encounter ssl_error_weak_server_ephemeral_dh_key when connecting over HTTPS. This post shows how to fix ssl_error_weak_server_ephemeral_dh_key on the Tomcat server, or how a user can ignore it in Firefox.

  1. Fix ssl_error_weak_server_ephemeral_dh_key from tomcat server

    Tomcat has several weak ciphers enabled by default. The error means Firefox received a weak ephemeral Diffie-Hellman key in the Server Key Exchange handshake message. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and the weak ciphers by following these instructions. Open your server.xml file and add the following attributes to your SSL connector:

    <!-- Connector attribute names are case-sensitive: maxHttpHeaderSize,
         enableLookups and disableUploadTimeout must be written exactly like this -->
    <Connector port="443" maxHttpHeaderSize="8192" address="127.0.0.1"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" clientAuth="false" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
               TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
               TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
               keystoreFile="mydomain.key" keystorePass="changeit"
               truststoreFile="mytruststore.truststore" truststorePass="changeit" />
    <!-- The ciphers list contains no DHE_RSA suites, so Tomcat never sends a DH
         Server Key Exchange and Firefox cannot see a weak DH key. The two RC4 suites
         are kept from the original list, but RC4 is itself considered weak and can
         be dropped as well -->
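    To confirm that a server no longer hands out a weak DH parameter after the change, here is an added check (not part of the original post) that classifies the ephemeral key `openssl s_client` reports; the host/port and the presence of openssl on PATH are assumptions, and the sample output lines used in the comments are constructed.

```shell
# openssl s_client prints the ephemeral key it received from the server, e.g.
#   Server Temp Key: DH, 512 bits          (constructed sample: Firefox 39+ rejects this)
#   Server Temp Key: ECDH, P-256, 256 bits (constructed sample: not affected)
# Firefox 39+ refuses DHE keys shorter than 1024 bits, which is what produces
# ssl_error_weak_server_ephemeral_dh_key.

# classify_temp_key: reads s_client output on stdin and prints one of
#   weak-dh       DH key below 1024 bits: Firefox shows the error
#   ok-dh         DH key of 1024 bits or more (2048+ is the sane minimum today)
#   ecdh          ECDHE/X25519 key exchange: not affected by this error
#   no-ephemeral  no ephemeral key seen: plain RSA key exchange, or the
#                 handshake failed (check the exit status of s_client)
classify_temp_key() {
  line=$(sed -n '/^Server Temp Key:/{p;q;}')
  case "$line" in
    "")
      echo no-ephemeral ;;
    *"Key: DH,"*)
      bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9]*\) bits.*/\1/p')
      if [ "${bits:-0}" -lt 1024 ]; then echo weak-dh; else echo ok-dh; fi ;;
    *)
      echo ecdh ;;
  esac
}

# probe_dhe HOST PORT: connect to a live server, forcing a DHE suite so the DH
# parameter is exposed. If the server offers no DHE suite at all (as with the
# Tomcat cipher list above) the handshake fails and the result is no-ephemeral.
probe_dhe() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" -cipher 'DHE' 2>/dev/null \
    | classify_temp_key
}
```

    Run `probe_dhe mydomain.example 443` against the Tomcat host; anything other than weak-dh means Firefox will not raise this error for that server.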
    
  2. Fix ssl_error_weak_server_ephemeral_dh_key by ignoring it in Firefox

    • Open Firefox and go to the URL about:config
    • Accept the "This might void your warranty!" warning by clicking the "I'll be careful, I promise!" button
    • In the search field, enter security.ssl3.dhe_rsa_aes
    • Double-click each result (the 128 SHA and 256 SHA entries) to change its Value to false, so Firefox no longer offers the DHE_RSA cipher suites

  3. Useful resources

    The Logjam Attack

    SSL/TLS, ciphers, perfect forward secrecy and Tomcat
