Server has a weak ephemeral Diffie-Hellman public key. How to by-pass it?

Question

While I'm trying to visit a specific website (that one: https://login.uj.edu.pl) I'm getting ERR_INVALID_ARGUMENT error. Here is the problem: "Server has a weak ephemeral Diffie-Hellman public key". More about the issue there: https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic

I know that it should be fixed by a webmaster but until it happens I have to access the page every day anyway. I found an extension to Firefox to avoid this error: https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

Now i want to get rid of the error in Google Chrome (well, Chromium actually). Is there any possibility to make it work? It's my university's page and it can take years for the site administrator to fix that secure connection issue.

What's strange the problem occurs in Linux only, in all the browsers. In Windows, Chrome-OS or Android there is nothing wrong. I know that using insecure connection is wrong but in that case I have no choice.

EDIT: I cannot accept any solution because the site I was trying to access changed its encryption to the right one. Now I can't test your solutions because the problem is already solved by site admins.

This question is off-topic here, but well suited for the browser-ninjas at http://superuser.com — nealmcb, Jul 10 '15 at 13:38

score 21 · Answer 1 · edited Sep 18 '15 at 15:08

21

The solution is:

Type in your browser (I tried in Iceweasel)

    about:config

Search for

    security.ssl3.dhe_rsa_aes_128_sha 

    security.ssl3.dhe_rsa_aes_256_sha

Set them both to false (just double click to set them to false or true).

That's it!

edited Sep 18 '15 at 15:08

ivanhoe

111
1
7

answered Jul 20 '15 at 20:14

S4nD3r

339
1
6

5

This works only in Firefox. In chrome it says, "the web page is not available" – Farrukh Chishti Sep 10 '15 at 06:41
1

@QualtarDemix Check http://stackoverflow.com/a/32486388/1672655 for Chrome/Firefox fix. – vasa Oct 20 '15 at 05:02
On trying that solution I am getting an error: 'open' is not recognized as an internal or external command, operable program or batch file. – Farrukh Chishti Nov 04 '15 at 06:48

Duccio Fabbri · Answer 2 · 2015-09-07T22:36:41.570

11

This solution worked for me:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

The recent release (Sep. 1) to Chrome 45 contains the fix for the Logjam attack as detailed in https://weakdh.org but it introduce this kind of problem.

I found it in this post

edited Sep 07 '15 at 22:36

answered Sep 07 '15 at 15:20

Duccio Fabbri

998
1
10
21

This works fine , but on restart problem arises again. Is there a permanent fix too – Count Sep 09 '15 at 06:33
1

I right-clicked on the Chrome icon and chose Properties. In the Target field, append this: --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013 – samwyse Oct 21 '15 at 16:28

score 4 · Answer 3 · answered Sep 09 '15 at 18:02

Quick hack to get around this issue (Mac OSX)

Run this in commandline to workaround the issue while launching Chrome

Chrome:

open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Canary:

open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

For Firefox

Go to about:config
Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
Set them both to false.

NOTE: Permanently fix would be to update the DH key with a length > 1024

Getting error:'open' is not recognized as an internal or external command, operable program or batch file. — Farrukh Chishti, Nov 04 '15 at 06:47

score 1 · Answer 4 · answered Jun 19 '15 at 18:32

1

Are you by any chance on the Chrome development channel, or possibly the Beta channel? I know that the dev channel currently has some stricter rules on SSL keys, and Beta might as well. You might try getting the stable release from https://www.chromium.org/getting-involved/dev-channel and see if that runs without the error.

answered Jun 19 '15 at 18:32

jonnybot

2,435
1
32
56

I'm on Arch Linux so I have this: https://www.archlinux.org/packages/?name=chromium . It's stable, just a built binary. It's strange. – koras Jun 19 '15 at 18:48

score 1 · Answer 5 · answered Jun 26 '15 at 12:06

1

Use netsurf (netsurf aur) on that site. I am on the same boat with you. Using Arch and Chromium and Firefox both refuses to enter certain websites. Netsurf can do the job for me.

answered Jun 26 '15 at 12:06

Burkay Genc

11
1

score 0 · Answer 6 · answered Sep 09 '15 at 12:52

I have also facing this issue and resolved by @Duccio Fabbri answer,

 --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

I don't know why this works but it works, for permanent use of this you can follow below step.

Go to browser short cut
Right click and Go to properties
Go to Short cut tab
Go to Target textbox, in this you will find your chrome full path , add above string at the end of path. and it will look like

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Apply and close it.

Now it will work.when you open it next time.

This should probably be a comment on Duccio Fabbri answer because it doesn't add anything useful. — vitaut, Nov 11 '15 at 00:09
I added the why that how any buddy can use it. by Duccio Fabbri i got they way. and after that i found how to do that , that's why i added as an answer. ultimate goal for this is USE of answer. @vitaut — bharatpatel, Nov 16 '15 at 14:32

score 0 · Answer 7 · edited Sep 09 '15 at 23:43

0

At Fireforx I was facing the same problem, I did the following changes and it worked for me,

Firefox:

Go to about:config from browser tab
Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha parameter.
Set them both to false.

edited Sep 09 '15 at 23:43

Deepak

1,503
3
22
45

answered Sep 09 '15 at 22:48

Indranil Acharya

66
3

score 0 · Answer 8 · answered Dec 24 '15 at 17:29

0

I was also getting this error, I reset the chrome settings to fix it: Settings > show advanced settings > Reset setting

answered Dec 24 '15 at 17:29

A-Sharabiani

17,750
17
113
128

score -1 · Answer 9 · edited May 23 '17 at 12:19

I found the solution for apache tomcat in this stackoverflow question, I just copy the solution:

Just edit 'conf/server.xml' adding the 'ciphers' attribute to your https connector:

 <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...

Practically you're explicitly defining the list of allowed ciphers, excluding the Diffie-Hellman ones (the one with 'DHE' in the name).

score -2 · Answer 10 · answered Sep 15 '15 at 07:22

-2

Open Server.xml file in your tomcat and set attribute "ciphers"

<Connector port="8007" protocol="AJP/1.3" redirectPort="8443" ciphers="SSL_RSA_WITH_RC4_128_SHA" />

answered Sep 15 '15 at 07:22

The question asked about client-side solutions, not server-side ones! – anderas Sep 15 '15 at 07:43
1

My Problem is fixed after changing at server side and i din't see anywhere this is asked for client side , This issue we getting in browser does mean we have to fix on client side only . – Sep 15 '15 at 11:26
This is **not** an answer. – r5d Sep 15 '15 at 11:31
1

The question asked about *connecting to* a badly configured server with chromium. This is a client-side problem! (Also, tomcat was mentioned nowhere in the question.) – anderas Sep 16 '15 at 06:54

Server has a weak ephemeral Diffie-Hellman public key. How to by-pass it?

10 Answers10