Problem:

We are having difficulty connecting to our server using a browser. Google Chrome can connect, but Mozilla Firefox cannot. This problem is related to the "Weak Diffie-Hellman and the Logjam Attack" (https://weakdh.org/).

Activity log, sequence of actions we have conducted to try and fix the problem, and things we already know:

  1. Everything was fine.
  2. Firefox complained about the weak Diffie-Hellman ephemeral key.
  3. Firefox can no longer access our server.
  4. But Google Chrome CAN STILL access it.
  5. Found out about "Weak Diffie-Hellman and the Logjam Attack" (https://weakdh.org/).
  6. Tested Firefox using their website, and it responded "Good News! Your browser is safe against the Logjam attack."
  7. Tested Chrome using their website, and it responded that Chrome was vulnerable.
  8. This explained why we could still access our server using Chrome.
  9. Updated Chrome to the latest version.
  10. Tested Chrome using weakdh.org, and it responded "Good News! Your browser is safe against the Logjam attack."
  11. Tried accessing our site using Chrome, and it now has the same error as Firefox.
  12. Both Chrome and Firefox can no longer access the site at this point.
  13. We followed the instructions located at https://weakdh.org/sysadmin.html for Apache Tomcat servers.
  14. The fix did not work for either Chrome or Firefox; still the same error.
  15. We followed the instructions at "Diffie-Hellman public key error with Tomcat 7".
  16. The fix WORKED for Chrome BUT NOT for Firefox.
  17. Firefox has error code: ssl_error_bad_cert_alert
  18. We experimented with a smaller number of ciphers, but none worked.
  19. Same error for Firefox, still OK for Chrome.

TECHNICAL DETAILS

Certificate:

Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Public key: RSA (2048 Bits)
Thumbprint algorithm: sha1

Environment:

Apache Tomcat 6.0
Java 1.6.0_34

Current server configuration:

<Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https"
           secure="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="********.pfx"
           keystoreType="PKCS12"
           keystorePass="********"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
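The following is an added example, not code from the question or from Tomcat. It parses a Connector element like the one above (with the masked values left exactly as the poster masked them) and sorts each suite in its ciphers attribute by key-exchange family, so you can see at a glance whether a cipher list still offers the export-grade DH suites that Logjam downgrades to, or plain DHE suites, which weakdh.org notes Firefox 39 and later refuse when the server's DH group is shorter than 1024 bits. It also reports whether clientAuth="true" is set, since that setting makes Tomcat demand a client certificate on every handshake. The suite-name patterns and the second, constructed connector with DHE suites are assumptions made for illustration.

```python
# Added example: audit the cipher list of a Tomcat <Connector> for Logjam-related
# key exchanges. Not the poster's or Tomcat's code; the suite-name patterns are an
# assumption based on the standard TLS_<kx>_WITH_<cipher>_<mac> naming.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector quoted in the question, secrets masked as posted.
SAMPLE_CONNECTOR = """<Connector port="443" SSLEnabled="true" maxThreads="150" scheme="https"
secure="true" clientAuth="true" sslProtocol="TLS"
keystoreFile="********.pfx"
keystoreType="PKCS12"
keystorePass="********"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>"""

# Constructed sample: the same connector with two finite-field DH suites prepended,
# to show the findings a Logjam-exposed cipher list produces.
DHE_CONNECTOR = SAMPLE_CONNECTOR.replace(
    'ciphers="',
    'ciphers="TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,',
)

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_")


def key_exchange(suite):
    """Return the key-exchange family encoded in a suite name (assumed naming)."""
    m = SUITE_RE.match(suite)
    if not m:
        return "unknown"
    kx = m.group("kx")
    if "DH" in kx and "EXPORT" in kx:
        return "DHE_EXPORT"   # 512-bit export DH: the group Logjam downgrades to
    if kx.startswith("DHE_") or kx.startswith("DH_anon"):
        return "DHE"          # finite-field ephemeral DH; strength set by server params
    if kx.startswith("ECDHE_"):
        return "ECDHE"        # elliptic-curve DH, not affected by Logjam
    if "EXPORT" in kx:
        return "EXPORT"       # non-DH export suite, weak for other reasons
    return kx                 # RSA, ECDH_RSA, DH_RSA, ...


def audit(connector_xml):
    """Parse one <Connector> element and group its suites by Logjam relevance."""
    el = ET.fromstring(connector_xml)
    suites = [s.strip() for s in el.get("ciphers", "").split(",") if s.strip()]
    report = {"export_dh": [], "dhe": [], "other_export": [], "ok": [], "notes": []}
    for s in suites:
        kx = key_exchange(s)
        if kx == "DHE_EXPORT":
            report["export_dh"].append(s)
        elif kx == "DHE":
            report["dhe"].append(s)
        elif kx == "EXPORT":
            report["other_export"].append(s)
        else:
            report["ok"].append(s)
    if report["export_dh"]:
        report["notes"].append("export-grade DH suites present: remove them (weakdh.org guidance)")
    if report["dhe"]:
        report["notes"].append("DHE suites present: server DH group must be at least 1024 bits "
                               "for Firefox 39+; 2048 bits is the weakdh.org recommendation")
    # clientAuth="true" makes Tomcat require a client certificate from every browser.
    report["client_cert_required"] = el.get("clientAuth", "false").lower() == "true"
    if report["client_cert_required"]:
        report["notes"].append('clientAuth="true": every browser must present a client certificate')
    return report


if __name__ == "__main__":
    for name, xml in (("as posted", SAMPLE_CONNECTOR), ("with DHE suites", DHE_CONNECTOR)):
        r = audit(xml)
        print(name)
        for key in ("export_dh", "dhe", "other_export", "ok"):
            print(f"  {key:13s} {r[key]}")
        for note in r["notes"]:
            print("  note:", note)
```

Run against the posted connector, the report lists all four suites under "ok" (two ECDHE, two plain RSA) and no DH findings, which matches the order of events in the question: once the DHE suites were removed the Logjam-related complaint went away and only the client-certificate note remains. The constructed DHE_CONNECTOR shows what a Logjam-exposed list looks like instead.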

1 Answer

Basically, you'll need to upgrade your Java version. More details here: ApacheJMeterTemporaryRootCA.crt not generated

[]'s
