I have a Tomcat secure servlet running on an Amazon AMI. I've set up a secure connector on port 8443 with the TLS protocol, using a .jks keystore:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           compression="off"
           keystoreFile="\cert\localhost.jks" keystorePass="password"
           />

When I try to access to the url from the Internet, I'm getting "ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY" error.

I began to experience this error after updating to Chrome 45. I'm now on Chrome version 45.0.2454.85 m.

Is there anyone who can help me fix this error?

miguel.angel

3 Answers

Locate your install path for Tomcat (TOMCAT_PATH). Find the XML definition of the SSL HTTP/1.1 Connector in server.xml and add the following to the connector:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

For even better security, remove all references to RC4 ciphers.

Find all ciphers containing "RC4" in the list above and remove them from your list. RC4 ciphers are very old, but some older smartphones and/or proxy servers still depend on them. A complete list of who still uses RC4 is here: https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/ For best compatibility, leave RC4 in; for best security, remove it.

cedric.walter
After a while I got the answer: I have to set up the ciphers for my connector in Tomcat 7 like this:

<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true" disableUploadTimeout="true"
           acceptCount="100"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="localhost.jks" keystorePass="password"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           />

Although Google Chrome still tells me the cipher is deprecated.

miguel.angel
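The two answers above both boil down to replacing the JVM's default suite list with one that names only ECDHE and plain RSA suites, and cedric.walter's answer then suggests dropping the RC4 entries. As an added example (not code from either answer or from Tomcat itself), here is a small Python audit that reads a server.xml, finds every SSLEnabled Connector, and reports connectors with no explicit ciphers attribute, any RC4 suites, and any finite-field DHE suites (TLS_DHE_* / SSL_DHE_*), which are the suites whose ephemeral key Chrome is judging when it reports ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. It then prints the cleaned attribute to paste back. The server.xml text, ports and suite lists below are constructed for the demo and are not the asker's file.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the asker's file): port 8443 relies on the
# JVM's default suite list, port 9443 has an explicit list that still carries
# RC4 and a finite-field DHE suite. The lists are illustrative only.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="localhost.jks" keystorePass="password" />
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="localhost.jks" keystorePass="password"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />
  </Service>
</Server>
"""


def parse_cipher_list(value):
    """Split a Tomcat ciphers attribute into suite names.

    The attribute is comma-separated; whitespace and line breaks between
    names (as in the answers above) are tolerated and stripped.
    """
    return [name.strip() for name in value.split(",") if name.strip()]


def is_rc4(suite):
    """RC4 suites, which cedric.walter's answer recommends removing."""
    return "RC4" in suite


def is_ffdhe(suite):
    """Finite-field Diffie-Hellman suites (TLS_DHE_*, SSL_DHE_*).

    These are the suites whose ephemeral DH key Chrome evaluates when it
    reports ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY; ECDHE suites are not
    matched (the check is on the literal "_DHE_" token).
    """
    return "_DHE_" in suite


def audit_connectors(xml_text):
    """Return one finding dict per SSLEnabled Connector in the server.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: the JVM/JSSE defaults decide, which may include DHE.
            findings.append({"port": conn.get("port"), "explicit": False,
                             "rc4": [], "dhe": [], "recommended": None})
            continue
        suites = parse_cipher_list(raw)
        findings.append({
            "port": conn.get("port"),
            "explicit": True,
            "rc4": [s for s in suites if is_rc4(s)],
            "dhe": [s for s in suites if is_ffdhe(s)],
            # Whatever remains after dropping both classes, original order kept.
            "recommended": [s for s in suites if not is_rc4(s) and not is_ffdhe(s)],
        })
    return findings


def ciphers_attribute(suites):
    """Render a suite list back into the attribute form server.xml expects."""
    return 'ciphers="%s"' % ",".join(suites)


def report(findings):
    """Human-readable summary: one line per connector plus the attribute to paste."""
    lines = []
    for f in findings:
        if not f["explicit"]:
            lines.append("port %s: no ciphers attribute, JVM defaults in use" % f["port"])
            continue
        lines.append("port %s: %d RC4 suite(s), %d finite-field DHE suite(s)"
                     % (f["port"], len(f["rc4"]), len(f["dhe"])))
        lines.append("  " + ciphers_attribute(f["recommended"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_connectors(SAMPLE_SERVER_XML)))
```

To run it against a real deployment, replace SAMPLE_SERVER_XML with the contents of TOMCAT_PATH/conf/server.xml. A connector reported as "JVM defaults in use" is the situation in the question: nothing in server.xml constrains the suite list, so whether a DHE suite gets negotiated depends entirely on the JVM.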
To fix the issue you have to configure ciphers matching your JDK. Refer to the answer at the link below: https://stackoverflow.com/a/32473771

kadian