Winstone configure self signed keystore for SSL Authentication

Question

I am creating a self signed key using

keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 1360 -keysize 2048

Embedding the keystore with Winstone servlet container using --httpsKeyStore=keystore.jks option. When accessing from chrome I am getting the following error

Server has a weak, ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Is there any way to overcome this issue by creating keystore or configuring Winstone? I can access the site from firefox browser.

score 4 · Accepted Answer · answered Dec 22 '15 at 06:28

4

Updated my server Java version to 1.7 (Previous was 1.6) and now I can add exception and proceed in chrome browser

answered Dec 22 '15 at 06:28

Sharavanakumaar Murugesan

875
8
33

score 0 · Answer 2 · edited Jul 22 '22 at 13:54

This isn't a keystore or certificate issue. This is telling you that your server is configured with weak cryptography for the Diffie-Hellman handshaking part of establishing an SSL/TLS connection. Here is a sample from a server.xml file which does not use weak cryptography:

<Connector port="443" 
              protocol="org.apache.coyote.http11.Http11Protocol"
              SSLEnabled="true"
              maxThreads="150"
              scheme="https"
              secure="true"
              keystoreFile="..\ssl\keystore"
              keystorePass="yourpasswordgoeshere"
              clientAuth="false"
              sslProtocol="TLSv1.2"
              sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                       TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                       TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
   />

Can I configure this in winstone servlet container? This one is for Apache tomcat right? — Sharavanakumaar Murugesan, Dec 22 '15 at 06:20

Winstone configure self signed keystore for SSL Authentication

Server has a weak, ephemeral Diffie-Hellman public key

2 Answers2