koras

Reputation: 1107

Server has a weak ephemeral Diffie-Hellman public key. How to by-pass it?

While I'm trying to visit a specific website (this one: https://login.uj.edu.pl) I'm getting an ERR_INVALID_ARGUMENT error. Here is the problem: "Server has a weak ephemeral Diffie-Hellman public key". More about the issue here: https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic

I know that it should be fixed by the webmaster, but until that happens I have to access the page every day anyway. I found a Firefox extension to avoid this error: https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

Now I want to get rid of the error in Google Chrome (well, Chromium actually). Is there any possibility to make it work? It's my university's page and it can take years for the site administrator to fix that secure connection issue.

What's strange is that the problem occurs in Linux only, in all browsers. In Windows, Chrome OS or Android there is nothing wrong. I know that using an insecure connection is wrong, but in this case I have no choice.

EDIT: I cannot accept any solution because the site I was trying to access changed its encryption to the right one. Now I can't test your solutions because the problem is already solved by site admins.

Upvotes: 26

Views: 85578

Answers (10)

ptommasi

Reputation: 1252

I found the solution for Apache Tomcat in this Stack Overflow question; I'm just copying the solution here:

Just edit 'conf/server.xml' adding the 'ciphers' attribute to your https connector:

 <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...

Practically, you're explicitly defining the list of allowed ciphers, excluding the Diffie-Hellman ones (the ones with 'DHE' in the name).

Upvotes: -1

A-Sharabiani

Reputation: 19329

I was also getting this error; I reset the Chrome settings to fix it: Settings > Show advanced settings > Reset settings

Upvotes: 0

S4nD3r

Reputation: 339

The solution is:

Type in your browser (I tried in Iceweasel)

    about:config 

Search for

    security.ssl3.dhe_rsa_aes_128_sha 

    security.ssl3.dhe_rsa_aes_256_sha 

Set them both to false (just double click to set them to false or true).

That's it!

Upvotes: 21

user4772709

Reputation:

Open the server.xml file in your Tomcat and set the "ciphers" attribute:

<Connector port="8007" protocol="AJP/1.3" redirectPort="8443" ciphers="SSL_RSA_WITH_RC4_128_SHA" />

Upvotes: -2

Indranil Acharya

Reputation: 66

In Firefox I was facing the same problem; I made the following changes and it worked for me:

Firefox:

  1. Go to about:config from the browser tab.
  2. Search for the security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha parameters.
  3. Set them both to false.

Upvotes: 0

vasa

Reputation: 787

Quick hack to get around this issue (Mac OSX)

  • Run this on the command line to work around the issue when launching Chrome

Chrome:

  • open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Canary:

  • open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

For Firefox

  • Go to about:config
  • Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
  • Set them both to false.

NOTE: The permanent fix would be to update the DH key to a length > 1024

Upvotes: 4
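As an added example (not code from the question or any of the answers here), the following Python parses the ServerDHParams carried in a TLS 1.2 ServerKeyExchange for a DHE suite and applies the modulus-size check that produces this browser error; the sample groups are constructed placeholders, not real safe primes.

```python
# Added example: parse ServerDHParams (TLS 1.2 ServerKeyExchange, DHE suites)
# and flag weak groups the way browsers started doing after Logjam.
import struct

MIN_DH_BITS = 1024  # minimum modulus size browsers enforce after Logjam (Chrome 45 per the answers above)

def parse_dhe_params(body: bytes):
    """Return (p, g, Ys) from ServerDHParams: three opaque<1..2^16-1> fields."""
    fields, off = [], 0
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError("field length out of range")
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    if off != len(body):
        raise ValueError("trailing bytes after dh_Ys")
    return tuple(fields)

def encode_dhe_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_dhe_params; used here only to build sample input."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def dh_strength(body: bytes) -> dict:
    """Classify a ServerDHParams body the way a client does before accepting it."""
    p, g, ys = parse_dhe_params(body)
    bits = p.bit_length()
    # Reject small moduli (Logjam class) and out-of-range public values.
    weak = bits < MIN_DH_BITS or not (1 < ys < p - 1)
    return {"p_bits": bits, "weak": weak}

def is_malformed(body: bytes) -> bool:
    try:
        parse_dhe_params(body)
    except ValueError:
        return True
    return False

# Constructed sample moduli (placeholders, not primes): 512-bit and 2048-bit.
WEAK_P = (1 << 511) | 0x5B
STRONG_P = (1 << 2047) | 0x5B
```

Running dh_strength on the 512-bit sample reports weak=True, which is exactly the condition the browsers in these answers refuse to negotiate.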

Bharat Ranpariya

Reputation: 1253

I was also facing this issue and resolved it using @Duccio Fabbri's answer:

 --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

I don't know why this works, but it works. To make it permanent you can follow the steps below.

  1. Go to the browser shortcut.
  2. Right-click and go to Properties.
  3. Go to the Shortcut tab.
  4. Go to the Target textbox; there you will find the full Chrome path. Add the above string at the end of the path, so it looks like

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

  5. Apply and close it.

Now it will work when you open it next time.

Upvotes: 0

Duccio Fabbri

Reputation: 1008

This solution worked for me:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

The recent release (Sep. 1) of Chrome 45 contains the fix for the Logjam attack, as detailed in https://weakdh.org, but it introduces this kind of problem.

I found it in this post

Upvotes: 11

Burkay Genc

Reputation: 11

Use netsurf (netsurf aur) on that site. I am in the same boat as you. I'm using Arch, and Chromium and Firefox both refuse to open certain websites. Netsurf can do the job for me.

Upvotes: 1

jonnybot

Reputation: 2453

Are you by any chance on the Chrome development channel, or possibly the Beta channel? I know that the dev channel currently has some stricter rules on SSL keys, and Beta might as well. You might try getting the stable release from https://www.chromium.org/getting-involved/dev-channel and see if that runs without the error.

Upvotes: 1
