Reputation: 630
Chrome seems to have released an update over the past week. This has caused at least 50 of our internal applications to throw the exception shown below. The solutions I have researched over the Internet talk about updating the application server with a stronger cipher. However, our applications are spread out over IIS, Tomcat, JBoss, WebLogic and WebSphere. It's not practical to expect all of these application servers to be updated. Is there no way to get Chrome to allow an "exception" for these sites? Since these sites are all internal, the security is not really a concern.
Apparently, Firefox throws the same exception but there is a documented fix for that (by changing some settings in Firefox). Is anyone aware of a similar fix in Chrome?
Error
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Upvotes: 3
Views: 6797
Reputation: 37
I've solved this problem without upgrading JRockit but by configuring the ssl section like this:
<ssl>
  <enabled>true</enabled>
  <hostname-verifier xsi:nil="true"></hostname-verifier>
  <hostname-verification-ignored>false</hostname-verification-ignored>
  <export-key-lifespan>500</export-key-lifespan>
  <client-certificate-enforced>false</client-certificate-enforced>
  <two-way-ssl-enabled>false</two-way-ssl-enabled>
  <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>
  <inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>
  <outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>
  <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
  <use-server-certs>false</use-server-certs>
  <jsse-enabled>true</jsse-enabled>
</ssl>
Can't tell you exactly what makes the difference, but it solved many different problems on SSL with Chrome.
Upvotes: 0
Reputation: 1
I found that this problem is caused by the JDK version running on the app server.
If your WebLogic/Apache server is running on Java JRockit version "1.6.0_33" & "1.6.0_45" or below, you will face this issue.
A solution is to upgrade Java to a higher version like "1.6.0_101" and higher and restart the app server.
Upvotes: 0
Reputation: 46
While Maximillian's workaround might work for you at the moment, there is no supported way to add an exception. The only safe solution is to upgrade the servers, and a less fragile workaround might be to put better proxies right in front of some of the servers.
Upvotes: 1
Reputation: 20359
I found a temporary workaround that should disable the security check in Chrome that is causing that error. It goes without saying that you do NOT want to use this while browsing the open web.
Try adding the following command argument to Chrome when you start it up:
--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
I found this solution at this Google forum post. Hopefully it will help!
Upvotes: 3
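The error in the question is raised when the Diffie-Hellman prime in the server's TLS ServerKeyExchange message is too short. As an added example (not part of any post above), this Python code parses that message and reports the prime size, so an internal server can be audited from a captured handshake; the 1024-bit threshold, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

SERVER_KEY_EXCHANGE = 12   # TLS handshake message type
MIN_DH_BITS = 1024         # assumed policy threshold for this example


def _vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> field: 2-byte length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("vector length out of range")
    return buf[off + 2:off + 2 + n], off + 2 + n


def dh_params(msg):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a DHE ServerKeyExchange.

    Only valid when the negotiated suite is DHE; ECDHE uses a different body.
    """
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _vec16(body, 0)
    g, off = _vec16(body, off)
    ys, off = _vec16(body, off)   # the signature, if any, follows at off
    return {"p_bits": int.from_bytes(p, "big").bit_length(),
            "g": int.from_bytes(g, "big"),
            "ys_bits": int.from_bytes(ys, "big").bit_length()}


def is_weak(msg, min_bits=MIN_DH_BITS):
    """True when the server's ephemeral DH prime is shorter than min_bits."""
    return dh_params(msg)["p_bits"] < min_bits


def sample_ske(p_len):
    """Constructed message (not a capture): p of p_len bytes, g=2, dummy Ys."""
    vec = lambda b: struct.pack(">H", len(b)) + b
    p = b"\xff" * p_len                      # placeholder value, not a real prime
    body = vec(p) + vec(b"\x02") + vec(b"\x01" * p_len) + b"\x00" * 8
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (96, 256):                   # 768-bit and 2048-bit primes
        m = sample_ske(size)
        print(dh_params(m)["p_bits"], "weak" if is_weak(m) else "ok")
```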