How To Fix "Server has a weak ephemeral Diffie-Hellman public key" For JBoss Server


A few days ago a customer of mine ran into an error: he was not able to access his management system on the intranet, which I built a few years ago. The error we got was the following:

"Server has a weak ephemeral Diffie-Hellman public key" or ERR_SSL_WEAK_EPHEMERAL_DH_KEY

Which basically means:

If you see this error, it means that a secure connection can't be established because of outdated security code on the website. Chrome protects your privacy by preventing you from connecting to these sites. You won't be able to visit this page using Chrome.

I spent some time figuring out what it was all about, since the software we were running on the intranet was installed with just a few clicks (apt-get install ...) and compiled from source. It turned out the whole thing was running on a JBoss server, and since I'm not very proficient in JBoss or Tomcat, it took me some time to find a solution.

In the end I followed the advice on Google Support:

You have a few options to fix this error in Chrome:

  • Enable ECDHE and disable DHE (preferable)
  • Use a 1024-bit (or larger) Diffie-Hellman group for the DHE_RSA SSL cipher suites
  • Disable all DHE SSL cipher suites

After a couple of hours of browsing for the best solution among the three mentioned above, I stuck with option 2.

I added the following line to the connector element in server.xml. Read more: SSL/TLS, ciphers, perfect forward secrecy and Tomcat

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA

I restarted the JBoss server and things went back to normal.
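
An added example, not part of the original post: a small Python audit of the cipher list above that classifies each suite by its key exchange and bulk cipher. It shows that the list contains no DHE suites, so the weak Diffie-Hellman group is never negotiated, and it flags the RC4 and static-RSA entries that remain; the flag labels `dhe`, `no-fs` and `rc4` are this example's own.

```python
import re

# Cipher list exactly as given in the post (JSSE suite names, stray spaces included).
POST_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
)

# <TLS|SSL>_<key exchange>_WITH_<bulk cipher>_<hash>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")


def parse_suite(name):
    """Split a suite name into (key exchange, bulk cipher, hash)."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    return m.group("kx"), m.group("enc"), m.group("mac")


def audit(cipher_list):
    """Map each suite in a comma-separated list to its flags (labels are this example's own)."""
    report = {}
    for name in (s.strip() for s in cipher_list.split(",")):
        if not name:
            continue
        kx, enc, _ = parse_suite(name)
        flags = []
        kx_alg = kx.split("_")[0]
        if kx_alg == "DHE":
            flags.append("dhe")      # finite-field DHE: the family behind the Chrome error
        elif kx_alg != "ECDHE":
            flags.append("no-fs")    # static RSA/DH/ECDH key exchange: no forward secrecy
        if enc.startswith("RC4"):
            flags.append("rc4")      # RC4 is prohibited in TLS by RFC 7465
        report[name] = flags
    return report


def flagged(cipher_list, flag):
    """Names of the suites in the list that carry the given flag."""
    return [n for n, f in audit(cipher_list).items() if flag in f]


if __name__ == "__main__":
    for suite, flags in audit(POST_CIPHERS).items():
        print(f"{suite:45} {', '.join(flags) or '-'}")
```

An empty flag list only means that none of these three checks fired for that suite.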

Hope this helps.
