Server has a weak ephemeral Diffie-Hellman public key

Last post 04-20-2016, 2:12 PM by JohnB352. 2 replies.
Sort Posts: Previous Next
  • Server has a weak ephemeral Diffie-Hellman public key
    Posted: 03-02-2016, 10:32 AM

    CV 10 SP13

    We get this when using Chrome to access the Web console page.  If you research this, this is what Google has to say:

    "Server has a weak ephemeral Diffie-Hellman public key" or ERR_SSL_WEAK_EPHEMERAL_DH_KEY

    If you see this error, it means that a secure connection can't be established because of outdated security code on the website. Chrome protects your privacy by preventing you from connecting to these sites. You won't be able to visit this page using Chrome.

    If you're a website administrator, we recommend you update your server to support ECDHE and disable DHE. If ECDHE is unavailable, you can instead disable all DHE cipher suites and rely on plain RSA.

    I can find information on how to "rely on plain RSA" by making a change in the config but, that sounds like a bad idea since you've effectively lowered your security at that point.

    What are people doing to solve this problem?

  • Re: Server has a weak ephemeral Diffie-Hellman public key
    Posted: 04-20-2016, 12:26 PM
    • isle is not online. Last active: 11-20-2019, 3:07 PM isle
    • Top 25 Contributor
    • Joined on 08-21-2012
    • NJ
    • Adept
    • Points 308

    You are using SSL correct?


    SSLv3 Vulnerabilities

    If SSL is configured on your Tomcat server, do the following to protect against the SSLv3 POODLE vulnerability:

    • In the server.xml file, update the <Connector> element for the second connector: remove the sslProtocol="TLS" parameter and add thesslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" parameter.

    For more information, see the second connector configuration information in Configuring the SSL Connector for Tomcat.

  • Re: Server has a weak ephemeral Diffie-Hellman public key
    Posted: 04-20-2016, 2:12 PM

    That is a different problem.  But, while looking up information on my error message, to show that it's differerent from the SSLv3 poodle issue, I found a link with a solution that worked for me.

    By the way, our server.xml file did have the the two parameters you referenced.

    From this link:

    I found something about ciphers.  I added that to the server.xml file and I no longer get the "diffie-hellman" error.  I do get a message about an untrusted certificate, but I can proceed past that message.

    So in a round about way, you helped me.  Smile

The content of the forums, threads and posts reflects the thoughts and opinions of each author, and does not represent the thoughts, opinions, plans or strategies of Commvault Systems, Inc. ("Commvault") and Commvault undertakes no obligation to update, correct or modify any statements made in this forum. Any and all third party links, statements, comments, or feedback posted to, or otherwise provided by this forum, thread or post are not affiliated with, nor endorsed by, Commvault.
Commvault, Commvault and logo, the “CV” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor, Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, SnapProtect, ROMS, and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
Copyright © 2020 Commvault | All Rights Reserved. | Legal | Privacy Policy