Server has a weak ephemeral Diffie-Hellman public key. How to by-pass it?
up vote 24 down vote favorite
11

While I'm trying to visit a specific website (that one: https://login.uj.edu.pl) I'm getting ERR_INVALID_ARGUMENT error. Here is the problem: "Server has a weak ephemeral Diffie-Hellman public key". More about the issue there: https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic

I know that it should be fixed by a webmaster but until it happens I have to access the page every day anyway. I found an extension to Firefox to avoid this error: https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

Now i want to get rid of the error in Google Chrome (well, Chromium actually). Is there any possibility to make it work? It's my university's page and it can take years for the site administrator to fix that secure connection issue.

What's strange the problem occurs in Linux only, in all the browsers. In Windows, Chrome-OS or Android there is nothing wrong. I know that using insecure connection is wrong but in that case I have no choice.

EDIT: I cannot accept any solution because the site I was trying to access changed its encryption to the right one. Now I can't test your solutions because the problem is already solved by site admins.



StackOverflow

Use netsurf (netsurf aur) on that site. I am on the same boat with you. Using Arch and Chromium and Firefox both refuses to enter certain websites. Netsurf can do the job for me.



The solution is:

Type in your browser (I tried in Iceweasel)

    about:config 

Search for

    security.ssl3.dhe_rsa_aes_128_sha 

    security.ssl3.dhe_rsa_aes_256_sha 

Set them both to false (just double click to set them to false or true).

That's it!



This solution worked for me:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

The recent release (Sep. 1) to Chrome 45 contains the fix for the Logjam attack as detailed in https://weakdh.org but it introduce this kind of problem.

I found it in this post



I have also facing this issue and resolved by @Duccio Fabbri answer,

 --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

I don't know why this works but it works, for permanent use of this you can follow below step.

  1. Go to browser short cut
  2. Right click and Go to properties
  3. Go to Short cut tab
  4. Go to Target textbox, in this you will find your chrome full path , add above string at the end of path. and it will look like

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

  5. Apply and close it.

Now it will work.when you open it next time.



Quick hack to get around this issue (Mac OSX)

  • Run this in commandline to workaround the issue while launching Chrome

Chrome:

  • open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Canary:

  • open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

For Firefox

  • Go to about:config
  • Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
  • Set them both to false.

NOTE: Permanently fix would be to update the DH key with a length > 1024



At Fireforx I was facing the same problem, I did the following changes and it worked for me,

Firefox:

  1. Go to about:config from browser tab
  2. Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha parameter.

  3. Set them both to false.



Open Server.xml file in your tomcat and set attribute "ciphers"

<Connector port="8007" protocol="AJP/1.3" redirectPort="8443" ciphers="SSL_RSA_WITH_RC4_128_SHA" />


I was also getting this error, I reset the chrome settings to fix it: Settings > show advanced settings > Reset setting



I found the solution for apache tomcat in this stackoverflow question, I just copy the solution:

Just edit 'conf/server.xml' adding the 'ciphers' attribute to your https connector:

 <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...

Practically you're explicitly defining the list of allowed ciphers, excluding the Diffie-Hellman ones (the one with 'DHE' in the name).



Viewed : 77368
Asked : June 19, 2015, 12:00 am

Top Related


New Related