Jul 09 2015

The problem

ssl_error_weak_server_ephemeral_dh_key

The solution

Adito supports many different SSL cipher suites, and some of them negotiate weak Diffie-Hellman (DH) keys.
Here is a guide that worked for me and keeps the connection to Adito secure (as before).

If you want to read more about the problem, visit https://weakdh.org/; it also checks your browser at the same time.

Use an alternative browser, or temporarily change these settings in Firefox:

  • Open about:config
  • Search for security.ssl3.dhe_rsa_aes
  • Double-click security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha to set their values to false

Log in to your Adito account and then follow the guide.

Press the "Server" link under System Configuration

Push the "SSL" tab and you'll see a list of ciphers.

Adito states the following regarding the Adito client (this is very important):

Supported Ciphers

The list of SSL ciphers supported by Adito. If the selected cipher list is empty, then all available ciphers are supported; if you edit this list, ensure that SSL_RSA_WITH_RC4_128_MD5 is selected, as this is required by the Adito Agent.

WARNING: Editing these properties may cause compatibility problems with some older browsers.

I removed every TLS_* entry from this list and added all the SSL_* ciphers.
(Please do some research on which ciphers are most useful for your organization.)

Press OK when you have updated the ciphers list

A restart of the Adito server is required. Existing users will be thrown out!

Press OK to restart Adito now

Press OK on the redundant confirmation regarding restart

Just wait 10 seconds. It offers an abort option in case you did not actually read the earlier messages :)

The restart takes some time and only works if Adito is running in service mode.
If you are running it from the console, you have to close and restart the console window.

Now revert the Firefox settings you changed earlier (set security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha back to true), and log in to your Adito server using Firefox.

You are ready to use Adito on any browser again
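The cipher list in the SSL tab is where this issue is decided, and the post leaves the choice of ciphers to the reader. As an added example (not from the original post or the Adito project), the Python below parses Java-style suite names like those Adito lists and reports which ones deserve review, including the DHE suites behind the Firefox error and the RC4/MD5 suite the Agent needs; the sample list is constructed.

```python
import re

# Suite names use the JSSE/IANA style shown in Adito's SSL tab, e.g.
# SSL_RSA_WITH_RC4_128_MD5 or TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
SUITE_RE = re.compile(r"^(?P<proto>SSL|TLS)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

# Constructed sample list, not the real contents of any Adito installation.
SAMPLE_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",            # required by the Adito Agent
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",    # suite family behind the Firefox error
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_WITH_RC4_128_MD5",
]

def parse_suite(name):
    """Split a suite name into (protocol prefix, key exchange, bulk cipher, MAC)."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: %s" % name)
    # The MAC is the final token; everything before it is the bulk cipher.
    cipher, _, mac = m.group("rest").rpartition("_")
    return m.group("proto"), m.group("kx"), cipher, mac

def assess_suite(name):
    """Return the reasons a suite deserves review; an empty list means none known."""
    _, kx, cipher, mac = parse_suite(name)
    reasons = []
    # Finite-field DH: strength depends on the server's DH group size, which is
    # exactly what ssl_error_weak_server_ephemeral_dh_key complains about.
    if kx.startswith("DHE_") or kx.startswith("DH_"):
        reasons.append("finite-field DH key exchange; server DH group size decides strength")
    if "EXPORT" in kx or "EXPORT" in cipher:
        reasons.append("export-grade (deliberately weakened) suite")
    if "anon" in kx:
        reasons.append("anonymous key exchange: no server authentication")
    if cipher.startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons

def triage(suites):
    """Split a cipher list into suites to keep and suites to review, with reasons."""
    report = {"keep": [], "review": {}}
    for suite in suites:
        reasons = assess_suite(suite)
        if reasons:
            report["review"][suite] = reasons
        else:
            report["keep"].append(suite)
    return report
```

Suites that land under "review" are not automatically wrong to keep (the Agent requirement above is the obvious case), but each one should be a conscious decision rather than a leftover default.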

If you haven't updated your Adito so clients can use Java 1.8, please see the page Installer-SVN!
The applet is validly signed and recompiled with JDK 1.8!

Posted at 21:36:02
Jun 19 2015

Find the champagne, I finally got around to releasing Adito for Java v1.8 (and probably higher versions).

Oracle is still strict in its handling of unsigned applets, so the applet has to be properly signed to run.

Certum.eu have yet again provided me with a yearly cert, and this time I promise to renew it :)

I've only released the SVN version with support for v1.8.

This version uses my extension store and is probably the most bug-fixed version out.

Download the installer from here

Posted at 20:33:16
May 17 2015

The changes in Oracle's Java 1.8 are significant. Earlier compiled versions of Adito (also called OpenVPN-ALS) are no longer valid and need to be recompiled.

If you want to make Adito work on Java 1.8 or newer, follow the guide or download the SVN installer with a signed applet from here.

Please note that the description is for Windows users, but the code changes in step 5 apply to Linux as well for a correct compile.

1. Installing Java 8 JDK
Download the JDK from here: http://www.oracle.com/technetwork/java/javase/downloads/index.html
(Version tested was Java SE Development Kit 8u45; Windows x86; filename: jdk-8u45-windows-i586.exe)
Add your JDK directory's \bin folder to your PATH settings. If you are unfamiliar with this, please read this guide: https://www3.ntu.edu.sg/home/ehchua/programming/howto/JDK_Howto.html
Typical installation directory: %programfiles%\Java\jdk1.8.0_45

The JDK also installs the JRE (Java Runtime), so a simple test after installation is to run "java.exe -version" in a command prompt.

2. Downloading the latest version of the Adito source code
The SVN version of Adito can be downloaded from SourceForge: http://sourceforge.net/p/openvpn-als/code/HEAD/tarball
(If you have trouble getting the version, try downloading TortoiseSVN: http://tortoisesvn.net/downloads.html

Then use the SVN link to get the R706 version: svn://svn.code.sf.net/p/openvpn-als/code/adito/trunk )

Typical installation directory: c:\adito
3. Downloading ANT
The Adito project is set up to use ANT for compilation. Download ANT from here: https://ant.apache.org/bindownload.cgi
(Tested version was apache-ant-1.9.4-bin.zip.) Add the c:\ant\bin directory to the system PATH variable, as done earlier for the JDK installation.
Typical installation directory: c:\ant

You can test ANT by typing "ant -version" in the command prompt. It should state "Apache Ant(TM) version 1.9.4 compiled on April 29 2014".

4. Copy tools.jar from the JDK to the Adito installation
In the JDK directory %programfiles%\Java\jdk1.8.0_45\lib\ locate the "tools.jar" file.

Copy tools.jar to 2 destinations:

c:\adito\lib

%programfiles%\Java\jre1.8.0_45\lib

5. Modify the Adito source to the correct version
ANT uses the build.xml files to compile each component. The Adito source is old and is unaware of any Java version later than 1.2. The changes are compile parameters that ensure Java 1.8 is targeted.
Find the build.xml files in these directories and change target="1.x" to target="1.8":

C:\adito\clientcerts\build.xml, line 88

C:\adito\maverick-crypto\build.xml, line 40

C:\adito\maverick-multiplex\build.xml, line 62

C:\adito\maverick-ssl\build.xml, line 83 and 150

C:\adito\maverick-util\build.xml, line 43

C:\adito\ui\build.xml, line 118

Save all the files and you're ready to compile.

6. Compile Adito
Open a command prompt, go to the directory c:\adito and enter the command "ant -projecthelp".

A list of commands will be shown:

clean              Removes compiled files

compile            Compile Adito.

console            Starts the Adito server in the foreground display all output to the console

dist               Create an executable, ready to distribute version of Adito

help               Displays some help.

install            Run the Adito installation wizard. The server must not be running.

install-agent      Install Adito Agent.

install-service    Install Adito as a service.

javadoc            Generate javadocs for everything

start              Starts the Adito in the background

start-using-java   Starts the Adito in the foreground without the OS-dependent wrapper

stop               Stops the running Adito. Note, this currently does not work on all platforms.

sysinfo            Display some system information

uninstall-service  Uninstall Adito service.

Then type "ant compile" to compile. It should finish after a minute or two with:

BUILD SUCCESSFUL

Total time: 51 seconds

Please ignore the warnings and other messages during compile. They did not cause any problems with my installation.

Messages like "[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release" could potentially turn into failures in the future.

To run the installer and first-time setup, type "ant install". To run Adito normally, just run "ant" in the directory; it is the same as "ant start-using-java".

The wrapper does not work as expected, but my updated installer fixes that.

Please note that an Adito for Java 1.8 installer version is on its way; I am just waiting for an updated cert.
