Frontend – Lars Werner
Jul 09 2015
 

The problem

ssl_error_weak_server_ephemeral_dh_key

The solution

Adito supports a lot of different SSL ciphers, and some of them have weak Diffie-Hellman (DH) keys.
Here is a guide that worked for me and ensures a secure connection to Adito (as before).

If you want to read more about the problem, visit https://weakdh.org/; it checks your browser at the same time.

Use an alternative browser, or temporarily enter these commands in Firefox:

  • about:config
  • Search for security.ssl3.dhe_rsa_aes
  • Double-click security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha to set their values to false

Log in to your Adito account and then follow the guide.

Press the “Server” link under System Configuration

Push the “SSL” tab and you’ll see a list of ciphers

Adito states the following regarding the Adito client (this is very important):

Supported Ciphers

The list of SSL ciphers supported by Adito. If the selected cipher list is empty then all available ciphers are supported, if you edit this list then ensure that SSL_RSA_WITH_RC4_128_MD5 is selected as this is required by the Adito Agent.

WARNING: Editing these properties may cause compatibility problems with some older browsers.

I removed every TLS_* entry from this list and added all the SSL_* ciphers.
(Please do some research on which ciphers are most useful for your organization.)

Press OK when you have updated the ciphers list

A restart of the Adito server is required. Existing users will be thrown out!

Press OK to restart Adito now

Press OK on the redundant confirmation regarding restart

Just wait 10 seconds. It displays an abort function if you actually did not read the messages before 🙂

The restart takes some time, and only works if you run Adito in service mode.
If you are using the console, you have to close and restart the console window.

Now remove the exceptions you changed in Firefox earlier (security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha), and log in to your Adito server using Firefox.

You are ready to use Adito on any browser again

If you haven’t updated your Adito so clients can use Java 1.8, please see the page Installer-SVN!
The applet is validly signed and recompiled with JDK 1.8!
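
The cipher review from the guide above, as an added example that is not part of the original post or of Adito: a Python check that parses JSSE-style suite names like those in the SSL tab and reports which ones use ephemeral Diffie-Hellman (DHE), the key exchange that ssl_error_weak_server_ephemeral_dh_key refers to, along with export, anonymous, NULL, RC4 and MD5 suites. The SSL_/TLS_ prefix of a name does not identify the key exchange, so the check reads the key-exchange field instead; the function names are hypothetical and the sample list is constructed.

```python
import re

# JSSE-style name: <SSL|TLS>_<key exchange>[_EXPORT]_WITH_<cipher>_<MAC>
SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>.+?)(?P<export>_EXPORT)?_WITH_(?P<rest>.+)$")

# Required by the Adito Agent according to the help text quoted in the post.
AGENT_SUITE = "SSL_RSA_WITH_RC4_128_MD5"

def audit_suite(name):
    """Return sorted findings for one cipher suite name."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unparsed"]
    kx, rest = m.group("kx"), m.group("rest")
    findings = set()
    if kx.startswith("DHE_"):      # finite-field ephemeral DH; ECDHE_ is not matched
        findings.add("dhe")
    if "anon" in kx:               # no server authentication
        findings.add("anonymous")
    if m.group("export"):
        findings.add("export")
    if rest.startswith("NULL"):    # integrity only, no encryption
        findings.add("null-cipher")
    if "RC4" in rest:
        findings.add("rc4")
    if rest.endswith("_MD5"):
        findings.add("md5")
    return sorted(findings)

def review(selected):
    """Summarise a selected cipher list for an administrator's review."""
    report = {name: audit_suite(name) for name in selected}
    return {
        "dhe_suites": [n for n, f in report.items() if "dhe" in f],
        "agent_suite_present": AGENT_SUITE in selected,
        "findings": report,
    }

# Constructed sample list (standard JSSE names), not an export from a real server.
SAMPLE = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE)["findings"].items():
        print(f"{name:42} {', '.join(findings) or '-'}")
```

An empty dhe_suites list means no DHE suite is left in the selection; agent_suite_present confirms the suite the Adito help text requires is still selected.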

 Posted by at 21:36:02
Jun 19 2015
 

Find the champagne, I finally got around to releasing Adito for Java v1.8 (and probably higher versions).

Oracle are still strict in their handling of unsigned applets, so it has to be properly signed to run.

Certum.eu have yet again provided me with a yearly cert, and this time I promise to renew it 🙂

I’ve only released the SVN-version with support for v1.8.

This version uses my extension-store and is probably the most bug-fixed version out.

Download the installer from here

 Posted by at 20:33:16
Sep 10 2013
 

Hardware.no has been a good source for techno-information for years.
Now, in the days of commercials, Adblock is a must to survive in the jungle of information.
But when sites are doing a semi-paid commercial thingy, I get annoyed:

Adblock = ON

Hardware.no commercial for adblockers

Adblock = OFF

Hardware.no with commercial

If you also got annoyed, add this filter to your adblock-exception-rules:

@@||hardware.no/js/adtech_ad.js
@@||hardware.no/js/adtech*.js

If you don’t care about comments on the site, block jQuery altogether by adding:

http://static.tek.no/js/jquery.min.js?cb=1369321785
or
http://static.tek.no/js/jquery.min.js*

(Source)

Earlier attempts do not work as expected. This will hide the commercial and show the content:

@@||tek.no$elemhide

That way the commercials and popups are long-gone-silver.

HW.no is active and tries to block attempts at blocking this.
If they are serious, they should use sessions and hide articles behind a user portal solution.

If you have other sites for which you would like to share tips like this, please let me know in the comment field!

 Posted by at 12:25:48