Disable weak DH keys in Adito (Fixes Firefox error: ssl_error_weak_server_ephemeral_dh_key ) – Lars Werner
Jul 09 2015

The problem

ssl_error_weak_server_ephemeral_dh_key

The solution

Adito supports a lot of different SSL ciphers, and some of them use weak (short) Diffie-Hellman (DH) key-exchange parameters, which is what triggers the Firefox error above.
Here is a guide that worked for me and ensures a secure connection to Adito (as before).

If you want to read more about the problem, visit https://weakdh.org/; it also checks your browser at the same time.

Use an alternative browser, or temporarily change these settings in Firefox:

  • about:config
  • Search for security.ssl3.dhe_rsa_aes
  • Double-click security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha to set their values to false

Log in to your Adito account and then follow the guide:

Press the “Server” link under System Configuration

Click the “SSL” tab and you’ll see a list of ciphers

Adito states the following regarding the Adito client (this is very important):

Supported Ciphers

The list of SSL ciphers supported by Adito. If the selected cipher list is empty then all available ciphers are supported, if you edit this list then ensure that SSL_RSA_WITH_RC4_128_MD5 is selected as this is required by the Adito Agent.

WARNING: Editing these properties may cause compatibility problems with some older browsers.

I removed every TLS_* entry from this list and added all the SSL_* ciphers.
(Please do some research on which ciphers are most useful for your organization.)

Press OK when you have updated the ciphers list

A restart of the Adito server is required. Existing users will be thrown out!

Press OK to restart Adito now

Press OK on the redundant confirmation regarding restart

Just wait 10 seconds. It shows an abort button in case you did not actually read the messages before :)

The restart takes some time, and only works if you run Adito in service mode.
If you are running it from the console, you have to close and restart the console window.

Now revert the Firefox settings you changed earlier (set security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha back to their default of true), and log in to your Adito server using Firefox.

You are ready to use Adito on any browser again
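Two checks a practitioner would want around the cipher-list edit above, written as an added example (not code from the original post or from the Adito project): first, an audit of the selected-cipher list that flags every suite whose key exchange is finite-field ephemeral DH (the suites behind ssl_error_weak_server_ephemeral_dh_key) and confirms that SSL_RSA_WITH_RC4_128_MD5, which the Adito note says the Agent needs, is still selected; second, a probe that offers your own Adito server only DHE suites after the restart, so you can confirm it no longer completes such a handshake. The audit goes by key exchange rather than by the SSL_/TLS_ prefix the post used, so it also catches DHE suites with an SSL_ prefix. The sample cipher list is constructed for the example, and the mapping of the two Firefox prefs to suite names is an assumption stated in the code.

```python
import socket
import ssl

# Adito shows cipher suites with Java (JSSE) names. This sample list is constructed
# for the example; it is not taken from a real Adito server.
SAMPLE_CIPHER_LIST = [
    "SSL_RSA_WITH_RC4_128_MD5",          # required by the Adito Agent (per the Adito note)
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",  # DHE despite the SSL_ prefix
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# The suite the Adito Agent needs, quoted from Adito's "Supported Ciphers" help text.
REQUIRED_BY_AGENT = "SSL_RSA_WITH_RC4_128_MD5"

# The two Firefox prefs toggled in the workaround, mapped to the suites they
# control (assumed mapping, based on the pref names).
FIREFOX_PREF_TO_SUITE = {
    "security.ssl3.dhe_rsa_aes_128_sha": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.dhe_rsa_aes_256_sha": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def uses_ephemeral_dh(suite):
    """True when the suite's key exchange is finite-field ephemeral Diffie-Hellman.

    These are the suites Firefox refuses with ssl_error_weak_server_ephemeral_dh_key
    when the server hands out DH parameters that are too short. ECDHE is a different
    key exchange and is not affected; "_DHE_" does not match "_ECDHE_".
    """
    return "_DHE_" in suite or "_DH_anon_" in suite


def audit_cipher_list(selected):
    """Split a selected-cipher list into DHE suites to drop and suites to keep,
    and check that the Agent's required suite survives the edit."""
    weak_dh = [s for s in selected if uses_ephemeral_dh(s)]
    keep = [s for s in selected if not uses_ephemeral_dh(s)]
    return {
        "weak_dh": weak_dh,
        "keep": keep,
        "agent_cipher_present": REQUIRED_BY_AGENT in keep,
    }


def server_negotiates_dhe(host, port=443, timeout=5.0):
    """Offer a server only DHE suites and report which one it picks.

    Returns the negotiated suite name (OpenSSL spelling) if the server still
    completes a DHE handshake, or None if it refuses, which is the result you
    expect from your Adito server after the change above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are probing key exchange, not the certificate, so skip verification here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites do not name their key exchange, so cap at 1.2 to keep the
    # DHE-only restriction meaningful.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # @SECLEVEL=0 stops OpenSSL itself from rejecting short DH parameters, so a
    # None result means "server would not do DHE" rather than "client balked".
    ctx.set_ciphers("DHE:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    report = audit_cipher_list(SAMPLE_CIPHER_LIST)
    print("drop (ephemeral DH):", report["weak_dh"])
    print("keep:", report["keep"])
    print("Agent suite still selected:", report["agent_cipher_present"])
    for pref, suite in FIREFOX_PREF_TO_SUITE.items():
        print(f"{pref} -> {suite} (ephemeral DH: {uses_ephemeral_dh(suite)})")
    # After the restart, point this at your own Adito server, e.g.:
    # print(server_negotiates_dhe("adito.example.internal", 443))
```

Paste the suites from the SSL tab into SAMPLE_CIPHER_LIST to audit your real selection; if agent_cipher_present comes back False, the Agent will stop working, exactly as the Adito help text warns. The probe deliberately lowers the client's own DH checks so that a refusal can only come from the server.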

If you haven’t updated your Adito so clients can use Java 1.8, please see the page Installer-SVN!
The applet is properly signed and recompiled with JDK 1.8!

 Posted by at 21:36:02
