VMware Cloud Community
nhsalexbooty
Contributor

Server has a weak, ephemeral Diffie-Hellman public key

Seems Chrome 45 and Firefox 40 are blocking DHE ciphers

We now get the following errors when browsing to the vRO Web Interface (and Configuration interface)

Tested this with the appliance versions of both vRO 6.0.1 and 6.0.2

Has anyone else experienced this? And are there any better workarounds than using the "--cipher-suite-blacklist=" parameter in Chrome?

I've raised a support ticket with VMware, but thought it would be an idea to post here as well.

Chrome:

[Screenshot: DHE-error-chrome.PNG]

Server has a weak, ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!

In this case, the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.

Firefox:

[Screenshot: DHE-error-firefox.PNG]

Secure Connection Failed

An error occurred during a connection to vro-appliance-hostname:8283. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the web site owners to inform them of this problem.

1 Solution

Accepted Solutions
ivand
VMware Employee

You can try editing both server.xml files, in /etc/vco/app-server and /etc/vco/configuration. In server.xml, update the 'ciphers' attribute by removing the TLS_DHE_... ciphers. After that, restart the vco-server and vco-configuration services.

7 Replies
nhsalexbooty
Contributor

Thanks, now resolved. In case it helps anyone else, here is what I changed:

/etc/vco/app-server/server.xml

  <Connector  protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" emptySessionPath="true" keystoreFile="${catalina.base}/conf/security/jssecacerts" keystorePass="dunesdunes" URIEncoding="UTF-8"
   maxHttpHeaderSize="163840" maxThreads="100" port="${ch.dunes.https-server.port}" address="${server.bind.address}" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
   ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

/etc/vco/configuration/server.xml

   <Connector protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" emptySessionPath="true" URIEncoding="UTF-8"
   keystoreFile="${catalina.base}/../app-server/conf/security/jssecacerts" keystorePass="dunesdunes"
   maxHttpHeaderSize="16384" maxThreads="100" port="8283"
   scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
   ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
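The edit above is done by hand in vi. As an added example (not VMware's tooling and not code from anyone in this thread), the following script makes the same change mechanically: it rewrites only the `ciphers="..."` attribute of each Tomcat `<Connector>`, drops every finite-field DHE suite, leaves the rest of server.xml byte for byte intact, and then reports whether any forward-secret (ECDHE or DHE) suite is left. The sample server.xml, the `KEYSTORE_PASSWORD_PLACEHOLDER` value and the helper names are constructed for this example; the `.bak` copy and the in-place write are this script's own behaviour, not anything the appliance does.

```python
"""Strip TLS_DHE_* suites from the ciphers attribute of Tomcat <Connector>
elements, as the thread does by hand for the vRO appliance.

Added example; not VMware's or the vRO appliance's own tooling.
Assumptions: ciphers are given as ciphers="..." with comma-separated suite
names (whitespace tolerated), as in the connectors quoted in the thread.
"""
from __future__ import annotations

import re
import shutil
import sys
from pathlib import Path

# Prefixes of suites that negotiate ephemeral finite-field Diffie-Hellman,
# the exchange Chrome 45 / Firefox 40 reject when the server's DH group is
# too small. TLS_ECDHE_* suites are deliberately not matched: they use an
# elliptic-curve group and are not affected by this browser error.
DHE_PREFIXES = ("TLS_DHE_", "TLS_DH_anon_", "SSL_DHE_")

# Matches the attribute value only, so nothing else in the file is rewritten.
_CIPHERS_ATTR = re.compile(r'(\bciphers\s*=\s*")([^"]*)(")')

# Constructed sample modelled on the connector quoted in the thread.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample, not a real appliance file -->
<Server>
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false"
      keystoreFile="${catalina.base}/conf/security/jssecacerts"
      keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER"
      port="8283" scheme="https" secure="true" sslProtocol="TLS"
      ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
"""


def is_dhe_suite(name: str) -> bool:
    """True for finite-field DHE suites (the ones browsers now reject)."""
    return name.startswith(DHE_PREFIXES)


def split_suites(cipher_list: str) -> list[str]:
    """Split a ciphers attribute value into clean suite names."""
    return [s.strip() for s in cipher_list.split(",") if s.strip()]


def filter_ciphers(cipher_list: str) -> tuple[list[str], list[str]]:
    """Return (kept, removed) suite lists for one attribute value."""
    suites = split_suites(cipher_list)
    kept = [s for s in suites if not is_dhe_suite(s)]
    removed = [s for s in suites if is_dhe_suite(s)]
    return kept, removed


def strip_dhe(server_xml: str) -> tuple[str, list[str]]:
    """Rewrite every ciphers="..." attribute without DHE suites.

    Returns the new file text and the list of suites dropped. Comments,
    attribute order and whitespace outside the attribute are untouched.
    """
    dropped: list[str] = []

    def _repl(m: re.Match) -> str:
        kept, removed = filter_ciphers(m.group(2))
        dropped.extend(removed)
        return f"{m.group(1)}{','.join(kept)}{m.group(3)}"

    return _CIPHERS_ATTR.sub(_repl, server_xml), dropped


def has_forward_secrecy(cipher_list: str) -> bool:
    """True if at least one suite uses an ephemeral exchange (ECDHE or DHE).

    A list of only TLS_RSA_* suites, as in the thread's fix, has none.
    """
    return any(s.startswith(("TLS_ECDHE_", "TLS_DHE_")) for s in split_suites(cipher_list))


def harden_file(path: Path) -> list[str]:
    """Back up server.xml to server.xml.bak, rewrite it, return dropped suites."""
    original = path.read_text(encoding="utf-8")
    new_text, dropped = strip_dhe(original)
    if dropped:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return dropped


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(f"{arg}: removed {harden_file(Path(arg))}")
    else:
        text, gone = strip_dhe(SAMPLE_SERVER_XML)
        print("removed:", gone)
        for m in _CIPHERS_ATTR.finditer(text):
            print("remaining:", m.group(2),
                  "| forward secrecy:", has_forward_secrecy(m.group(2)))
```

Run it with no arguments to see the constructed sample processed, or pass `/etc/vco/app-server/server.xml /etc/vco/configuration/server.xml` on the appliance (root, then restart the services as the accepted answer says). The forward-secrecy report is the caveat worth reading: the thread's fix leaves only TLS_RSA_* suites, which stop the browser error but give up forward secrecy; if the appliance's Java/JSSE build supports TLS_ECDHE_* suites (not confirmed by the thread), adding those to `ciphers` keeps forward secrecy without the weak-DH error.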
igaydajiev
VMware Employee

Weak, ephemeral Diffie-Hellman algorithms are removed, and this change will be available with the next vRO update releases (5.5.3 and 6.0.3).

TonyKhan
Enthusiast

I had the same issue. Thanks for your help!

jarushepic
Enthusiast

The problem still exists in 6.0.3

bbcconsults
Contributor

Exactly where do you edit this? Forgive my noobness, I'm not a Linux guru. Thanks.

virtualkim
Enthusiast

bbcconsults,

This solution is for the vRealize Orchestrator appliance.

What I do is open PuTTY and connect to the vRealize Orchestrator IP address or FQDN.

Log in using root (and the matching password).

Next I browse to the folder using:   cd /etc/vco/app-server/

Then I open vi to edit the server.xml file:   vi server.xml

Type 'i' to insert text:   i

Move your cursor to the text you want to delete and delete the keys we don't want.

Press ESC to initiate exit from editing the file.

Type ':wq' to quit editing and save the changes.

Do the same for the other file:

Next I browse to the folder using:   cd /etc/vco/configuration/

Then I open vi to edit the server.xml file:   vi server.xml

Type 'i' to insert text:   i

Move your cursor to the text you want to delete and delete the keys we don't want.

Press ESC to initiate exit from editing the file.

Type ':wq' to quit editing and save the changes.

Reboot your server.

Done.

kim
