VMware Cloud Community
FreddyFredFred
Hot Shot

cannot access vRO appliance web page with Firefox 39.0

I tried to access https://ipaddress:8281/vco/  and suddenly I'm greeted with the following error:

An error occurred during a connection to ipaddress:8281. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

I think Firefox updated itself between now and the last time I tried to access the web page.

I checked the release notes for version 39 and i see this: Removed support for insecure SSLv3 for network communications

Is that what's causing the problem? Anyone else have this problem?

Accepted Solutions
iiliev
VMware Employee

The problem is that SSLv3 and some of the cipher suites used in vRO appliances are now considered insecure, and some apps, e.g. Firefox, started to block them.

Here is the list of cipher suites currently configured in vRO 6.x:

  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA

The ones that have DH in their name (Diffie-Hellman) should be disabled (4 out of 6). The easiest way is to remove them from the ciphers list in the following files:

  /etc/vco/app-server/server.xml  (vRO server)
  /etc/vco/configuration/server.xml  (vRO configurator)

After removal of the insecure ciphers, you may need to restart vRO. Now you should be able to connect to vRO appliance using Firefox 39.

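The accepted answer says to remove the four DHE suites from the `ciphers` list in the two server.xml files. The script below is an added example, not code from the vRO appliance, from VMware, or from anyone in the thread. It assumes the cipher list sits in a `ciphers` attribute on a `<Connector>` element, as in a Tomcat server.xml; the real layout of `/etc/vco/app-server/server.xml` and `/etc/vco/configuration/server.xml` is an assumption here, and the sample XML is constructed from the six suites listed above. It keeps the two `TLS_RSA_*` suites, removes anything whose key exchange is finite-field `DH`/`DHE`, leaves `ECDHE` suites alone, and refuses to write a connector whose cipher list would become empty.

```python
"""Strip finite-field Diffie-Hellman (DH/DHE) cipher suites from a Tomcat-style
server.xml. Added example for this thread; not vRO's own code. The `ciphers`
attribute on `<Connector>` is a Tomcat convention and is assumed for vRO."""
import shutil
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample, shaped like a Tomcat HTTPS connector on the vRO port and
# carrying exactly the six suites named in the thread. Not from a real appliance.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8281" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
"""


def is_dh_suite(name: str) -> bool:
    """True when an IANA-style suite name (TLS_<kx>_<auth>_WITH_...) uses
    finite-field DH or DHE key exchange. ECDHE is a different key exchange
    and is deliberately not matched."""
    parts = name.strip().split("_")
    return len(parts) > 1 and parts[0] == "TLS" and parts[1] in ("DH", "DHE")


def strip_dh_suites(cipher_list: str) -> Tuple[str, List[str]]:
    """Split a comma-separated cipher list into (kept list, removed suites)."""
    kept: List[str] = []
    removed: List[str] = []
    for suite in (s.strip() for s in cipher_list.split(",")):
        if not suite:
            continue
        (removed if is_dh_suite(suite) else kept).append(suite)
    return ",".join(kept), removed


def harden_server_xml(xml_text: str) -> Tuple[str, List[str]]:
    """Rewrite every <Connector ciphers="..."> without DH/DHE suites.
    Returns the new XML text and the list of suites that were dropped.
    Raises ValueError rather than leave a connector with no ciphers at all."""
    root = ET.fromstring(xml_text)
    removed_all: List[str] = []
    for connector in root.iter("Connector"):
        ciphers = connector.get("ciphers")
        if ciphers is None:
            continue  # plain HTTP connector or one using the JVM default list
        kept, removed = strip_dh_suites(ciphers)
        if not kept:
            raise ValueError(
                "Connector on port %s would be left with no cipher suites"
                % connector.get("port", "?"))
        if removed:
            connector.set("ciphers", kept)
            removed_all.extend(removed)
    # Note: ElementTree drops comments and the XML declaration on round-trip.
    return ET.tostring(root, encoding="unicode"), removed_all


def harden_file(path: str) -> List[str]:
    """Apply harden_server_xml to a file in place, keeping a .bak copy."""
    with open(path, encoding="utf-8") as fh:
        new_text, removed = harden_server_xml(fh.read())
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    new_xml, dropped = harden_server_xml(SAMPLE_SERVER_XML)
    print("removed:", dropped)
    print(new_xml)
```

Because ElementTree does not preserve comments or the `<?xml ...?>` declaration, treat the output as a guide for an edit you review by hand on the appliance rather than something to write back blindly; `harden_file` keeps a `.bak` copy for that reason. After the restart mentioned in the answer, a quick check from a client machine is `openssl s_client -connect ipaddress:8281 -cipher DHE`, which should now fail to negotiate a DHE suite, while a plain `openssl s_client -connect ipaddress:8281` still connects.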

4 Replies
FreddyFredFred
Hot Shot

Misread your post on my first reply (since deleted) :)

The fix seems to have worked, thank you!

Any downside to making the changes? Will they get reverted when I upgrade the appliance one day?

Thanks

iiliev
VMware Employee

I think there should be no downside to making this change (unless someone tries to connect with a client app supporting only DH ciphers, but I doubt there are such apps).

The next versions (e.g. vRO 6.0.3) will ship with an updated ciphers list, so you won't get the insecure ciphers back after an appliance upgrade.

willonit
Hot Shot

Quick one-liner to remove weak ciphers
