Firefox 39 – Secure Connection Failed – weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message

encryptionfirefoxSecurityssl

As of Firefox 39, connecting to an old administrative interface for some third party software gave the following message:

Secure Connection Failed

An error occurred during a connection to backup.trinetsolutions.com.
SSL received a weak ephemeral Diffie-Hellman key in Server Key
Exchange handshake message. (Error code:
ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.

Best Answer

Depending on the software, an upgrade may not be necessary.

I had this issue as well. In my case, the application was using Tomcat and I was able to change config settings in the server.xml file. I found the solution here.

To quote the relevant portion:

Tomcat has several weak ciphers enabled by default. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and disable weak ciphers by following these instructions. Open your server.xml file add the following to your SSL connector

<connector port="443" maxhttpheadersize="8192" address="127.0.0.1" 
           enablelookups="false" disableuploadtimeout="true" acceptCount="100" 
           scheme="https" secure="true" clientAuth="false" SSLEnabled="true" 
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, 
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" 
           keystoreFile="mydomain.key" keystorePass="changeit" 
           truststoreFile="mytruststore.truststore" truststorePass="changeit" />

In my situation, the only part that I had to modify in the server.xml file was the ciphers="..." portion.

After you do this, restart your application.

Related Solutions

Linux – SSL https (http secure) sites won’t display is client or server side

Before anyone blindly turns off that warning by disabling OCSP, double-check that it's really not a client issue. Turning off warning messages is something you only do if you have a VERY GOOD reason and you know what you're doing - or if you are the White House, where "the alarm system had been switched off due to complaints from staff that it was too noisy". However, if you take this issue seriously, you don't do that.

It might simply be that the system clock is slow, because the error message says "contains a date in the future". And it is much more likely that your computer's date/time is incorrect rather than that of the server (that could affect hundreds of clients).

Open a terminal and check your time:

$ date

Restart your NTP service to correct it:

$ sudo systemctl restart ntpd && echo OK

If you don't have the NTP service installed ("not-found" error), install it:

$ sudo pacman -S ntp

Also, make sure it's enabled

$ sudo systemctl is-enabled ntpd || sudo systemctl enable ntpd

With NTP installed and enabled, restart it, give it a couple of seconds to fetch the time and then check the time:

$ sudo systemctl restart ntpd && sleep 30 && date

Then try accessing the website again.

Depending on what desktop environment you use, you may be able to use graphical tools instead of those commands.

And for those who have "fixed" this issue by disabling every security feature until it worked: Please re-enable whatever you have disabled. If you've disabled OCSP, enable it again. Those features are there for a reason.

Firefox – “sec_error_ocsp_server_error” when trying to open a HTTPS page

Issue #1: sec_error_ocsp_server_error can occur for other reasons than OCSP server internal error.

From Bugzilla bug 495380:

SEC_ERROR_OCSP_SERVER_ERROR is used 5 times in ocsp.c for everything from an internal OCSP server error to failing create the request session and any number of different problems writing the request to the remote server.`

Issue #2: I believe that Firefox is caching this error but should not do so, so I created Bugzilla bug report 1014979.

Workarounds (from a post that I wrote at another forum):

Method #1: Restart Firefox.

Method #2: Go to Options->Advanced->Certificates-> Validation. Set checkbox "When an OCSP server connection fails, treat the certificate as invalid" to the opposite of what it is now, and then press OK button twice. That is sufficient to clear the OCSP cache. However, since you probably want the original setting that you just changed, go to Options->Advanced->Certificates-> Validation and set checkbox "When an OCSP server connection fails, treat the certificate as invalid" back to the value that was there before you read this post, then press OK button twice.

Best Answer

Related Solutions

Linux – SSL https (http secure) sites won’t display is client or server side

Firefox – “sec_error_ocsp_server_error” when trying to open a HTTPS page

Related Question