Is it possible to force the browser to ignore the "Server has a weak ephemeral Diffie-Hellman public key" error? I've tried it on Opera, Chrome and Firefox. But there is nothing too visible that allows me to ignore this.
Google-chrome – Is it possible to force the browser to ignore “weak ephemeral Diffie-Hellman public key”
firefoxgoogle-chromeopera
Related Solutions
Depending on the software, an upgrade may not be necessary.
I had this issue as well. In my case, the application was using Tomcat and I was able to change config settings in the server.xml
file. I found the solution here.
To quote the relevant portion:
Tomcat has several weak ciphers enabled by default. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and disable weak ciphers by following these instructions. Open your
server.xml
file add the following to your SSL connector<connector port="443" maxhttpheadersize="8192" address="127.0.0.1" enablelookups="false" disableuploadtimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" keystoreFile="mydomain.key" keystorePass="changeit" truststoreFile="mytruststore.truststore" truststorePass="changeit" />
In my situation, the only part that I had to modify in the server.xml
file was the ciphers="..."
portion.
After you do this, restart your application.
Hacky fix to get around this issue (Mac OSX)
- Run this in commandline to workaround the issue while launching Chrome
Chrome:
open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Canary:
open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
For Firefox
- Go to about:config
- Search for
security.ssl3.dhe_rsa_aes_128_sha
andsecurity.ssl3.dhe_rsa_aes_256_sha
- Set them both to
false
.
NOTE: Permanently fix would be to update the DH key with a length > 1024
Best Answer
Yes, just tell the browser you want to use an insecure connection by using the
http
protocol instead ofhttps
.The browser is warning you because you requested a secure connection (via
https
), and the public key provided by the server is not secure.TLS errors are not something users should casually ignore. If you don't care about security, then just tell the browser to use the insecure protocol; don't tell the browser to use the secure protocol and then ignore any errors with the security. That defeats the purpose.