ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY: Server has a weak ephemeral Diffie-Hellman public key

asurajpai
Participant V

Hi, when I open the UI for the [SAP][4.14.06.03][SUSE] OPDK I get the following error in Chrome:

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

My keystore (keystore.file=xxx.jks) has a public cert of strength 4096. Please help, as we are not able to open the UI in Chrome version 45.0.2454.85 m.

Any changes in the JDK?

grep -rnw . -e "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
Binary file ./apigee4/share/jdk/jre/lib/jsse.jar matches


Not applicable

Chrome has strict enforcement of the cryptographic encryption level. It doesn't allow any key whose Diffie-Hellman public key value is <1024 bits.

https://weakdh.org has more details

You can try disabling the DH cipher suites.

Finally you can use another browser.

asurajpai
Participant V

As per your suggestion, how do I make the changes to the Apigee Edge UI as mentioned in the URL https://weakdh.org/sysadmin.html ?

@Paul can you please suggest?

Hi All,

I fixed it for the Router in my setup (^4.16) with knowledge gained from https://weakdh.org

$ cd /opt/nginx/conf
$ openssl dhparam -out dhparams.pem 2048
$ vim /opt/apigee/customer/application/router.properties
conf_load_balancing_load.balancing.driver.nginx.dhparam=/opt/nginx/conf/dhparams.pem
conf_load_balancing_load.balancing.driver.server.ssl.ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
$ apigee-service edge-router restart