Lapsap

"weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

In Firefox version 39, some OMSA web sites give this error message:

An error occurred during a connection to <server>:1311. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

I suppose I need to reinstall a new version of OMSA, or do I?  I haven't checked yet.  Does a new version exist yet?  And is there some "fast and dirty" workaround, because it would take me quite some time to update all my OMSA installations.

Thanks

Accepted Solutions
igor_coreforce

Hello everyone!

I fixed it for myself; please try it, hopefully it will work for you.

My environment:

R410, R710
OMSA 8.1.0.1
iDRAC v1.99
Lifecycle controller 1.7.5.4
Firefox 39.0

Login to OMSA using IE or Chrome, go to Preferences -> General Settings, set SSL Encryption to Auto Negotiate and hit Apply. You’ll be notified to restart web server, click OK and look for “Options: Restart Web Server” link. Click on that, give it 30 seconds and enjoy on FF 39.0!

In the same place you can change SHA-1 to a better algorithm. Not sure if the patch to OMSA helped, didn’t try with previous versions.

igor_coreforce

Walro, you’re right, looks like 8.2 changed everything. I had my OMSA 8.1 set as I described earlier and then upgraded to 8.2.0, so I didn’t even notice. Unfortunately, now I can’t test direct 8.2.0 install.

When I’m looking at my 8.2.0 settings after the upgrade I see the following:

SSL Ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

SSL Protocol: TLSv1, TLSv1.1, TLSv1.2

Key Signing Algorithm: SHA1

For me it works with FF 43.0.3 64-bit, Chrome 47.0.2526.106 m 64-bit, IE 11 on Win 8.1 and Win 10, and Edge.

Please try to set the same and test.

If you need stronger security, I’d suggest using only TLSv1.2; the other protocols are pretty old. Word of caution: I didn’t test it, and I would only do that if I accessed OMSA over the internet, which I’d NEVER do.

Also, it would be better to switch key signing to SHA256; soon most browsers will warn you about sites that use SHA1. This is tested and works with major browsers.

The settings I posted earlier for OMSA 8.1 worked with 7.4 for me also, if anyone needs it.

Happy Holidays!

Moderator

Hello

I suppose I need to reinstall a new version of OMSA, or do I?  I haven't checked yet.  Does a new version exist yet?

Maybe, what version are you using?

In preferences > general settings > server preferences you can set the SSL encryption method. It is likely defaulted to autonegotiate, which allows weak ciphers.

http://www.dell.com/support/home/us/en/04/product-support/product/dell-opnmang-srvr-admin-v7.4/manua...

Thanks

Daniel Mysinger
Dell EMC, Enterprise Engineer

Lapsap

I'm using version 7.4.0.2

I've been to that place, but the "SSL Encryption" option is already at "128-bit or Higher", not "Auto Negotiate".  The "Key Signing Algorithm" option is at SHA256.  However, I don't see anything related to the Diffie-Hellman key.

I've searched through a few of the manuals provided by your link.  I was looking for Diffie-Hellman or DH but found no mention.

Moderator

I've been to that place, but the "SSL Encryption" option is already at "128-bit or Higher", not "Auto Negotiate".  The "Key Signing Algorithm" option is at SHA256.  However, I don't see anything related to the Diffie-Hellman key.

I'm not aware of a setting that we have specifically for DH keys. Adjusting the SSL encryption should affect public and private keys.

I'm using version 7.4.0.2

7.4 is the latest version for older servers. Newer servers support 8. You can check the download page of your server to see if 8 is supported.

It looks like Firefox increased the minimum bits required for public key exchange around FF 38.1 or 39. According to this bug report, some users were able to bypass the error, but some were not.

https://bugzilla.mozilla.org/show_bug.cgi?id=1180526

I would suggest that you check the release notes for OMSA and use a supported browser.

Thanks

Daniel Mysinger
Dell EMC, Enterprise Engineer
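
The error quoted at the top of the thread is raised by the browser when the ServerKeyExchange message of a DHE handshake carries a Diffie-Hellman prime it considers too short; the group parameters travel in the clear, so the size can be measured without completing the handshake. The following script is an added example and is not part of the original thread or of OMSA; it parses a TLS 1.2 ServerKeyExchange record carrying ServerDHParams (RFC 5246 section 7.4.3) and reports the prime's bit length. The 1024-bit threshold used for "Firefox 39 accepts" is an assumption based on the Firefox 39 change the moderator refers to, and the two test vectors are constructed (odd numbers of the right size, not real safe primes), so the script runs offline.

```python
"""Measure the ephemeral DH group size a TLS server sends in ServerKeyExchange."""
import struct

HANDSHAKE = 22            # TLS record content type: handshake
SERVER_KEY_EXCHANGE = 12  # handshake message type
# Assumption: Firefox 39 started rejecting DH primes shorter than 1024 bits.
FIREFOX_39_MIN_DH_BITS = 1024


def _read_vec(buf, off):
    """Read an opaque<0..2^16-1> vector (2-byte big-endian length prefix)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[off:off + n], off + n


def parse_dhe_server_key_exchange(record):
    """Parse a TLS record holding a ServerKeyExchange with ServerDHParams.

    Returns a dict with p, g, Ys and the bit length of p. Any signature that
    follows the parameters (DHE_RSA suites) is ignored.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise ValueError("truncated handshake message")
    p, off = _read_vec(msg, 0)
    g, off = _read_vec(msg, off)
    ys, off = _read_vec(msg, off)
    p_int = int.from_bytes(p, "big")
    return {"p": p_int, "g": int.from_bytes(g, "big"),
            "Ys": int.from_bytes(ys, "big"), "p_bits": p_int.bit_length()}


def firefox39_accepts(p_bits, minimum=FIREFOX_39_MIN_DH_BITS):
    """True if a prime of p_bits bits clears the assumed Firefox 39 threshold."""
    return p_bits >= minimum


def build_dhe_server_key_exchange(p, g, ys):
    """Build a TLS 1.2 record carrying ServerDHParams without a signature.

    Used here only to construct offline test vectors.
    """
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    msg = vec(p) + vec(g) + vec(ys)
    hs = bytes([SERVER_KEY_EXCHANGE]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


# Constructed vectors: not real primes, just odd numbers of the target size.
WEAK_512 = build_dhe_server_key_exchange((1 << 511) | 0x1234567, 2, 1 << 500)
STRONG_2048 = build_dhe_server_key_exchange((1 << 2047) | 0x1234567, 2, 1 << 2000)

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_512), ("strong", STRONG_2048)):
        info = parse_dhe_server_key_exchange(rec)
        print(f"{name}: p is {info['p_bits']} bits, "
              f"Firefox 39 accepts: {firefox39_accepts(info['p_bits'])}")
```

To check a real OMSA instance instead of the constructed vectors, force a DHE suite from a machine with OpenSSL 1.0.2 or later, `openssl s_client -connect <server>:1311 -cipher 'DHE'`, and read the `Server Temp Key: DH, <n> bits` line; if the server never offers a DHE suite the handshake fails with no such line, which is the state the Auto Negotiate fix in this thread produces (ECDHE and plain RSA suites are chosen instead).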

Lapsap

On another server, which is a PowerEdge R710, I also have this problem.  It had this config:

OMSA 7.4.0
Lifecycle controller 1.5.0.671
iDRAC6: 1.98

These are updated to

OMSA 7.4.0 --> 8.1.0
Lifecycle controller 1.5.0.671 --> 1.7.5.4
iDRAC6: 1.98 -> 1.99

Now, things are worse 😄
FF 39 still cannot open OMSA, but FF 3.5 can no longer open iDRAC!

I have to use FF 9.0.1 to open both.

There have been quite a lot of "security updates" on the Internet.  For instance, SHA-1 will no longer be accepted for hashing certificates from the beginning of 2017.  Dell has got to follow the "outside world" a bit.

So, for the moment, there is still no workaround.

Lapsap

[deleted] ... Preferences -> General Settings, set SSL Encryption to Auto Negotiate and hit Apply.

..... [deleted]

Yes!  This works for me too (my OMSA is just 8.1, but I suppose the solution is not related to the version).

So actually it's the opposite setting for the SSL Encryption option that makes it work.

Thanks

igor_coreforce

Glad it helped. It seems to me Dell introduced it a long time ago, but here is the “tyranny of the default”.

Now if someone can also try it on older versions of OMSA, we can close the case and continue to enjoy Dell hardware.

I was at a Dell IT seminar yesterday in NY and saw the new PE FX architecture for the first time. Looks very promising! I have 10U worth of equipment in one place, and it would fit in one 2U unit on the FX platform and probably have some extra space for growth.

Lapsap

What does PE FX architecture have to do with OMSA in this issue?

Or are you doing some advertisement?

igor_coreforce

You can manage FX through OMSA at chassis level or at server level, and it looks very cool. Wanted to mention it for people who think that Dell is neglecting OMSA development. Clicked on Post too early.

I'm not working for Dell or any of their affiliates. No advertisement, just sharing. Sorry if it felt that way.
