
July 16th, 2015 09:00

"weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

In Firefox version 39, some OMSA web site would give this error message:

An error occurred during a connection to :1311. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

I suppose I need to install a new version of OMSA, or do I? I haven't checked yet. Does a new version exist yet? And is there some "fast and dirty" workaround, because it would take me quite some time to update all my OMSA installations?

Thanks

July 23rd, 2015 08:00

Hello everyone!

I fixed it for myself, please try, hopefully it will work for you.

My environment:

R410, R710
OMSA 8.1.0.1
iDRAC v1.99
Lifecycle controller 1.7.5.4
Firefox 39.0

Log in to OMSA using IE or Chrome, go to Preferences -> General Settings, set SSL Encryption to Auto Negotiate and hit Apply. You'll be notified to restart the web server; click OK and look for the "Options: Restart Web Server" link. Click on that, give it 30 seconds and enjoy on FF 39.0!

In the same place you can change SHA-1 to a better algorithm. Not sure if the patch to OMSA helped; I didn't try with previous versions.

December 29th, 2015 07:00

Walro, you’re right, looks like 8.2 changed everything. I had my OMSA 8.1 set as I described earlier and then upgraded to 8.2.0, so I didn’t even notice. Unfortunately, now I can’t test direct 8.2.0 install.

When I’m looking at my 8.2.0 settings after upgrade I see the following:

SSL Ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

SSL Protocol: TLSv1, TLSv1.1, TLSv1.2

Key Signing Algorithm: SHA1

For me it works with FF 43.0.3 64 bit, Chrome 47.0.2526.106 m 64 bit, IE 11 on Win 8.1 and Win 10, Edge.

Please try to set the same and test.

If you need stronger security, I'd suggest using only TLSv1.2; the other protocols are pretty old. Word of caution: I didn't test it, and I would only do that if I accessed OMSA over the internet, which I'd NEVER do.

Also, key signing would be better switched to SHA256; soon most browsers will warn you about sites that use SHA1. This is tested and works with major browsers.

The settings I posted earlier for OMSA 8.1 worked with 7.4 for me also, if anyone needs it.

Happy Holidays!
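The settings posted above contain only ECDHE_RSA and plain RSA suites and no finite-field DHE suites, which is the reason the weak-DH error cannot occur with them: Firefox 39 only size-checks the ephemeral DH group sent in a DHE handshake (minimum 1024 bits after Logjam). The following is an added example, not code from the thread or from Dell, that audits an OMSA-style comma-separated cipher list for exactly that property and for the legacy SHA-1 MAC suites it still contains; the OMSA 8.2.0 list is used as sample input.

```python
import re
from dataclasses import dataclass

# The OMSA 8.2.0 "SSL Ciphers" value quoted in the thread, used as sample input.
OMSA_82_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
)

# IANA-style suite names: TLS_<key exchange>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS|DH_anon|RSA)"
    r"_WITH_(?P<cipher>.+)_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str
    forward_secrecy: bool  # ephemeral key exchange (ECDHE or DHE)
    ffdhe: bool            # finite-field DH: the only kind the browser size check applies to
    legacy_mac: bool       # HMAC-SHA1 or MD5 suite


def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised suite name: {name!r}")
    kx = m.group("kx")
    return Suite(name.strip(), kx, "DHE" in kx, kx.startswith("DH"),
                 m.group("hash") in ("SHA", "MD5"))


def audit(cipher_list: str) -> dict:
    """Summarise an OMSA-style comma-separated suite list for review."""
    suites = [parse_suite(s) for s in cipher_list.split(",") if s.strip()]
    return {
        "count": len(suites),
        # Firefox 39+ rejects DHE groups under 1024 bits; with no finite-field
        # DH suite offered, that check can never fire.
        "may_trigger_weak_dh_error": any(s.ffdhe for s in suites),
        "all_forward_secret": all(s.forward_secrecy for s in suites),
        "legacy_mac_suites": [s.name for s in suites if s.legacy_mac],
    }
```

For the 8.2.0 list, `audit(OMSA_82_CIPHERS)` reports no DHE exposure, four SHA-1 suites and no forward secrecy for the plain RSA suites, which is what a reviewer would weigh before trimming the list further.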

Moderator


6.2K Posts

July 16th, 2015 15:00

Hello

I suppose I need to reinstall new version of OMSA, or is it?  I haven't checked yet.  Does new version exist yet?

Maybe, what version are you using?

In Preferences > General Settings > Server Preferences you can set the SSL encryption method. It is likely defaulted to Auto Negotiate, which allows weak ciphers.

http://www.dell.com/support/home/us/en/04/product-support/product/dell-opnmang-srvr-admin-v7.4/manuals

Thanks

45 Posts

July 17th, 2015 05:00

I'm using version 7.4.0.2

I've been to that place, but the "SSL Encryption" option is already set to "128-bit or Higher", not "Auto Negotiate". The "Key Signing Algorithm" option is at SHA256. However, I don't see anything related to the Diffie-Hellman key.

I've searched through a few manuals provided by your link.  I was looking for Diffie-Hellman or DH but I found no mention.

Moderator


6.2K Posts

July 17th, 2015 10:00

I've been to that place but "SSL Encryption" option is already in "128-bit or Higher", not "Auto Negotiate".  "Key Signing Algorithm" option is at SHA256.  However, I don't see anything related to Diffie-Hellman key.

I'm not aware of a setting that we have specifically for DH keys. Adjusting the SSL encryption should affect public and private keys.

I'm using version 7.4.0.2

7.4 is the latest version for older servers. Newer servers support 8. You can check the download page of your server to see if 8 is supported.

It looks like Firefox increased the minimum bits required for public key exchange around FF 38.1 or 39. According to this bug report some users were able to bypass the error, but some were not.

https://bugzilla.mozilla.org/show_bug.cgi?id=1180526

I would suggest that you check the release notes for OMSA and use a supported browser.

Thanks

45 Posts

July 20th, 2015 11:00

On another server, which is a PowerEdge R710, I also have this problem. It had this config:

OMSA 7.4.0
Lifecycle controller 1.5.0.671
iDRAC6: 1.98

These are updated to

OMSA 7.4.0 -> 8.1.0
Lifecycle controller 1.5.0.671 -> 1.7.5.4
iDRAC6: 1.98 -> 1.99

Now, things are worse :D
FF 39 still cannot open OMSA, but FF 3.5 can no longer open iDRAC!

I have to use FF 9.0.1 to open both.

There have been quite a lot of "security updates" on the Internet. For instance, SHA-1 will no longer be accepted for hashing certificates from the beginning of 2017. Dell has to follow the "outside world" a bit.

So, for the moment, there is still no workaround.

45 Posts

July 23rd, 2015 11:00

[deleted] ... Preferences -> General Settings, set SSL Encryption to Auto Negotiate and hit Apply.

..... [deleted]

Yes! This works for me too (my OMSA is just 8.1, but I suppose the solution is not related to the version).

So actually it's the opposite setting of the SSL Encryption option that makes it work.

Thanks

45 Posts

July 24th, 2015 07:00

What does PE FX architecture have to do with OMSA in this issue?

Or are you doing some advertisement?

July 24th, 2015 07:00

Glad it helped. Seems to me Dell introduced it a long time ago, but here is the "tyranny of default".

Now if someone can also try it on the older versions of OMSA, we can close the case and continue to enjoy Dell hardware.

I was at a Dell IT seminar yesterday in NY and saw the new PE FX architecture for the first time. Looks very promising! I have 10U worth of equipment in one place, and it would fit in one 2U unit on the FX platform and probably have some extra space for growth.

July 24th, 2015 09:00

You can manage FX through OMSA at chassis level or at server level, and it looks very cool. Wanted to mention it for people who think that Dell is neglecting OMSA development. Clicked on Post too early.

I'm not working for Dell or any of their affiliates. No advertisement, just sharing. Sorry if it felt that way.

1 Message

September 9th, 2015 16:00

At least for my install on Windows 10 Pro 64-bit, OpenManage will not open in Chrome or Edge. Every time I try to open https://(pc name):1311, I get a

Server has a weak ephemeral Diffie-Hellman public key

error.

What am I doing wrong here?

(Trying to resolve almost the exact same issue as

http://www.tomshardware.com/answers/id-2228632/perc-rebuild-array.html - a 2950 with a bad RAID drive, though mine are 300 GB rather than 72.)

2 Posts

December 29th, 2015 01:00

I've got this problem too, using Chrome 47 and OMSA 8.2.0. The option to set SSL Encryption to Auto Negotiate seems to be gone as of OMSA 8.2 so that trick does not work. I have tried tampering with SSL Ciphers and SSL Protocols, but I couldn't find a working combination, anyone got any ideas?

Thanks!

45 Posts

January 8th, 2016 03:00

It's good to have all these workarounds, but they are only good as a *temporary* solution.

So, what is the official position of DELL? Are they going to let users keep fiddling with the settings here and there? And they're not going to fix it, right?

January 13th, 2016 08:00

Glad to help.

At least the user community works where Dell support doesn't.

2 Posts

January 13th, 2016 08:00

Thanks Igor, your SSL Cipher suite works for me.
