frizzelljc
Copper

OpenManage has a weak ephemeral Diffie-Hellman public key

At least for my install on Windows 10 Pro 64-bit, OpenManage will not open in Chrome or Edge. Every time I try to open https://(pc name):1311, I get a "Server has a weak ephemeral Diffie-Hellman public key" error.

What am I doing wrong here?

(Trying to resolve almost the exact same issue as http://www.tomshardware.com/answers/id-2228632/perc-rebuild-array.html - a 2950 with a bad RAID drive, though mine are 300 GB rather than 72.)

walro
Copper

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

I've got this problem too, using Chrome 47 and OMSA 8.2.0. The option to set SSL Encryption to Auto Negotiate seems to be gone as of OMSA 8.2, so that trick does not work. I have tried tampering with SSL Ciphers and SSL Protocols, but I couldn't find a working combination. Anyone got any ideas?

Thanks!

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

Walro, you’re right, looks like 8.2 changed everything. I had my OMSA 8.1 set as I described earlier and then upgraded to 8.2.0, so I didn’t even notice. Unfortunately, now I can’t test a direct 8.2.0 install.

When I’m looking at my 8.2.0 settings after upgrade I see the following:

SSL Ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

SSL Protocol: TLSv1, TLSv1.1, TLSv1.2

Key Signing Algorithm: SHA1

For me it works with FF 43.0.3 64 bit, Chrome 47.0.2526.106 m 64 bit, IE 11 on Win 8.1 and Win 10, Edge.

Please try to set the same and test.

If you need stronger security, I’d suggest using only TLSv1.2; the other protocols are pretty old. Word of caution: I didn’t test it, and I would only do that if I accessed OMSA over the internet, which I’d NEVER do.

Also, it would be better to switch key signing to SHA256; soon most browsers will warn you about sites that use SHA1. This is tested and works with major browsers.

The settings I posted earlier for OMSA 8.1 worked with 7.4 for me also, if anyone needs it.

Happy Holidays!
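
The cipher list in the post above contains only ECDHE and static-RSA key exchange, so with it the server never offers a finite-field Diffie-Hellman key for the browser to reject. The following is an added example, not part of the original post and not Dell code, that audits such a list for DHE suites, suites without forward secrecy, and SHA-1 MACs. The function names and the second sample list are constructed for illustration.

```python
import re

# "SSL Ciphers" value quoted in the post above (OMSA 8.2.0 after upgrade).
POSTED = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
)
# Constructed sample (not from the thread) that includes a finite-field DHE suite.
CONSTRUCTED = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# TLS_<key exchange>_WITH_<cipher>_<hash>: IANA naming for TLS 1.0-1.2 suites.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<enc>[A-Z0-9_]+)_(?P<mac>SHA\d*|MD5)$"
)


def classify(name):
    """Split one suite name into key exchange, cipher and hash."""
    m = SUITE_RE.match(name.strip())
    if m is None:
        raise ValueError(f"unrecognised suite name: {name!r}")
    exchange = m["kx"].split("_")[0]  # ECDHE, DHE, DH, ECDH or RSA
    return {"name": name.strip(), "exchange": exchange,
            "enc": m["enc"], "mac": m["mac"]}


def audit(cipher_list):
    """Group the suites of a comma-separated list by the properties of interest."""
    report = {"dhe": [], "no_forward_secrecy": [], "sha1_mac": []}
    for raw in filter(None, (s.strip() for s in cipher_list.split(","))):
        suite = classify(raw)
        if suite["exchange"] == "DHE":
            # Finite-field ephemeral DH: the key exchange the browser error is about.
            report["dhe"].append(suite["name"])
        if suite["exchange"] not in ("ECDHE", "DHE"):
            # Static key exchange: recorded traffic is exposed if the key leaks.
            report["no_forward_secrecy"].append(suite["name"])
        if suite["mac"] == "SHA":
            # A bare "SHA" suffix means HMAC-SHA1.
            report["sha1_mac"].append(suite["name"])
    return report


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, audit(value))
```
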

Lapsap
Boron

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

It's good to have all these workarounds, but they are only good as a *temporary* solution.

So, what is the official position by DELL? Are they going to let users keep fiddling with the settings here and there? And they're not going to fix it, right?

walro
Copper

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

Thanks Igor, your SSL Cipher suite works for me.

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

Glad to help.

At least the user community works where Dell support doesn't.

TekkamanXP
Copper

RE: "weak ephemeral diffie-hellman key" error in FF39 prevents OMSA from being accessible

Thanks Igor. Your Cipher List worked perfectly with Firefox 44.0.2.

It connected via this specific SSL Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA