8 Krypton

Chrome: "server has a weak ephemeral Diffie-Hellman public key"

From this morning onwards I am unable to use Chrome to connect with the Vplex management interface. Firefox displays the same error but may have been doing so longer.

Interestingly enough, I can connect fine with the Microsoft Edge browser.

Chrome: "server has a weak ephemeral Diffie-Hellman public key"

Firefox: "An error occurred during a connection to 10.1.0.28. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)"

I can, of course, work around this by disabling the cypher-suite check in Chrome/Firefox.

We are running the following version:

Product Version                  5.3.0.02.00.05  -
SMSv2                            D30.60.0.12.0   -
Mgmt Server Base                 D30.60.0.5      -
Mgmt Server Software             D30.60.0.16     -
Cluster Witness Server Software  D30.60.0.10     Built against GeoSynchrony version - 60.1.218.0-0

I am wondering if the default cypher-suites used by SSL in the webclient were updated in 5.4?

If so, I can push the customer to update to latest version for this reason.

0 Kudos
8 Replies
8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

Small update to this:

I have gone over the Release Notes for every patch since 5.3 came out, including 5.4, and I have not been able to find any comments in there relating to SSL, HTTP, the webserver, or cypher suite support changes.

I also found the Google Chromium post that announces the change:

http://blog.chromium.org/2015/07/chrome-45-beta-new-es2015-features.html

The logjam attack is fixed in this release by deprecating the use of keys smaller than 1024 bits in Diffie-Hellman key exchanges, which may require developers to update their server’s TLS configuration.

I have raised an SR #73929470 if anyone wants to reference it.

8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

I can confirm the same problem occurs in version 5.4.1.

0 Kudos
8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

Hi TheFluffyAdmin,

EMC Support and VPLEX Engineering are aware of the issue, and working to address it.

A KB article has been created (should be customer visible):

http://support.emc.com/kb/205564

VPlex: Unable to access the VPlex GUI (Unisphere) due to the error "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake

Seems to also be a problem for other EMC products as well.

Gary

8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

Yes, this issue applies to all GeoSynchrony code levels.

Gary

br56rt
6 Indium

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

I resolved Firefox security errors with information from a Mozilla support website - Is there anyway to fix a "Secure Connection Failed"?  Firefox works okay now.  However, having said that, it seems that IE is actually working with the VPLEX management interface quicker now since our upgrade to 5.3.

0 Kudos
8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

I have also confirmed this issue in the Chrome browser; however, I have no issues accessing VPLEX GUI 5.4.1 using IE 11.

0 Kudos
8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

Try using it on other ports without https.

0 Kudos
8 Krypton

Re: Chrome: "server has a weak ephemeral Diffie-Hellman public key"

In case you guys had not yet seen, this issue is resolved in 5.5, though it is not explicitly mentioned in the release notes.

https://support.emc.com/kb/205564

Permanent Fix: GeoSynchrony 5.5 and later versions contain the permanent fix for this issue due to use of a newer version of Java (java 1.8.0_11).

0 Kudos