From this morning onwards I am unable to use Chrome to connect with the Vplex management interface. Firefox displays the same error but may have been doing so longer.
Interestingly enough, I can connect fine with the Microsoft Edge browser.
Chrome: "server has a weak ephemeral Diffie-Hellman public key"
Firefox: "An error occurred during a connection to 10.1.0.28. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)"
I can, of course, work around this by disabling the cipher-suite check in Chrome/Firefox.
We are running the following version:
Product Version 5.3.0.02.00.05 -
SMSv2 D188.8.131.52.0 -
Mgmt Server Base D184.108.40.206 -
Mgmt Server Software D220.127.116.11 -
Cluster Witness Server Software D18.104.22.168 Built against GeoSynchrony version - 22.214.171.124-0
I am wondering if the default cipher suites used by SSL in the web client were updated in 5.4?
If so, I can push the customer to update to latest version for this reason.
Small update to this:
I have gone over the Release Notes for every patch since 5.3 came out, including 5.4, and I have not been able to find any comments in there relating to SSL, HTTP, the webserver, or cipher suite support changes.
I also found the Google Chromium post that announces the change:
The logjam attack is fixed in this release by deprecating the use of keys smaller than 1024 bits in Diffie-Hellman key exchanges, which may require developers to update their server’s TLS configuration.
I have raised an SR #73929470 if anyone wants to reference it.
EMC Support and VPLEX Engineering are aware of the issue, and working to address it.
KB article has been created (should be customer visible)
VPlex: Unable to access the VPlex GUI (Unisphere) due to the error "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake
Seems to also be a problem for other EMC products as well.
I resolved Firefox security errors with information from a Mozilla support website - Is there anyway to fix a "Secure Connection Failed"? Firefox works okay now. However, having said that, it seems that IE is actually working with the VPLEX management interface quicker now since our upgrade to 5.3.
In case you guys had not yet seen, this issue is resolved in 5.5 though it is not explicitly mentioned in the release notes.
Permanent Fix: GeoSynchrony 5.5 and later versions contain the permanent fix for this issue due to use of a newer version of Java (java 1.8.0_11).
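Added example, not part of the thread and not EMC or browser code: a sketch of the size check behind the browser error, which parses the ServerDHParams at the start of a DHE ServerKeyExchange body and compares the prime length with the 1024-bit minimum named in the Chromium post. The function names and the sample byte strings are constructed for illustration.

```python
import struct

MIN_DH_BITS = 1024  # minimum named in the Chromium announcement quoted above

def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from a DHE ServerKeyExchange body
    (ServerDHParams, RFC 5246 section 7.4.3). Returns three integers."""
    values, off = [], 0
    for _ in range(3):
        raw, off = read_vec16(body, off)
        values.append(int.from_bytes(raw, "big"))
    return tuple(values)

def check_dh_strength(body, min_bits=MIN_DH_BITS):
    """Return (ok, bits); ok is False when the DH prime is shorter than min_bits."""
    p, _g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    return bits >= min_bits, bits

def build_body(p, g, ys):
    """Constructed sample input: encode three integers as TLS vectors."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

# Constructed values: only the modulus size matters here, these are not real primes.
WEAK_BODY = build_body((1 << 767) | 1, 2, 5)      # 768-bit modulus
STRONG_BODY = build_body((1 << 2047) | 1, 2, 5)   # 2048-bit modulus

if __name__ == "__main__":
    for name, body in (("weak", WEAK_BODY), ("strong", STRONG_BODY)):
        ok, bits = check_dh_strength(body)
        print(f"{name}: {bits}-bit DH modulus, {'accepted' if ok else 'rejected'}")
```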