At the company where I work we have a GF 3.1.1 server (JDK 6) with CAS authentication of the users in the system. After the last update of Firefox (v. 39.x) we are getting the following information in the browser:
mydomain.com: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
And it is not possible to access the site without this workaround or using another browser. In Chrome I can access it, and the connection properties say:
Your connection is encrypted with obsolete cryptography.
The connection uses TLS 1.0.
The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
I can't configure the browsers of our customers or make them use Chrome. Maybe in the future Chrome will do the same. The solution is to configure the server properly. The problem is that I don't know how to do that.
I found that in GF I can do the configuration in configurations > server-config > network config > protocols > http-listner-2 > ssl
Then I found here a blacklist and a whitelist of ciphers recommended for use. I tried to remove the ones in the blacklist and put in the ones in the whitelist. I still have the issue. I think the list may be out of date.
I would appreciate any help.
Finally, I found a solution. I searched a lot to find a solution, and I tried testing the ciphers one by one. So, this works (I am not saying it is the right way). I did this:
At:
configurations > server-config > network config > protocols > http-listner-2 > ssl
- add ciphers available
- remove diffie-hellman ciphers
- save
After that, our application can be opened in the browser again. I hope this may help someone.
For admin:
configurations > server-config > service http > listeners http > admin-listner > ssl
- add ciphers available
- remove diffie-hellman ciphers
- save
- restart
Edit: comparing with the whitelist here, the remaining ciphers that are part of the new whitelist are:
Whitelist
- TLS_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
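
The "remove Diffie-Hellman ciphers" step from the answer above, as an added example that is not part of the original post: it parses JSSE-style suite names and separates the finite-field DH key exchanges from the rest. The suite list is constructed sample input, the function names are hypothetical, and keeping ECDHE suites is an assumption (the browser error concerns finite-field ephemeral DH keys).

```python
import re

# Key-exchange tokens that use finite-field Diffie-Hellman (ephemeral, static
# or anonymous). ECDHE/ECDH are elliptic-curve and are deliberately not listed
# (assumption: only finite-field DH triggers the browser error on the page).
FFDH_KEX = {"DHE_RSA", "DHE_DSS", "DH_RSA", "DH_DSS", "DH_ANON"}

# JSSE names look like <TLS|SSL>_<key exchange>_WITH_<cipher>_<mac>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kex>.+?)_WITH_", re.IGNORECASE)


def key_exchange(suite):
    """Return the upper-cased key-exchange token of a suite name, or None."""
    m = SUITE_RE.match(suite.strip())
    if not m:
        return None  # signalling values such as ..._SCSV have no _WITH_ part
    kex = m.group("kex").upper()
    # Export suites append _EXPORT to the key exchange (DHE_RSA_EXPORT).
    return kex[:-len("_EXPORT")] if kex.endswith("_EXPORT") else kex


def split_suites(enabled):
    """Split suite names into (kept, removed); removed = finite-field DH."""
    kept, removed = [], []
    for suite in enabled:
        (removed if key_exchange(suite) in FFDH_KEX else kept).append(suite)
    return kept, removed


# Constructed sample: suites of the kind an older JSSE listener may offer.
ENABLED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",   # the suite Chrome reported
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    kept, removed = split_suites(ENABLED)
    print("keep in the listener's cipher list:")
    for s in kept:
        print("  +", s)
    print("remove (finite-field DH key exchange):")
    for s in removed:
        print("  -", s)
```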