Firefox 39 - Secure Connection Failed - weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message

2

As of Firefox 39, connecting to an old administrative interface for some third party software gave the following message:

Secure Connection Failed

An error occurred during a connection to backup.trinetsolutions.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

sa289

Posted 2015-07-19T20:04:56.677

Reputation: 313

1

I had the same issue: http://superuser.com/a/940887/21149 (Depending on the server you connect to, the solution I got may work for you as well.)

– ytg – 2015-07-30T13:24:00.773

1

@ytg - that worked for me and is a far better solution than what I published. Do you want to post it on this question too? – sa289 – 2015-07-30T15:52:04.943

Answers

2

Depending on the software, an upgrade may not be necessary.

I had this issue as well. In my case, the application was using Tomcat and I was able to change config settings in the server.xml file. I found the solution here.

To quote the relevant portion:

Tomcat has several weak ciphers enabled by default. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and disable weak ciphers by following these instructions. Open your server.xml file and add the following to your SSL connector:

<Connector port="443" maxHttpHeaderSize="8192" address="127.0.0.1"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" SSLEnabled="true"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           keystoreFile="mydomain.key" keystorePass="changeit"
           truststoreFile="mytruststore.truststore" truststorePass="changeit" />

In my situation, the only part that I had to modify in the server.xml file was the ciphers="..." portion.

After you do this, restart your application.

Doug R.

Posted 2015-07-19T20:04:56.677

Reputation: 121
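
An added example, not part of the answer above or of Tomcat itself: a small Python audit that reads a server.xml and reports which TLS connectors still offer finite-field DH suites (the key exchange behind the Firefox error), RC4 or export suites, or set no ciphers attribute at all. The sample XML is constructed, `audit_connectors` and `CHECKS` are names chosen for this example, and it assumes TLS connectors are marked with SSLEnabled="true" as in the quoted configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one connector still offers finite-field DHE and RC4 suites.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_RC4_128_SHA" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""

# Suite-name patterns and the reason each one is flagged.
CHECKS = [
    (re.compile(r"^(TLS|SSL)_DHE?_"), "finite-field DH key exchange"),
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_EXPORT_"), "export-grade suite"),
]

def audit_connectors(server_xml):
    """Return {port: [(suite, reason), ...]} for every TLS-enabled Connector."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        port = conn.get("port")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list: the server defaults apply and need review.
            findings[port] = [("<default cipher list>", "no ciphers attribute set")]
            continue
        # The attribute may span several lines; split on commas and trim.
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        findings[port] = [(s, why) for s in suites
                          for pat, why in CHECKS if pat.search(s)]
    return findings

if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        for suite, why in issues:
            print(f"port {port}: {suite}: {why}")
```

Run against the connector quoted in the answer, it reports no finite-field DH suites and flags only the two RC4 entries.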

1

I wanted to let people know a workaround to this as upgrading old software isn't always a possibility. You can install Fiddler and in the options enable decrypting of HTTPS traffic. Then access the site with Fiddler running. Fiddler will proxy the traffic for you and Firefox will think everything is fine (other than warning about the SSL certificate created by Fiddler to do its man-in-the-middle SSL proxying, but it lets you bypass that warning).

The drawback to this is that Firefox is giving this warning for a reason, so only use this if the security risks are outweighed by the benefits. You could also use a different browser (though in my case the site worked best with Firefox), or you could install a portable / standalone version of Firefox that's an older version and use it solely for accessing that site (i.e. don't access other websites since it will be lacking security updates present in the latest version of Firefox).

sa289

Posted 2015-07-19T20:04:56.677

Reputation: 313