Introduction
Firefox 39 (ETA 30th June) and Chrome 45 (ETA sometime in late August) introduce new security checks which block access to websites that still use older, weak cipher suites, such as those relying on the default ephemeral Diffie-Hellman (DHE) key exchange.
This can prevent access to the CaféX WBF (Web Plugin Framework): e.g. when you browse to https://your-server:8443/web_plugin_framework/webcontroller/ you get an error similar to:
Server has a weak, ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Note: This will also affect service URLs that are not behind a reverse proxy, e.g. services hosted in AWS with no reverse proxy protecting them.
Solution
Remove the older cipher keys from the cipher suites used by FAS.
1. Make a backup of your fas.properties file
- cd /opt/cafex/FAS-2.1*/domain/configuration
- cp fas.properties fas.bak-<date>
2. Edit fas.properties and remove the weak encryption ciphers
- vi fas.properties and make the following changes to the jsse cipher suites:
Before:
jsse.cipher.suites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
After:
jsse.cipher.suites=SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
3. Restart FAS from the command line
- service fas restart
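The following Python script is an added example, not part of this article and not CaféX's own tooling. It automates steps 1 and 2 above: it backs up a properties file, strips the weak suites from the jsse.cipher.suites line, and reports which suites were dropped and why. The property key and the file path are taken from the article; the markers used to recognise weak suites (DHE, anonymous DH, RC4, MD5) are this example's own choice, and the constructed sample below is the article's "Before" line, so running it reproduces the article's "After" line.

```python
import re
from pathlib import Path

# Property key from the article; its value is a comma-separated list of JSSE cipher suite names.
PROPERTY_KEY = "jsse.cipher.suites"

# Substrings that identify the suites to drop, with the reason reported for each.
# Assumption of this example: DHE is what triggers ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
# anonymous DH, RC4 and MD5 are removed as well because browsers are dropping them too.
WEAK_MARKERS = {
    "_DHE_": "ephemeral DH with weak default parameters (ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY)",
    "_DH_anon_": "anonymous DH (unauthenticated key exchange)",
    "_RC4_": "RC4 stream cipher",
    "_MD5": "MD5 MAC",
}


def classify_suite(suite):
    """Return the reason a suite is considered weak, or None if it should be kept."""
    for marker, reason in WEAK_MARKERS.items():
        if marker in suite:
            return reason
    return None


def filter_cipher_suites(value):
    """Split a comma-separated suite list and drop the weak suites.

    Returns (kept_suites, removed) where removed maps suite name -> reason.
    """
    kept, removed = [], {}
    for suite in (s.strip() for s in value.split(",")):
        if not suite:
            continue
        reason = classify_suite(suite)
        if reason is None:
            kept.append(suite)
        else:
            removed[suite] = reason
    return kept, removed


# Matches "jsse.cipher.suites=..." (or "key: value", also legal in Java properties).
_LINE_RE = re.compile(
    r"^([ \t]*" + re.escape(PROPERTY_KEY) + r"[ \t]*[=:][ \t]*)(.*)$", re.M
)


def rewrite_properties(text):
    """Rewrite the jsse.cipher.suites line in a properties file body.

    Returns (new_text, removed). Every other line is left untouched.
    """
    removed_all = {}

    def _sub(match):
        kept, removed = filter_cipher_suites(match.group(2))
        removed_all.update(removed)
        return match.group(1) + ",".join(kept)

    return _LINE_RE.sub(_sub, text), removed_all


def remaining_weak_suites(text):
    """Post-edit check: list any weak suites still present in the property value."""
    match = _LINE_RE.search(text)
    if match is None:
        return []
    return [s.strip() for s in match.group(2).split(",") if classify_suite(s.strip())]


def harden_file(path, backup_suffix):
    """Step 1 + step 2: copy the file to <name><backup_suffix>, then rewrite it in place."""
    p = Path(path)
    original = p.read_text()
    p.with_name(p.name + backup_suffix).write_text(original)
    new_text, removed = rewrite_properties(original)
    p.write_text(new_text)
    return removed


# Constructed sample: the article's "Before" line plus an unrelated key that must survive untouched.
SAMPLE_PROPERTIES = """# constructed sample fas.properties
some.other.key=value
jsse.cipher.suites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    # Dry run on the constructed sample; for the real file use
    # harden_file("/opt/cafex/FAS-2.1*/domain/configuration/fas.properties", ".bak-<date>")
    # with the glob and <date> placeholder resolved, then restart FAS.
    new_text, removed = rewrite_properties(SAMPLE_PROPERTIES)
    for suite, reason in removed.items():
        print(f"removed {suite}: {reason}")
    print(new_text)
    print("weak suites remaining:", remaining_weak_suites(new_text))
```

Run it once as a dry run against a copy of fas.properties and read the "removed" list before pointing harden_file at the live file; remaining_weak_suites should come back empty afterwards, and FAS still needs the restart from step 3.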