Secure Connection Failed
An error occurred during a connection to www.karchan.org:4848. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Apparently it is related to a possible LogJam attack6.An error occurred during a connection to www.karchan.org:4848. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Workaround
Of course, there is a workaround for Firefox2, but that is not what we should do. But for completeness, I'll provide it here:Workaround for Firefox 39 and above:
- In FireFox, enter "about:config" in the URL field and press enter.
- Accept the "This might void your warranty!" warning :)
- In the search field at the top, enter "security.ssl3.dhe_rsa_aes"
- Double click each result (128 and 256) to toggle the Value to "false"
Ciphers
The reason I got this message, was that the server and the client (browser) could not agree on a sufficiently good cipher for the SSL connection. The new version of Glassfish has this solved, because of the extra ciphers it has added3.If you look at the Appendix below, you immediately notice that the new ciphers all make use of Elliptic-Curve Diffie-Hellman Key Exchange, instead of normal Diffie-Hellman. It seems to be a great deal more secure and doesn't suffer from the Logjam weakness6.
Although it seems unnecessary, you could remove the weak ciphers from GlassFish, to prevent a loophole.5.
Appendix A. Available Ciphers
Glassfish 4.0 (build 89) | Glassfish 4.1 (build 13) |
---|---|
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | SSL_DH_anon_WITH_3DES_EDE_CBC_SHA |
SSL_DH_anon_WITH_DES_CBC_SHA | SSL_DH_anon_WITH_DES_CBC_SHA |
SSL_DH_anon_WITH_RC4_128_MD5 | SSL_DH_anon_WITH_RC4_128_MD5 |
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
SSL_DHE_DSS_WITH_DES_CBC_SHA | SSL_DHE_DSS_WITH_DES_CBC_SHA |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA |
SSL_DHE_RSA_WITH_DES_CBC_SHA | SSL_DHE_RSA_WITH_DES_CBC_SHA |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | SSL_RSA_EXPORT_WITH_DES40_CBC_SHA |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | SSL_RSA_EXPORT_WITH_RC4_40_MD5 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | SSL_RSA_WITH_3DES_EDE_CBC_SHA |
SSL_RSA_WITH_DES_CBC_SHA | SSL_RSA_WITH_DES_CBC_SHA |
SSL_RSA_WITH_NULL_MD5 | SSL_RSA_WITH_NULL_MD5 |
SSL_RSA_WITH_NULL_SHA | SSL_RSA_WITH_NULL_SHA |
SSL_RSA_WITH_RC4_128_MD5 | SSL_RSA_WITH_RC4_128_MD5 |
SSL_RSA_WITH_RC4_128_SHA | SSL_RSA_WITH_RC4_128_SHA |
TLS_DH_anon_WITH_AES_128_CBC_SHA | TLS_DH_anon_WITH_AES_128_CBC_SHA |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | TLS_DH_anon_WITH_AES_128_CBC_SHA256 |
TLS_DH_anon_WITH_AES_256_CBC_SHA | TLS_DH_anon_WITH_AES_256_CBC_SHA |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | TLS_DH_anon_WITH_AES_256_CBC_SHA256 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | |
TLS_ECDH_anon_WITH_NULL_SHA | |
TLS_ECDH_anon_WITH_RC4_128_SHA | |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | |
TLS_ECDH_RSA_WITH_NULL_SHA | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | |
TLS_ECDHE_RSA_WITH_NULL_SHA | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | TLS_EMPTY_RENEGOTIATION_INFO_SCSV |
TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLS_RSA_WITH_NULL_SHA256 | TLS_RSA_WITH_NULL_SHA256 |
References
- [1] StackOverflow - GF4 how to config security protocol to work with firefox v 39x
- http://stackoverflow.com/questions/31346501/gf3-how-to-config-security-protocol-to-work-with-firefox-v-39x
- [2] Mozilla - Questions & Answers
- https://support.mozilla.org/pt-BR/questions/1066238#answer-738971
- [3] GlassFish Server Open Source Edition Security Guide Release 4.0
- https://glassfish.java.net/docs/4.0/security-guide.pdf
- [4] GlassFish Server Open Source Edition Administration Guide Release 4.0
- https://glassfish.java.net/docs/4.0/administration-guide.pdf
- [5] ServerFault - Disable support for LOW encryption ciphers for glassfish port no 3920
- http://serverfault.com/questions/614791/disable-support-for-low-encryption-ciphers-for-glassfish-port-no-3920
- [6] Weak Diffie-Hellman and the Logjam Attack
- https://weakdh.org/
No comments:
Post a Comment