3

Chrome seems to have released an update over the past week. This has caused at least 50 of our internal applications to throw the exception shown below. The solutions I have researched over the Internet, talk about updating the application server with a stronger cipher. However, our applications are spread out over IIS, tomcat, jboss, weblogic and websphere. Its not practical to expect all of these application servers to be updated. Is there no way to get Chrome to allow an "exception" for these sites ? Since these sites are all internal, the security is not really a concern.

Apparently, Firefox throws the same exception but there is a documented fix for that (by changing some settings in Firefox). Is anyone aware of a similar fix in Chrome.

Error

Server has a weak ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Maximillian Laumeister
  • 19,884
  • 8
  • 59
  • 78
user1074593
  • 446
  • 1
  • 9
  • 23

4 Answers4

3

I found a temporary workaround that should disable the security check in Chrome that is causing that error. It goes without saying that you do NOT want to use this while browsing the open web.

Try adding the following command argument to Chrome when you start it up:

--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

I found this solution at this google forum post. Hopefully it will help!

Maximillian Laumeister
  • 19,884
  • 8
  • 59
  • 78
1

While Maximillian's workaround might work for you at the moment, there is no supported way to add an exception. The only safe solution is to upgrade the servers, and a less fragile workaround might be to put better proxies right in front of some of the servers.

Lucas Garron
  • 46
  • 3
0

This problem I found because of the JDK version running on App Server.

If your weblogic/apache server running on java JRockit version "1.6.0_33" & "1.6.0_45" or below you will face this issue.

A solution is to upgrade java to higher version like "1.6.0_101" and higher and restart app server.

Jérémie Bertrand
  • 3,025
  • 3
  • 44
  • 53
Chinmay Sahoo - Consultant
  • 1
0

I've solved this problem without upgrading jrockit but configuring the ssl section like this

<ssl>
    <enabled>true</enabled>
    <hostname-verifier xsi:nil="true"></hostname-verifier>
    <hostname-verification-ignored>false</hostname-verification-ignored>
    <export-key-lifespan>500</export-key-lifespan>
    <client-certificate-enforced>false</client-certificate-enforced>
    <two-way-ssl-enabled>false</two-way-ssl-enabled>
    <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>
    <inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>
    <outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>
    <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
    <use-server-certs>false</use-server-certs>
    <jsse-enabled>true</jsse-enabled>
</ssl>

Can't tell you exactly whats makes the difference but it solved many different problems on SSL with chrome

Danh
  • 5,916
  • 7
  • 30
  • 45
Stefano Ghezzi
  • 37
  • 4