7 Replies Latest reply on Nov 3, 2015 7:13 PM by brian_spendolini-Oracle

    Error - Server has a weak ephemeral Diffie-Hellman public key

    SPS

      While opening the DBaas Monitor Console, I am getting the error - 'Server has a weak ephemeral Diffie-Hellman public key'. Though I am able to connect to the cloud Database without any issues.

      Regards,

      Samar

        • 1. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
          SPS

          I was using Google Chrome and got this error. I was initially misled by this error as I was not very confident about the public key.

          I however do not get it in Firefox.

          Cheers!!

          Samar

          • 2. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
            John Edward Scott

            Hi Samar,

            This is a change in the Google Chrome (and others) browser, essentially to plug a security hole in the Diffie-Hellman Key Exchange protocol.

            My understanding is that Google took the decision to prevent accepting ciphers which were susceptible to the security hole, which is great in one sense, but in doing that they rendered many sites inaccessible (until the website operators fixed the issue on their side).

            For us - this means (I believe) that we need to either -

            1) Use a different browser (such as IE), which has not yet blocked the affected keys

            2) Update the DBaaS console / Glassfish etc to not use those ciphers

            3) Wait for Oracle to fix and release new images

            I had a go at doing 2 last week and thought I had it working, but then found I'd broken it under certain circumstances - if I get it working I'll do a blog post on what I had to change.

            Hope this helps

            John

            --------------------------------------------

            Blog: http://jes.blogs.shellprompt.net

            Work: http://www.apex-evangelists.com

            • 3. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
              brian_spendolini-Oracle

              As the opc user:

              cd /u01/app/oracle/product/glassfish3/bin

              ./asadmin set 'configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers=+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA'

              ./asadmin set 'configs.config.server-config.network-config.protocols.protocol.sec-admin-listener.ssl.ssl3-tls-ciphers=+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA'

              Then bounce GlassFish using the dbaascli tool.

              Fixed by the end of the month in the new base images.
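The asadmin cipher list above sidesteps the browser check rather than strengthening the DH group: TLS_RSA_WITH_* suites use RSA key transport, so the server never sends ephemeral DH parameters and there is nothing for the browser to reject (at the cost of forward secrecy; the other fix is to serve a 2048-bit DH group). The Python below is an added example, not code from this thread or from Oracle/GlassFish. It shows what Chrome 45 and Firefox 39 actually examine when they raise this error (Chrome's ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY): the bit length of dh_p in the ServerKeyExchange message (RFC 5246 section 7.4.3), and which suites in a GlassFish-style "+A,+B" list would negotiate finite-field DHE at all. The DH values and the second cipher list are constructed samples.

```python
import struct

# Threshold Chrome 45 and Firefox 39 applied to finite-field DHE after Logjam:
# a ServerKeyExchange whose dh_p is shorter than this is rejected outright.
MIN_DH_BITS = 1024


def parse_server_dh_params(body: bytes) -> dict:
    """Parse the ServerDHParams prefix of a TLS 1.0-1.2 ServerKeyExchange
    body (RFC 5246 section 7.4.3): three opaque<1..2^16-1> vectors dh_p,
    dh_g and dh_Ys. Any signature that follows them is ignored."""
    fields = {}
    off = 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of dh_{name}")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError(f"bad length {length} for dh_{name}")
        fields[name] = int.from_bytes(body[off:off + length], "big")
        off += length
    fields["p_bits"] = fields["p"].bit_length()
    return fields


def dh_group_is_weak(body: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """True when a browser applying the post-Logjam rule would refuse this
    ServerKeyExchange: p too short, or a public value Ys outside (1, p-1)."""
    params = parse_server_dh_params(body)
    if not 1 < params["Ys"] < params["p"] - 1:
        return True
    return params["p_bits"] < min_bits


def key_exchange_of(suite: str) -> str:
    """Key-exchange part of an IANA suite name, e.g. 'RSA', 'DHE_RSA',
    'ECDHE_ECDSA'. Leading '+'/'-' (GlassFish enable/disable markers) are dropped."""
    name = suite.strip().lstrip("+-")
    if name.startswith("TLS_"):
        name = name[len("TLS_"):]
    return name.split("_WITH_")[0]


def uses_ephemeral_dh(suite: str) -> bool:
    """Finite-field DHE (including anonymous DH) is what the browser check
    covers; ECDHE and plain RSA key transport send no dh_p at all."""
    kx = key_exchange_of(suite)
    return kx.startswith("DHE_") or kx == "DH_anon"


def suites_affected_by_dh_check(cipher_list: str) -> list:
    """Enabled suites in a GlassFish-style '+A,+B,-C' list that would
    negotiate finite-field DHE, and so depend on the server's DH group size."""
    affected = []
    for token in cipher_list.split(","):
        token = token.strip()
        if not token or token.startswith("-"):
            continue
        if uses_ephemeral_dh(token):
            affected.append(token.lstrip("+"))
    return affected


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob (used here only to construct test input)."""
    def vec(n: int) -> bytes:
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)


# Constructed sample moduli: only the bit length matters for the browser
# check, so these are placeholders, NOT real DH groups (not even prime).
WEAK_P = (1 << 511) | 1    # 512-bit, the export-grade size Logjam targeted
OK_P = (1 << 2047) | 1     # 2048-bit
SAMPLE_WEAK = encode_server_dh_params(WEAK_P, 2, 12345)
SAMPLE_OK = encode_server_dh_params(OK_P, 2, 12345)

# The exact cipher list from the asadmin commands in this thread: RSA key
# transport only, so no DHE exchange occurs and the browser check never fires.
THREAD_CIPHER_LIST = "+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA"
# Constructed list mixing DHE, ECDHE and RSA suites for comparison.
MIXED_CIPHER_LIST = ("+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
                     "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                     "+TLS_RSA_WITH_AES_128_CBC_SHA")

if __name__ == "__main__":
    print("512-bit group rejected:", dh_group_is_weak(SAMPLE_WEAK))
    print("2048-bit group rejected:", dh_group_is_weak(SAMPLE_OK))
    print("DHE suites in the thread's list:", suites_affected_by_dh_check(THREAD_CIPHER_LIST))
    print("DHE suites in the mixed list:", suites_affected_by_dh_check(MIXED_CIPHER_LIST))
```

Against a live server the same question is answered by `openssl s_client -connect host:port -cipher DHE` and reading the "Server Temp Key" line; a DH group of fewer than 1024 bits there is what Chrome turns into this error.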

              • 4. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
                jschrap

                The above fix does work.

                Just one note:

                bounce glassfish using the dbaascli tool - with user root only.

                Otherwise error:

                -bash-4.1$ dbaascli glassfish stop

                mkdir: cannot create directory `/var/opt/oracle/log/dbaascli/': Permission denied

                DBAAS CLI version 1.0.0

                Executing command glassfish stop

                Unable to run command. This command should be run as user: oracle or root. Currently: opc

                dbaascli glassfish stop and start commands appear to work under root, but dbaascli glassfish status fails:

                bash-4.1# dbaascli glassfish status

                DBAAS CLI version 1.0.0

                Executing command glassfish status

                Calculating the status and metrics:

                Authentication failed for user: admin

                with password from password file: /u01/app/oracle/product/glassfish3/bin/statuspwd.txt

                (Usually, this means invalid user name and/or password)

                Authentication failed for user: admin

                with password from password file: /u01/app/oracle/product/glassfish3/bin/statuspwd.txt

                (Usually, this means invalid user name and/or password)

                domain1 running

                Command list-domains executed successfully.

                Command list-http-listeners failed.

                Command uptime failed.

                I wonder what the reason is for using the dbaascli tool instead of bouncing via init.d?

                /etc/init.d/glassfish start/stop/restart

                • 5. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
                  John Edward Scott

                  Running it as the Oracle user worked for me -

                  [oracle@OC1 ~]$ dbaascli glassfish stop

                  DBAAS CLI version 1.0.0

                  Executing command glassfish stop

                  Starting the GlassFish domain1

                  Environment variable GLASSFISH_HOME not set

                  Waiting for the domain to stop ..

                  Command stop-domain executed successfully.

                  [oracle@OC1 ~]$ dbaascli glassfish start

                  DBAAS CLI version 1.0.0

                  Executing command glassfish start

                  Starting the GlassFish domain1

                  Environment variable GLASSFISH_HOME not set

                  Waiting for domain1 to start ...........

                  Successfully started the domain : domain1

                  domain  Location: /u01/app/oracle/product/glassfish3/glassfish/domains/domain1

                  Log File: /u01/app/oracle/product/glassfish3/glassfish/domains/domain1/logs/server.log

                  Admin Port: 4848

                  Command start-domain executed successfully.

                  • 6. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
                    user444805-Oracle

                    In Firefox:

                    Go to about:config

                    Search for

                    security.ssl3.dhe_rsa_aes_128_sha and

                    security.ssl3.dhe_rsa_aes_256_sha

                    and change them to false.

                    • 7. Re: Error - Server has a weak ephemeral Diffie-Hellman public key
                      brian_spendolini-Oracle

                      DO NOT ALTER THE SECURITY SETTINGS IN YOUR BROWSER

                      This is a VERY bad idea for it opens you up to multiple attack vectors.

                      I have given you the solution and can provide a UI way as well if needed.