Weak ephemeral Diffie-Hellman key

Posted: Wed Oct 07, 2015 1:53 pm
by dcipher
When I try to access a Windows 2012 R2 server using TSplus 8.3 from the browser using port 443, I get the following error in the web browser. I am using the default SSL certificate that comes with TSplus.

Secure Connection Failed

An error occurred during a connection to 64.141.100.106. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

What is needed to resolve this error? Can this be fixed by generating a new self-signed certificate, or do I need to purchase a commercial certificate?

Thanks,
Simon

Re: Weak ephemeral Diffie-Hellman key

Posted: Wed Oct 07, 2015 3:48 pm
by admin
Hello,

You are correct, this means your browser detects a certificate that is not secure enough: weakdh.org/
You can connect using http:// instead of https:// to prevent this, or use your own custom SSL certificate: terminalserviceplus.com/docs/https-ssl-certificates-tutorial

Re: Weak ephemeral Diffie-Hellman key

Posted: Wed Oct 07, 2015 5:47 pm
by juwagn
Hello,

Usually TSplus runs in compatibility mode. Also try creating a file named "tls.bin" in *Tsplusinstallation*\webserver\ with the following content:
SSLv3, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,

Save this file and restart HTML5 via the GUI, then check whether it helped, because it should activate TLS 1.1 and TLS 1.2; using TLS 1.0 only seems to be the actual cause of your problem.
Also, I hope it helps.

Re: Weak ephemeral Diffie-Hellman key

Posted: Wed Oct 07, 2015 6:06 pm
by juwagn
Additionally, to get an A grade from SSL Labs (ssllabs.com), you can do the following.
In *Tsplusinstallation*\webserver\, locate the file "runwebserver.ini" and add the following commands to the Java runtime environment.
-Djdk.tls.ephemeralDHKeySize=matched -Djdk.tls.rejectClientInitiatedRenegotiation=true

To get stronger algos like AES256 etc., you need to install "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8" (oracle.com/technetwork/java/javase/downloads/index.html).

Remember, at the cost of higher security you get less compatibility with older browsers.
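
Added example (not part of the thread and not TSplus or Java code): the browser error refers to the size of the Diffie-Hellman prime the server sends in its ServerKeyExchange message, so after changing `jdk.tls.ephemeralDHKeySize` that size can be checked directly from a captured handshake. The sketch below parses the RFC 5246 `ServerDHParams` layout; the function names, the 2048-bit default threshold and the constructed sample messages are assumptions for illustration.

```python
import struct

SERVER_KEY_EXCHANGE = 12  # handshake message type (RFC 5246)

def _vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:off + 2 + n], off + 2 + n

def dh_prime_bits(msg):
    """Bit length of dh_p in a DHE ServerKeyExchange handshake message.

    Assumes the negotiated suite is DHE_*; ECDHE uses a different layout.
    """
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated message body")
    p, off = _vec16(body, 0)      # dh_p: the prime modulus
    _g, off = _vec16(body, off)   # dh_g: the generator
    _ys, off = _vec16(body, off)  # dh_Ys: server public value
    # The signature that follows dh_Ys is not needed for a size check.
    return int.from_bytes(p, "big").bit_length()

def classify(msg, min_bits=2048):
    """min_bits is an assumed policy threshold, not a value from the thread."""
    bits = dh_prime_bits(msg)
    return bits, "ok" if bits >= min_bits else "weak"

def build_sample(p_len):
    """Constructed message with filler values (not a real prime or signature)."""
    fields = (b"\xff" * p_len, b"\x02", b"\x01" * p_len)
    body = b"".join(struct.pack(">H", len(f)) + f for f in fields) + b"\x00" * 8
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (96, 128, 256):  # 768-, 1024- and 2048-bit moduli
        print(classify(build_sample(size)))
```

The input is the handshake message itself, starting at its type byte, with the 5-byte TLS record header already removed.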

Re: Weak ephemeral Diffie-Hellman key

Posted: Thu Oct 08, 2015 2:15 pm
by dcipher
Thank you for your suggestions; however, none of them made any difference. So, since we are planning to get certificates for the servers, this problem should be resolved when they are installed.

Simon

Re: Weak ephemeral Diffie-Hellman key

Posted: Fri Nov 06, 2015 3:29 pm
by dcipher
I do not know why these instructions did not work on our previous server, but they did work on a new Windows 2012 Standard Server machine this week.

Thanks,
Simon