When I try to access a Windows 2012 R2 server using TSplus 8.3 from the browser using port 443 I get the following error in the web browser. I am using the default SSL certificate that comes with TSplus.
Secure Connection Failed
An error occurred during a connection to 64.141.100.106. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
What is needed to resolve this error? Can this be fixed by generating a new self-signed certificate, or do I need to purchase a commercial certificate?
Thanks,
Simon
Weak ephemeral Diffie-Hellman key
Re: Weak ephemeral Diffie-Hellman key
Hello,
You are correct, this means your browser detects a certificate that is not secure enough: weakdh.org/
You can connect using http:// instead of https:// to prevent this, or use your own custom SSL certificate: terminalserviceplus.com/docs/https-ssl-certificates-tutorial
Olivier
TSplus support team administrator

Re: Weak ephemeral Diffie-Hellman key
Hello,
Usually TSplus runs in compatibility mode; try also to create, in *Tsplusinstallation*\webserver\, a file named "tls.bin" with the following content:
SSLv3, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
Save this file and restart HTML5 via the GUI, then check whether it helped: it should activate TLS 1.1 and TLS 1.2, since using TLS 1.0 only seems to be the actual cause of your problem.
I hope it helps.
TSplus HTML5 and Java web engineer
Re: Weak ephemeral Diffie-Hellman key
Additionally, to get an A grade from SSL Labs (ssllabs.com) you can do the following.
In *Tsplusinstallation*\webserver\ locate the file "runwebserver.ini" and add the following options to the Java runtime environment.
-Djdk.tls.ephemeralDHKeySize=matched -Djdk.tls.rejectClientInitiatedRenegotiation=true
To get stronger algorithms like AES256 etc. you need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8" (oracle.com/technetwork/java/javase/downloads/index.html)
Remember, the cost of higher security is less compatibility with older browsers.
TSplus HTML5 and Java web engineer
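The browser error above says the ephemeral DH prime sent in the ServerKeyExchange message is too short, and the `-Djdk.tls.ephemeralDHKeySize=matched` option changes exactly that value. As an added example (not code from this thread or from TSplus), here is a small parser that reads the ServerDHParams out of a captured TLS ServerKeyExchange handshake message and reports the prime length, so an administrator can confirm the fix from a packet capture; the 1024-bit threshold is an assumption based on the minimum Firefox enforced after Logjam, and the messages are constructed placeholders, not real DH groups.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # TLS HandshakeType value


def _read_vector(buf, pos):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(msg):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a DHE ServerKeyExchange.
    Returns the three values as ints; the signature that follows is ignored."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, pos = _read_vector(body, 0)
    g, pos = _read_vector(body, pos)
    ys, pos = _read_vector(body, pos)
    return int.from_bytes(p, "big"), int.from_bytes(g, "big"), int.from_bytes(ys, "big")


def dh_strength(msg, minimum_bits=1024):
    """Return (prime_bits, acceptable): acceptable is False when the server's
    DH prime is shorter than minimum_bits (the assumed browser minimum)."""
    p, _, _ = parse_server_dh_params(msg)
    bits = p.bit_length()
    return bits, bits >= minimum_bits


def build_server_key_exchange(p, g, ys):
    """Constructed test helper: encode ServerDHParams plus a dummy TLS 1.2
    signature block into a ServerKeyExchange handshake message."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    sig = b"\x04\x01" + struct.pack(">H", 4) + b"\x00" * 4  # sha256/rsa, dummy bytes
    body = vec(p) + vec(g) + vec(ys) + sig
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: a 512-bit (export-grade length) prime and a 2048-bit one.
WEAK_MSG = build_server_key_exchange((1 << 511) | 1, 2, 12345)
OK_MSG = build_server_key_exchange((1 << 2047) | 1, 2, 12345)
```

Feed `dh_strength` the handshake bytes of a real ServerKeyExchange record (for example exported from a packet capture) to see the prime length the server actually negotiates.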
Re: Weak ephemeral Diffie-Hellman key
Thank you for your suggestions; however, none of them made any difference. Since we are planning to get certificates for the servers, this problem should be resolved when they are installed.
Simon
Re: Weak ephemeral Diffie-Hellman key
I do not know why these instructions did not work on our previous server but they did work on a new Windows 2012 Standard Server machine this week.
Thanks,
Simon