000031144 - Unable to access the RSA Security Analytics UI after updating Google Chrome to version 45

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 14, 2017.
Version 3

Article Number: 000031144
Applies To:
  RSA Product Set: Security Analytics
  RSA Product/Service Type: Security Analytics UI, Security Analytics Server
  RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x
  Platform: CentOS
  Platform (Other): Google Chrome
  O/S Version: EL5, EL6
Issue
After upgrading to Google Chrome version 45.0.2454.85 m, attempting to access the Security Analytics UI displays the following error, which cannot be bypassed:
    Server has a weak ephemeral Diffie-Hellman public key
    ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Cause
A change introduced in Google Chrome version 45 and above prevents access to servers that present a weak ephemeral Diffie-Hellman public key. More information about this change can be found on the Chromium Projects website.
Resolution
This issue will be resolved in Security Analytics 10.4.1.3. The issue is also not present in Security Analytics 10.5.x.
Workaround
Two workarounds, listed below, can be applied to resolve the issue until the permanent fix is available.

Workaround 1: Disable all SSL/TLS cipher suites that use an ephemeral Diffie-Hellman key in the jetty-ssl.xml configuration file. (This option may prevent older browsers from accessing the Security Analytics UI.)
  1. Connect to the Security Analytics server appliance via SSH as the root user.
  2. Stop the Jetty service with the command below.
    stop jettysrv

  3. Create a backup of the existing jetty-ssl.xml configuration file.
    cp /opt/rsa/jetty9/etc/jetty-ssl.xml /opt/rsa/jetty9/etc/jetty-ssl.xml.bak

  4. Edit the appropriate jetty-ssl.xml configuration file with the vi editor using one of the commands below.
    • Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1: Issue the command below.
      vi /opt/rsa/jetty9/etc/jetty-ssl.xml

    • Security Analytics 10.4.0.2 and above: Issue the command below.
      vi /etc/puppet/modules/saserver/files/jetty-ssl.xml

  5. Replace the "ExcludeCipherSuites" section of the jetty-ssl.xml file with the lines below and save the changes.
    See the "Notes" section below for an example of the file before and after the change.
      <Set name="ExcludeCipherSuites">
        <Array type="String">
          <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
          <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
          <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
          <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
          <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
          <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>TLS_DH_anon_WITH_AES_256_GCM_SHA384</Item>
          <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item>
          <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
          <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item>
          <Item>SSL_RSA_WITH_NULL_SHA</Item>
          <Item>SSL_RSA_WITH_NULL_MD5</Item>
          <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
          <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
          <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
          <Item>TLS_RSA_WITH_NULL_SHA256</Item>
          <Item>SSL_NULL_WITH_NULL_NULL</Item>
          <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
          <Item>TLS_DH_DSS_WITH_DES_CBC_SHA</Item>
          <Item>TLS_DH_RSA_WITH_DES_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>TLS_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_SEED_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</Item>
        </Array>
      </Set>

      <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
          <Item>SSLv3</Item>
        </Array>
      </Set>

  6. Start the Jetty service again so that the changes take effect.
    • Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1: Issue the command below to start the Jetty service.
      start jettysrv

    • Security Analytics 10.4.0.2 and above: Restart the puppetmaster service with the command below, which will also restart the Jetty service.
      service puppet restart
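Once the service is back up, it is worth confirming that the edit actually excluded every cipher suite that negotiates a finite-field Diffie-Hellman key, since the browser error only tells you the first suite Chrome objected to. The script below is an added example written for this article; it is not code from the RSA article or from the Security Analytics product. It assumes the Jetty XML layout shown in step 5 (a `<Set name="ExcludeCipherSuites">` and a `<Set name="ExcludeProtocols">`, each holding an `<Array>` of `<Item>` elements). The XML excerpt and the list of enabled suites embedded in it are constructed samples, not output from an appliance, and the script name `check_jetty_dh.py` is hypothetical.

```python
"""Post-change check for a Jetty jetty-ssl.xml: list the enabled cipher suites
that still negotiate a finite-field Diffie-Hellman key (DHE, static DH or
DH_anon) after the ExcludeCipherSuites edit, and confirm SSLv3 is excluded.

Added example; not code from the RSA article or the Security Analytics
product. Assumes the Jetty XML layout the article shows. The XML excerpt and
the enabled-suite list below are constructed samples, not appliance output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt in the article's layout; a real file carries more settings.
SAMPLE_JETTY_SSL_XML = """\
<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
      </Array>
    </Set>
    <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Constructed (hypothetical) sample of suites a JVM might enable by default.
SAMPLE_ENABLED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
]

# Java suite names that negotiate a finite-field DH key: ephemeral (DHE_*),
# static (DH_RSA_*, DH_DSS_*) or anonymous (DH_anon_*). The article's exclude
# list covers all three, so the check matches all three. Elliptic-curve
# ECDHE_*/ECDH_* suites deliberately do not match: Chrome's
# ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY concerns the finite-field DHE key.
FFDH_SUITE_RE = re.compile(r"^(SSL|TLS)_DH(E|_anon|_RSA|_DSS)_")


def _items_under_set(xml_text, set_name):
    """Collect <Item> texts under every <Set name=set_name> in the document."""
    root = ET.fromstring(xml_text)
    found = set()
    for node in root.iter("Set"):
        if node.get("name") == set_name:
            found.update(item.text.strip() for item in node.iter("Item") if item.text)
    return found


def excluded_suites(xml_text):
    """Names listed under <Set name="ExcludeCipherSuites">."""
    return _items_under_set(xml_text, "ExcludeCipherSuites")


def excluded_protocols(xml_text):
    """Names listed under <Set name="ExcludeProtocols">."""
    return _items_under_set(xml_text, "ExcludeProtocols")


def remaining_dh_suites(xml_text, enabled_suites):
    """Enabled suites that use finite-field DH and are not excluded, sorted."""
    excluded = excluded_suites(xml_text)
    return sorted(s for s in enabled_suites
                  if FFDH_SUITE_RE.match(s) and s not in excluded)


def report(xml_text, enabled_suites):
    """Print a summary; return True only when no DH suite remains and SSLv3 is off."""
    leftovers = remaining_dh_suites(xml_text, enabled_suites)
    sslv3_off = "SSLv3" in excluded_protocols(xml_text)
    for name in leftovers:
        print("still enabled, uses finite-field DH:", name)
    print("SSLv3 excluded:", sslv3_off)
    return not leftovers and sslv3_off


if __name__ == "__main__":
    import sys
    # Usage: python check_jetty_dh.py [/path/to/jetty-ssl.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JETTY_SSL_XML
    sys.exit(0 if report(text, SAMPLE_ENABLED_SUITES) else 1)
```

Run it against the backup taken in step 3 and then against the edited file to see the difference; on the constructed sample it reports two DHE suites still enabled and exits non-zero. Replace `SAMPLE_ENABLED_SUITES` with the suite list the appliance's JVM actually offers, because default names vary between Java versions. This is a configuration-level check only: it does not replace watching the live handshake with a TLS client after the restart.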

       
Workaround 2: Specify Google Chrome launch parameters to blacklist specific cipher suites. (Windows)
  1. Right-click on the shortcut used to access Google Chrome and select Properties.
  2. On the Shortcut tab, append the line below to the end of the value in the Target field.
    --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

  3. Click on the Apply button, followed by the OK button.
  4. Double-click on the shortcut to launch Google Chrome with the modified parameters.
Making this change blacklists the cipher suites related to the Logjam vulnerability, but does not disable those that are needed to access the Security Analytics UI.
Notes
Modifying the Jetty web server configuration (Workaround 1) is the recommended workaround, as it resolves the issue for all browsers (i.e. Google Chrome, Mozilla Firefox, etc.) and for all users, whereas the second workaround must be applied in every user's environment and the related Firefox issue will continue to occur.
For more information regarding the related issue in Firefox, refer to the article entitled Unable to browse to the RSA Security Analytics UI using Firefox due to the following error: "Error code: ssl_error_weak_server_ephemeral_dh_key".
