Article Number | 000031144 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics UI, Security Analytics Server RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x Platform: CentOS Platform (Other): Google Chrome O/S Version: EL5, EL6 |
Issue | After upgrading to Google Chrome version 45.0.2454.85 m, attempting to access the Security Analytics UI displays the following error, which cannot be bypassed:
Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
|
Cause | A change was introduced in Google Chrome version 45 and above that prevents access to servers with weak ephemeral Diffie-Hellman public keys. More information about this change can be found on the Chromium Projects website. |
Resolution | This issue will be resolved in Security Analytics 10.4.1.3. The issue is also not present in Security Analytics 10.5.x. |
Workaround | There are two workarounds that can be performed to resolve the issue until the permanent fix can be applied, which are listed below. Workaround 1: Disable all SSL/TLS cipher suites that use an ephemeral Diffie-Hellman key in the jetty-ssl.xml configuration file. (This option may prevent older browsers from accessing the Security Analytics UI.)
- Connect to the Security Analytics server appliance via SSH as the root user.
- Stop the Jetty service with the command below.
stop jettysrv - Create a backup of the existing jetty-ssl.xml configuration file.
cp /opt/rsa/jetty9/etc/jetty-ssl.xml /opt/rsa/jetty9/etc/jetty-ssl.xml.bak - Edit the appropriate jetty-ssl.xml configuration file with the vi editor using one of the commands below.
- Replace the "ExcludeCipherSuites" section of the jetty-ssl.xml file with the lines below and save the changes.
See the "Notes" section below for an example of the file before and after the change. <Set name="ExcludeCipherSuites"> <Array type="String"> <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item> <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item> <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item> <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item> <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item> <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item> <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item> <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item> <Item>TLS_DH_anon_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item> <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item> <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item> <Item>SSL_RSA_WITH_NULL_SHA</Item> <Item>SSL_RSA_WITH_NULL_MD5</Item> <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item> <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item> <Item>TLS_RSA_WITH_NULL_SHA256</Item> <Item>SSL_NULL_WITH_NULL_NULL</Item> <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DH_DSS_WITH_DES_CBC_SHA</Item> <Item>TLS_DH_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>TLS_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item> <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item> <Item>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_SEED_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</Item> </Array> </Set> <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>SSLv3</Item> </Array> </Set> - Start the Jetty service again to reflect the changes.
- Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1: Issue the command below to start the Jetty service.
start jettysrv - Security Analytics 10.4.0.2 and above: Restart the puppetmaster service with the command below, which will also restart the Jetty service.
service puppet restart Workaround 2: Specify Google Chrome launch parameters to blacklist specific cipher suites. (Windows)
- Right-click on the shortcut used to access Google Chrome and select Properties.
- On the Shortcut tab, append the line below to the end of the value in the Target field.
--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013  - Click on the Apply button, followed by the OK button.
- Double-click on the shortcut to launch Google Chrome with the modified parameters.
Making this change will blacklist the cipher suites related to the LogJam vulnerability, but will not disable those that are needed to access the Security Analytics UI. |
Notes | Performing the workaround to modify the Jetty web server configuration is the recommended workaround, as it will resolve the issue for all browsers (i.e. Google Chrome, Mozilla Firefox, etc.) and for all users, whereas the second workaround must be applied in every user's environment and the Firefox issue will continue to occur. For more information regarding the related issue in Firefox, refer to the article entitled Unable to browse to the RSA Security Analytics UI using Firefox due to the following error: "Error code: ssl_error_weak_server_ephemeral_dh_key". |