Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000031144 - Unable to access the RSA Security Analytics UI after updating Google Chrome to version 45

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 14, 2017

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000031144
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: Security Analytics UI, Security Analytics Server RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x Platform: CentOS Platform (Other): Google Chrome O/S Version: EL5, EL6
Issue	After upgrading to Google Chrome version 45.0.2454.85 m, attempting to access the Security Analytics UI displays the following error, which cannot be bypassed: Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Cause	A change was introduced in Google Chrome version 45 and above that prevents access to servers with weak ephemeral Diffie-Hellman public keys. More information about this change can be found on the Chromium Projects website.
Resolution	This issue will be resolved in Security Analytics 10.4.1.3. The issue is also not present in Security Analytics 10.5.x.
Workaround	There are two workarounds that can be performed to resolve the issue until the permanent fix can be applied, which are listed below. Workaround 1: Disable all SSL/TLS cipher suites that use an ephemeral Diffie-Hellman key in the jetty-ssl.xml configuration file. (This option may prevent older browsers from accessing the Security Analytics UI.) Connect to the Security Analytics server appliance via SSH as the root user. Stop the Jetty service with the command below. stop jettysrv Create a backup of the existing jetty-ssl.xml configuration file. cp /opt/rsa/jetty9/etc/jetty-ssl.xml /opt/rsa/jetty9/etc/jetty-ssl.xml.bak Edit the appropriate jetty-ssl.xml configuration file with the vi editor using one of the commands below. Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1: Issue the command below. vi /opt/rsa/jetty9/etc/jetty-ssl.xml Security Analytics 10.4.0.2 and above: Issue the command below. vi /etc/puppet/modules/saserver/files/jetty-ssl.xml Replace the "ExcludeCipherSuites" section of the jetty-ssl.xml file with the lines below and save the changes. See the "Notes" section below for an example of the file before and after the change. <Set name="ExcludeCipherSuites"> <Array type="String"> <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item> <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item> <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item> <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item> <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item> <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item> <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item> <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item> <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item> <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item> <Item>TLS_DH_anon_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item> <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item> <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item> <Item>SSL_RSA_WITH_NULL_SHA</Item> <Item>SSL_RSA_WITH_NULL_MD5</Item> <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item> <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item> <Item>TLS_RSA_WITH_NULL_SHA256</Item> <Item>SSL_NULL_WITH_NULL_NULL</Item> <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DH_DSS_WITH_DES_CBC_SHA</Item> <Item>TLS_DH_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_DES_CBC_SHA</Item> <Item>TLS_DHE_DSS_WITH_DES_CBC_SHA</Item> <Item>TLS_RSA_WITH_DES_CBC_SHA</Item> <Item>SSL_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item> <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item> <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item> <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item> <Item>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_SEED_CBC_SHA</Item> <Item>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</Item> </Array> </Set> <Set name="ExcludeProtocols"> <Array type="java.lang.String"> <Item>SSLv3</Item> </Array> </Set> Start the Jetty service again to reflect the changes. Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1: Issue the command below to start the Jetty service. start jettysrv Security Analytics 10.4.0.2 and above: Restart the puppetmaster service with the command below, which will also restart the Jetty service. service puppet restart Workaround 2: Specify Google Chrome launch parameters to blacklist specific cipher suites. (Windows) Right-click on the shortcut used to access Google Chrome and select Properties. On the Shortcut tab, append the line below to the end of the value in the Target field. --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013 Click on the Apply button, followed by the OK button. Double-click on the shortcut to launch Google Chrome with the modified parameters. Making this change will blacklist the cipher suites related to the LogJam vulnerability, but will not disable those that are needed to access the Security Analytics UI.
Notes	Performing the workaround to modify the Jetty web server configuration is the recommended workaround, as it will resolve the issue for all browsers (i.e. Google Chrome, Mozilla Firefox, etc.) and for all users, whereas the second workaround must be applied in every user's environment and the Firefox issue will continue to occur. For more information regarding the related issue in Firefox, refer to the article entitled Unable to browse to the RSA Security Analytics UI using Firefox due to the following error: "Error code: ssl_error_weak_server_ephemeral_dh_key".

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

000030767 - Unable to browse to the RSA Security Analytics UI using Firefox due to the following error: "Error code: ssl_error_weak_server_ephemeral_dh_key"