000030767 - Unable to browse to the RSA Security Analytics UI using Firefox due to the following error: "Error code: ssl_error_weak_server_ephemeral_dh_key"

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 9

Article Content

Article Number: 000030767
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server, Security Analytics UI
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
Platform (Other): Mozilla Firefox
O/S Version: EL6
Issue
The Security Analytics UI login page does not render properly in Mozilla Firefox v39 and higher. The message below appears.
An error occurred during a connection to <FQDN of the Security Analytics Server>. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key).

When using Google Chrome, a warning message similar to the one above is also displayed, which may be bypassed in v44 of Chrome.
Beginning in version 45 of Chrome, the connection will be denied with an SSL handshake error, similar to what is currently experienced in Mozilla Firefox.  This issue is addressed in the article entitled Unable to access the RSA Security Analytics UI after updating Google Chrome to version 45.
Cause
Starting with v39 of Mozilla Firefox, certain antiquated Diffie-Hellman cipher suites are disabled by default, as more secure cipher suites should be used in their place.
These new precautions are in response to the Logjam vulnerability (CVE-2015-4000).
These cipher suites, while not used by default by the Security Analytics web server, are still in place on the server.  

 
Resolution
This issue is rectified in Security Analytics 10.4.1.3.
The issue is not present or applicable to Security Analytics 10.5.x.
Workaround
Any of the three workarounds below can be used until binary remediation can be applied:
Workaround 1: Disable all SSL/TLS cipher suites that use an ephemeral Diffie-Hellman key in the jetty-ssl.xml configuration file.
(This option may prevent older browsers from accessing the Security Analytics UI.)

  1. Stop the Jetty service with the command below.
    stop jettysrv

  2. Back up the existing jetty-ssl.xml configuration file with the command below.
    cp /opt/rsa/jetty9/etc/jetty-ssl.xml /opt/rsa/jetty9/etc/jetty-ssl.xml.bak

  3. Edit the appropriate jetty-ssl.xml configuration file with the vi editor using one of the commands below.
    • Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1:  Issue the command below.
       
      vi /opt/rsa/jetty9/etc/jetty-ssl.xml

       
    • Security Analytics 10.4.0.2 and above:  Issue the command below.
       
      vi /etc/puppet/modules/saserver/files/jetty-ssl.xml

       
  4. Replace the "ExcludeCipherSuites" section of the jetty-ssl.xml file with the lines below and save the changes.
    See the "Notes" section below for an example of the file before and after the change.
      <Set name="ExcludeCipherSuites">
        <Array type="String">
                      <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                      <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
                      <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
                      <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
                      <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
                      <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
                      <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                      <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                      <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                      <Item>TLS_DH_anon_WITH_AES_256_GCM_SHA384</Item>
                      <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item>
                      <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
                      <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item>                  
                      <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
                      <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item>              
                      <Item>SSL_RSA_WITH_NULL_SHA</Item>
                      <Item>SSL_RSA_WITH_NULL_MD5</Item>
                      <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
                      <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
                      <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
                      <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
                      <Item>TLS_RSA_WITH_NULL_SHA256</Item>
                      <Item>SSL_NULL_WITH_NULL_NULL</Item>
                      <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>TLS_DH_DSS_WITH_DES_CBC_SHA</Item>
                      <Item>TLS_DH_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>TLS_DHE_DSS_WITH_DES_CBC_SHA</Item>
                      <Item>TLS_RSA_WITH_DES_CBC_SHA</Item>
                      <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                      <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
                      <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
                      <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
                      <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                      <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                      <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
                      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                      <Item>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_SEED_CBC_SHA</Item>
                      <Item>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</Item>
        </Array>
      </Set>
      
      <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
             <Item>SSLv3</Item>
        </Array>
      </Set>

  5. Start the Jetty service again to reflect the changes.
    • Security Analytics 10.3.x, 10.4.0.0, and 10.4.0.1:  Issue the command below to start the Jetty service.
       
      start jettysrv

       
    • Security Analytics 10.4.0.2 and above:  Restart the puppetmaster service with the command below, which will also restart the Jetty service.
       
      service puppet restart
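
One way to check the result of step 4 before restarting Jetty, as an added example that is not part of the original article: the script lists the suites in the ExcludeCipherSuites block and reports which ephemeral-DH suites a file would still allow. The function names, the DHE_SUITES list and the abbreviated sample files are constructed for illustration, and matching by exact suite name is an assumption of this sketch.

```shell
# Added example: audit the ExcludeCipherSuites block of a jetty-ssl.xml file.
# Assumption: exclusions are compared by exact suite name.

# Print every <Item> value inside <Set name="ExcludeCipherSuites"> only.
excluded_suites() {
  awk '
    /<Set name="ExcludeCipherSuites">/ { inset = 1; next }
    inset && /<\/Set>/                 { inset = 0 }
    inset && match($0, /<Item>[^<]+<\/Item>/) {
      print substr($0, RSTART + 6, RLENGTH - 13)
    }' "$1"
}

# Print each suite named after FILE that FILE does not exclude.
still_allowed() {
  file=$1; shift
  excl=$(excluded_suites "$file")
  for suite in "$@"; do
    printf '%s\n' "$excl" | grep -qxF -- "$suite" || printf '%s\n' "$suite"
  done
}

# Constructed samples: abbreviated "before" and "after" blocks from the Notes.
write_samples() {
  cat > "$1/before.xml" <<'EOF'
<Configure>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    </Array>
  </Set>
</Configure>
EOF
  cat > "$1/after.xml" <<'EOF'
<Configure>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    </Array>
  </Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array>
  </Set>
</Configure>
EOF
}

# Ephemeral-DH suites to test for (a subset of the list in step 4).
DHE_SUITES="TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
tmp=$(mktemp -d) && write_samples "$tmp"
for f in before after; do
  echo "$f.xml still allows: $(still_allowed "$tmp/$f.xml" $DHE_SUITES | tr '\n' ' ')"
done
rm -rf "$tmp"
```

Run the same functions against the file edited in step 3; an empty result from still_allowed means every suite passed to it is excluded.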

       
Workaround 2: Disable the ciphers in Firefox with the steps below.
  1. In the Firefox browser window, where you would ordinarily type in a URL, type the string below.
    about:config

  2. Enter the string below in the search box that appears on the page. This locates the two preferences that must be changed.
    security.ssl3.dhe_rsa_aes

  3. To toggle the two displayed values from true to false, left click on the row to select the key, then press the enter key. This will prevent Firefox from attempting to negotiate the weak cipher.
Workaround 3: Use a different browser.  
However, be aware that there is a known issue with the latest version of Google Chrome that affects the functionality of the Security Analytics UI.  
For more information on this issue, refer to the knowledgebase articles RSA Security Analytics UI experiences sluggishness after updating Google Chrome to version 44.0.2403.125 and Unable to access the RSA Security Analytics UI after updating Google Chrome to version 45.
Notes
The output below displays the jetty-ssl.xml file before the change from Workaround #1 was applied. Note that this sample does not include any customized changes that may be in use for customer or other custom certificates.
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!-- ============================================================= -->
<!-- Configure a TLS (SSL) Context Factory                         -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and either jetty-https.xml or jetty-spdy.xml (but not both)   -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
   <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>
  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>


The output below displays the jetty-ssl.xml file content after Workaround #1 has been applied.


<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<!-- ============================================================= -->
<!-- Configure a TLS (SSL) Context Factory                         -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and either jetty-https.xml or jetty-spdy.xml (but not both)   -->
<!-- ============================================================= -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
                  <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                  <Item>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5</Item>
                  <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
                  <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
                  <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
                  <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
                  <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                  <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                  <Item>TLS_DH_anon_WITH_AES_256_GCM_SHA384</Item>
                  <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item>
                  <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
                  <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDH_anon_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDH_anon_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA</Item>                 
                  <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDH_anon_WITH_NULL_SHA</Item>             
                  <Item>SSL_RSA_WITH_NULL_SHA</Item>
                  <Item>SSL_RSA_WITH_NULL_MD5</Item>
                  <Item>TLS_ECDHE_ECDSA_WITH_NULL_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_NULL_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_NULL_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_NULL_SHA</Item>
                  <Item>TLS_RSA_WITH_NULL_SHA256</Item>
                  <Item>SSL_NULL_WITH_NULL_NULL</Item>
                  <Item>SSL_DH_DSS_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DH_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>TLS_DH_DSS_WITH_DES_CBC_SHA</Item>
                  <Item>TLS_DH_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>TLS_DHE_DSS_WITH_DES_CBC_SHA</Item>
                  <Item>TLS_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                  <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
                  <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
                  <Item>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_SEED_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</Item>
    </Array>
  </Set>
 
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
         <Item>SSLv3</Item>
    </Array>
  </Set>
  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

NOTE:  The examples above were taken from a Security Analytics 10.3.5 environment.  
Some values may be slightly different depending on the code level and whether or not a custom CA certificate chain has been applied.
