menu
  • Register

Recent Badges

Popular Question peterlaw
Famous Question alecxe
Notable Question samhaz

Server has a weak ephemeral diffie-hellman public key err_ssl_weak_server_ephemeral_dh_key

0 votes
48 views

Problem :

I guess Chrome have released an update over the past week. And this update has caused at least 100 of our internal applications to throw the exception shown below. The solutions I have found over the Internet, talk about updating the application server with a stronger cipher. But, our applications are spread out over various different servers like  IIS, tomcat, jboss, weblogic and websphere. So it is not practical solution for me to expect all of these application servers to be updated. Is there any way to get Chrome to allow an "exception" for these sites ? As these sites are all our internal sites, so the security is not really a concern for us.

Firefox also throws the same exception but there is a documented fix for that by simply changing some settings in Firefox. Is there anyone who is aware of a similar fix in Chrome?

Error

Server has a weak ephemeral Diffie-Hellman public key
 
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
7.5k points

1 Answer

0 votes

Solution :

I had also faced the same issue recently. After doing research I found the solution on it.

I have solved this problem without upgrading jrockit but by simply configuring the ssl section like follows :

<ssl>

    <enabled>true</enabled>

    <hostname-verifier xsi:nil="true"></hostname-verifier>

    <hostname-verification-ignored>false</hostname-verification-ignored>

    <export-key-lifespan>500</export-key-lifespan>

    <client-certificate-enforced>false</client-certificate-enforced>

    <two-way-ssl-enabled>false</two-way-ssl-enabled>

    <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>

    <inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>

    <outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>

    <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>

    <use-server-certs>false</use-server-certs>

    <jsse-enabled>true</jsse-enabled>

</ssl>

It solved many different problems on SSL with chrome. I hope it will help you too in resolving your issue.

36.1k points

Related questions

0 votes
1 answer 39 views
39 views
Java.security.cert.certificateexception: no subject alternative names present
Problem : I have the Java web service client, which consumes the web service via HTTPS. When I try to connect to the service URL (https://AAA.BBB.CCC.DDD:9443/ISomeService ), I get the exception as below: &ldquo; Java.security.cert.CertificateException: No subject alternative names present.&rdquo;
asked Jan 21 jwilliam 3.9k points
0 votes
1 answer 91 views
91 views
java.security.cert.certificateexception: no subject alternative names present
Problem : I have a Java web service client, which consumes a web service via HTTPS. When I connect to the service URL, I get the exception java.security.cert.CertificateException: No subject alternative names present.
asked Oct 22, 2019 peterlaw 6.9k points
0 votes
1 answer 64 views
64 views
An ssl error has occurred and a secure connection to the server cannot be made.
Problem : Since I upgraded the existing project with the iOS 9, I keep getting the below error : &ldquo;An SSL error has occurred and a secure connection to the server cannot be made.&rdquo;
asked Jan 4 alecxe 7.5k points
0 votes
2 answers 509 views
509 views
No matching key exchange method found. their offer: diffie-hellman-group1-sha1
Problem : I am trying to ssh to the server but that is asking for the diffie-hellman-group1-sha1 key exchange method as below: ​ssh 123.123.123.123 Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 ​ How can I enable the diffie-hellman-group1-sha1 key exchange method on the Debian 8.0?
asked Jan 10 alecxe 7.5k points
0 votes
1 answer 91 views
91 views
The client and server cannot communicate, because they do not possess a common algorithm
Problem : I have facing an issue with my C# PayTrace Gateway. My code was working fine until they turned off SSL3 due to the Poodle Exploit. When tried running my code I am getting the following message: The remote server has forcefully closed the connection. ... The client and server cannot communicate, because they do not possess a common algorithm. Any clue on error messages which I am facing?
asked Nov 29, 2019 alecxe 7.5k points
Dark theme