menu
  • Register

Want to solve programming problems and get paid for it? If that sounds interesting to you then contact us.

Server has a weak ephemeral diffie-hellman public key err_ssl_weak_server_ephemeral_dh_key

0 votes
57 views

Problem :

I guess Chrome have released an update over the past week. And this update has caused at least 100 of our internal applications to throw the exception shown below. The solutions I have found over the Internet, talk about updating the application server with a stronger cipher. But, our applications are spread out over various different servers like  IIS, tomcat, jboss, weblogic and websphere. So it is not practical solution for me to expect all of these application servers to be updated. Is there any way to get Chrome to allow an "exception" for these sites ? As these sites are all our internal sites, so the security is not really a concern for us.

Firefox also throws the same exception but there is a documented fix for that by simply changing some settings in Firefox. Is there anyone who is aware of a similar fix in Chrome?

Error

Server has a weak ephemeral Diffie-Hellman public key
 
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
6 5 3
7,540 points

Please log in or register to answer this question.

1 Answer

0 votes

Solution :

I had also faced the same issue recently. After doing research I found the solution on it.

I have solved this problem without upgrading jrockit but by simply configuring the ssl section like follows :

<ssl>

    <enabled>true</enabled>

    <hostname-verifier xsi:nil="true"></hostname-verifier>

    <hostname-verification-ignored>false</hostname-verification-ignored>

    <export-key-lifespan>500</export-key-lifespan>

    <client-certificate-enforced>false</client-certificate-enforced>

    <two-way-ssl-enabled>false</two-way-ssl-enabled>

    <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>

    <inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>

    <outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>

    <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>

    <use-server-certs>false</use-server-certs>

    <jsse-enabled>true</jsse-enabled>

</ssl>

It solved many different problems on SSL with chrome. I hope it will help you too in resolving your issue.

9 7 4
38,600 points

Related questions

0 votes
1 answer 51 views
51 views
Java.security.cert.certificateexception: no subject alternative names present
Problem : I have the Java web service client, which consumes the web service via HTTPS. When I try to connect to the service URL (https://AAA.BBB.CCC.DDD:9443/ISomeService ), I get the exception as below: &ldquo; Java.security.cert.CertificateException: No subject alternative names present.&rdquo;
asked Jan 21, 2020 jwilliam 3.9k points
0 votes
1 answer 124 views
124 views
java.security.cert.certificateexception: no subject alternative names present
Problem : I have a Java web service client, which consumes a web service via HTTPS. When I connect to the service URL, I get the exception java.security.cert.CertificateException: No subject alternative names present.
asked Oct 22, 2019 peterlaw 6.9k points
0 votes
1 answer 125 views
125 views
An ssl error has occurred and a secure connection to the server cannot be made.
Problem : Since I upgraded the existing project with the iOS 9, I keep getting the below error : &ldquo;An SSL error has occurred and a secure connection to the server cannot be made.&rdquo;
asked Jan 4, 2020 alecxe 7.5k points
0 votes
2 answers 1.9K views
1.9K views
No matching key exchange method found. their offer: diffie-hellman-group1-sha1
Problem : I am trying to ssh to the server but that is asking for the diffie-hellman-group1-sha1 key exchange method as below: ​ssh 123.123.123.123 Unable to negotiate with 123.123.123.123 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 ​ How can I enable the diffie-hellman-group1-sha1 key exchange method on the Debian 8.0?
asked Jan 10, 2020 alecxe 7.5k points
0 votes
1 answer 253 views
253 views
The client and server cannot communicate, because they do not possess a common algorithm
Problem : I have facing an issue with my C# PayTrace Gateway. My code was working fine until they turned off SSL3 due to the Poodle Exploit. When tried running my code I am getting the following message: The remote server has forcefully closed the connection. ... The client and server cannot communicate, because they do not possess a common algorithm. Any clue on error messages which I am facing?
asked Nov 29, 2019 alecxe 7.5k points
0 votes
1 answer 153 views
153 views
server certificate verification failed. cafile: /etc/ssl/certs/ca-certificates.crt crlfile: none
Problem : I can push by clone project using ssh but it is not working for me getting following error server certificate verification failed. cafile: /etc/ssl/certs/ca-certificates.crt crlfile: none
asked Nov 12, 2019 peterlaw 6.9k points
0 votes
2 answers 247 views
247 views
keytool error: java.lang.exception: public keys in reply and keystore don't match
Problem : I am getting bellow error while using keytool keytool error: java.lang.exception: public keys in reply and keystore don't match
asked Oct 19, 2019 peterlaw 6.9k points
0 votes
2 answers 235 views
235 views
Rsa certificate configured for does not include an id which matches the server name
Problem : I am trying to use the XAMPP and also started Apache but I cannot access my site over the HTTPS. I am facing the below error : [Mon Dec 16 08:05:33.208723 2019] [ssl:warn] [pid 3784:tid 256] AH01909: RSA certificate configured for www.example ... RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name What is wrong and how can I correct it?
asked Dec 17, 2019 alecxe 7.5k points
Dark theme