10620 Views | 25 Helpful | 8 Replies

Getting Diffie Hellman error when trying to browse to UCCX using Firefox with latest update (39)

nicholas platt
Level 1

I'm using Firefox with update 39 (it auto updated). When I browse to a customer's UCCX I get an error (screenshot attached) that through researching I believe is related to the logjam vulnerability announced back in May.

Does anyone know a workaround for this? Everything I've read states that Firefox does not have a method to roll back, so in the meantime I'm reduced to using IE.

It's not just on UCCX servers. I've run into it at another customer on their CUCM server.


Thanks in advance.


1 Accepted Solution

Accepted Solutions

Medquest IT
Level 1

We are having the same issue with firefox 39. I was able to access CUCM 9.1 and UCCX 9.0 by setting the keys

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

to false in the about:config page in firefox. This is not ideal since it is just leaving us open to security holes. I have read that there is a fix for UCCX by upgrading to 10.6.1

https://tools.cisco.com/bugsearch/bug/CSCur36735

Chrome is also working for us.


8 Replies

Aaron Harrison
VIP Alumni

Hi Nicholas

Looks like it's a firefox 'fix' - they've blocked some ciphers, and either UCCX doesn't offer an alternative or firefox doesn't take it.

Various forums show a fix as disabling these in about:config (type it in the address bar):

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

However it doesn't work for me.

My 10.x systems work OK.

Basically it's a combination of outdated security/cert config on the UC servers (which probably should be remediated, but for an internal system you could argue it's not so important to most organisations) and bad coding at Firefox (they should allow you to work around it at the client end whilst a fix for the server end is planned/tested and implemented). 

I guess you're stuck back with IE for now...

Aaron

Aaron. Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Whereas both changes will fix your immediate issue of accessing Call Manager or Unity from Firefox or Chrome, you're setting yourself up for a man-in-the-middle attack (logjam) at any other website you may visit. This is not the best security posture to take. Anyone have any ideas when or if Cisco will issue a patch for this? The problem exists for both self-signed certificates and certificates from a CA.

From Cisco TAC: this will be resolved in 10.6 SU1, to be released in approximately a couple of weeks.

----------------------------------------
Cisco UC Architect


10.6.1 fixes the POODLE vulnerability, but not the one this thread is noting (logjam).  The logjam vulnerability is still active in 10.6.1, and is referenced under this bug:

https://tools.cisco.com/bugsearch/bug/CSCuv76434

It's noted as a Finesse vulnerability, but it's actually tied to the whole UCCX Tomcat platform, since Finesse runs within that same environment.


jakeriley
Level 1

K L
Level 4

For Chrome (ver 45+) you can edit the shortcut link to add the following at the end (after the chrome.exe):

--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013


  1. Go to the browser shortcut (Start Menu, Desktop, Taskbar, etc...)

  2. Right click and go to Properties

  3. Go to Shortcut tab

  4. Go to Target textbox, in this you will find your chrome full path, add above string at the end of path. For my Windows installation it will look like:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

  5. Apply, and click OK to close the properties window.

  6. If you have Chrome open, fully close it and re-launch via shortcut.

  7. You should now be able to access Finesse login site.


----------------------------------------
Cisco UC Architect
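Two checks a UC administrator can run offline while waiting for the server-side fix, as an added example that is not from this thread or from Cisco: decoding the Chrome blacklist above into IANA cipher-suite names (every ID is a DHE suite, which is why the flag sidesteps the error), and parsing the ServerDHParams from a TLS 1.2 ServerKeyExchange to measure the DH prime the server actually offers. It assumes the 1024-bit minimum that Firefox 39 and Chrome 45 enforce; the thread itself states no threshold, and the sample handshake bytes are constructed.

```python
import struct

MIN_DH_BITS = 1024  # assumed Firefox 39 / Chrome 45 minimum; not stated in the thread

# The suite IDs from the Chrome --cipher-suite-blacklist above, with their IANA names.
DHE_SUITES = {
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}

def blacklisted_suite_names(flag):
    """Translate '--cipher-suite-blacklist=0x0088,...' into IANA suite names."""
    ids = flag.split("=", 1)[1].split(",")
    return [DHE_SUITES.get(int(i, 16), "unknown") for i in ids]

def parse_server_dh_params(body):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys; each a 16-bit length + big-endian int)."""
    vals, off = [], 0
    for _ in range(3):
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("truncated ServerDHParams")
        vals.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p_bits = vals[0].bit_length()
    return {"p_bits": p_bits, "g": vals[1], "weak": p_bits < MIN_DH_BITS}

def encode_dh_params(p, g, ys):
    """Serialise ServerDHParams; used here only to build the constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: odd numbers of the right size, not real safe primes.
WEAK_BODY = encode_dh_params((1 << 511) | 1, 2, 1 << 500)
STRONG_BODY = encode_dh_params((1 << 2047) | 1, 2, 1 << 2000)
```

A real ServerKeyExchange body captured from the UC server (for example from a packet capture of the failing handshake) can be passed to parse_server_dh_params in place of the constructed samples; the "weak" flag then tells you whether the server-side remediation has actually taken effect.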

Bigoncisco
Level 1
Level 1

Here is a link to an excellent article about the "Server has a weak ephemeral Diffie-Hellman public key" (ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY) error.
