cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8901
Views
25
Helpful
8
Replies
Beginner

Getting Diffie Hellman error when trying to browse to UCCX using Firefox with latest update (39)

I'm using Firefox with update 39 (it auto updated). When I browse to a customer's UCCX I get an error (screenshot attached) that through researching I believe is relateed to the logjam vulnerability announced back in May.

Does anyone know a workaround for this? Everything I've read states that Firefox does not have a method to roll back, so in the meantime I'm reduced to using IE.

It's not just on UCCX servers. I've run into it at another customer on their CUCM server.

 

Thanks in advance.

 

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

We are having the same issue

We are having the same issue with firefox 39. I was able to access CUCM 9.1 and UCCX 9.0 by setting the keys

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

to false in the about:config page in firefox. This is not ideal since it is just leaving us open to security holes. I have read that there is a fix for UCCX by upgrading to 10.6.1

https://tools.cisco.com/bugsearch/bug/CSCur36735

Chrome is also working for us.

8 REPLIES 8

Hi NicholasLooks like it's a

Hi Nicholas

Looks like it's a firefox 'fix' - they've blocked some ciphers, and either UCCX doesn't offer an alternative or firefox doesn't take it.

Various forums show a fix as disabling these in about:config (type it in the address bar):

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

However it doesn't work for me.

My 10.x systems work OK.

Basically it's a combination of outdated security/cert config on the UC servers (which probably should be remediated, but for an internal system you could argue it's not so important to most organisations) and bad coding at Firefox (they should allow you to work around it at the client end whilst a fix for the server end is planned/tested and implemented). 

I guess you're stuck back with IE for now...

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
Beginner

As where both changes will

As where both changes will fix your immediate issue of accessing call manager or unity from firefox or chrome.  Your setting yourself up for a man in the middle attack (logjam) at any other website you may visit.  This is not the best security posture to take.  Anyone have any ideas when or if Cisco will issue a patch for this?  The problem exists for both self-signed certificates or certificate from a CA.

Enthusiast

From Cisco TAC this will be

From Cisco TAC this will be resolved in 10.6 SU1 to be release in approximately a couple of weeks.

Beginner

We are having the same issue

We are having the same issue with firefox 39. I was able to access CUCM 9.1 and UCCX 9.0 by setting the keys

security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

to false in the about:config page in firefox. This is not ideal since it is just leaving us open to security holes. I have read that there is a fix for UCCX by upgrading to 10.6.1

https://tools.cisco.com/bugsearch/bug/CSCur36735

Chrome is also working for us.

Frequent Contributor

10.6.1 fixes the POODLE

10.6.1 fixes the POODLE vulnerability, but not the one this thread is noting (logjam).  The logjam vulnerability is still active in 10.6.1, and is referenced under this bug:

https://tools.cisco.com/bugsearch/bug/CSCuv76434

It's noted as a Finesse vulnerability, but it's actually tied to the whole UCCX Tomcat platform, since Finesse runs within that same environment.

 

Beginner

Not sure if you've come

 

 

Highlighted
Enthusiast

For Chrome (ver 45+) you can

For Chrome (ver 45+) you can edit the shortcut link to add the following at the end (after the chrome.exe):

--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

 

  1. Go to browser short cut (Start Menu, Desktop, Taskbar, etc...)

  2. Right click and go to Properties

  3. Go to Shortcut tab

  4. Go to Target textbox, in this you will find your chrome full path, add above string at the end of path. For my Windows installation it will look like:

    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

  5. Apply, and click OK to close the properties window.

  6. If you have Chrome open, fully close it and re-launch via shortcut.

  7. You should now be able to access Finesse login site.

 

Beginner

Here is a link to an

Here is a link to an excellent article about the Server has a weak ephemeral Diffie-Hellman public key ... ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards