07-08-2015 08:23 AM - edited 03-14-2019 02:58 PM
I'm using Firefox with update 39 (it auto updated). When I browse to a customer's UCCX I get an error (screenshot attached) that through researching I believe is related to the logjam vulnerability announced back in May.
Does anyone know a workaround for this? Everything I've read states that Firefox does not have a method to roll back, so in the meantime I'm reduced to using IE.
It's not just on UCCX servers. I've run into it at another customer on their CUCM server.
Thanks in advance.
07-09-2015 02:44 PM
We are having the same issue with firefox 39. I was able to access CUCM 9.1 and UCCX 9.0 by setting the keys
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
to false in the about:config page in firefox. This is not ideal since it is just leaving us open to security holes. I have read that there is a fix for UCCX by upgrading to 10.6.1
https://tools.cisco.com/bugsearch/bug/CSCur36735
Chrome is also working for us.
07-09-2015 01:52 AM
Hi Nicholas
Looks like it's a firefox 'fix' - they've blocked some ciphers, and either UCCX doesn't offer an alternative or firefox doesn't take it.
Various forums show a fix as disabling these in about:config (type it in the address bar):
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
However it doesn't work for me.
My 10.x systems work OK.
Basically it's a combination of outdated security/cert config on the UC servers (which probably should be remediated, but for an internal system you could argue it's not so important to most organisations) and bad coding at Firefox (they should allow you to work around it at the client end whilst a fix for the server end is planned/tested and implemented).
I guess you're stuck back with IE for now...
Aaron
09-10-2015 02:01 PM
Whereas both changes will fix your immediate issue of accessing Call Manager or Unity from Firefox or Chrome, you're setting yourself up for a man-in-the-middle attack (logjam) at any other website you may visit. This is not the best security posture to take. Anyone have any ideas when or if Cisco will issue a patch for this? The problem exists for both self-signed certificates and certificates from a CA.
09-10-2015 04:30 PM
From Cisco TAC this will be resolved in 10.6 SU1, to be released in approximately a couple of weeks.
08-18-2015 08:04 AM
10.6.1 fixes the POODLE vulnerability, but not the one this thread is noting (logjam). The logjam vulnerability is still active in 10.6.1, and is referenced under this bug:
https://tools.cisco.com/bugsearch/bug/CSCuv76434
It's noted as a Finesse vulnerability, but it's actually tied to the whole UCCX Tomcat platform, since Finesse runs within that same environment.
09-04-2015 06:05 AM
09-10-2015 07:02 AM
For Chrome (ver 45+) you can edit the shortcut link to add the following at the end (after the chrome.exe):
--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Go to the browser shortcut (Start Menu, Desktop, Taskbar, etc...)
Right click and go to Properties
Go to the Shortcut tab
Go to the Target textbox; in it you will find the full Chrome path. Add the above string at the end of the path. For my Windows installation it will look like:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Apply, and click OK to close the properties window.
If you have Chrome open, fully close it and re-launch via shortcut.
You should now be able to access Finesse login site.
09-10-2015 08:20 PM
Here is a link to an excellent article about the "Server has a weak ephemeral Diffie-Hellman public key ..." (ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY) error.
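Before reaching for either browser workaround it is worth confirming that the server's ephemeral DH group is really the problem, since that is what Firefox 39 and Chrome 45 reject. The script below is an added example, not code from this thread or from Cisco: it classifies saved `openssl s_client` output, with constructed sample text standing in for a real capture; the hostname, port and file name are assumptions.

```python
"""Classify a server's ephemeral Diffie-Hellman strength from `openssl s_client` output.

Added example, not from the thread or from Cisco. Assumed workflow (host and port
are placeholders): openssl s_client -connect uccx.example.internal:8443 </dev/null > out.txt 2>&1
then classify(open("out.txt").read()). OpenSSL 1.0.2+ prints the "Server Temp Key" line.
"""
import re

TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(\w+),\s*(?:(\S+),\s*)?(\d+) bits", re.M)
CIPHER_RE = re.compile(r"^New, .*?, Cipher is ([A-Z0-9_-]+)", re.M)

BROWSER_MIN_DH_BITS = 1024   # Firefox 39 and Chrome 45 reject DH groups below this
RECOMMENDED_DH_BITS = 2048   # what a remediated server should offer


def parse_s_client(output):
    """Pull key-exchange type, group size and negotiated cipher out of the text."""
    info = {"kx": None, "kx_bits": None, "cipher": None}
    m = TEMP_KEY_RE.search(output)
    if m:
        info["kx"] = m.group(1)          # "DH", "ECDH" or "X25519"
        info["kx_bits"] = int(m.group(3))
    c = CIPHER_RE.search(output)
    if c:
        info["cipher"] = c.group(1)
    return info


def classify(output):
    """Return a verdict: weak-dh, legacy-dh, ok, unknown or no-pfs."""
    info = parse_s_client(output)
    kx, bits, cipher = info["kx"], info["kx_bits"], info["cipher"]
    if kx == "DH":
        if bits < BROWSER_MIN_DH_BITS:
            return "weak-dh"      # Logjam-class: the server, not the browser, needs fixing
        if bits < RECOMMENDED_DH_BITS:
            return "legacy-dh"    # browsers accept it, but regenerate 2048-bit parameters
        return "ok"
    if kx in ("ECDH", "X25519"):
        return "ok"
    if cipher and cipher.startswith(("DHE-", "EDH-")):
        return "unknown"          # DHE negotiated but an old openssl printed no Temp Key line
    return "no-pfs"               # static RSA key exchange: no forward secrecy at all


# Constructed, abridged s_client output; not captured from a real UC server.
SAMPLE_WEAK = "Server Temp Key: DH, 768 bits\n---\nNew, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\n"
SAMPLE_FIXED = "Server Temp Key: ECDH, P-256, 256 bits\n---\nNew, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\n"
```

A "weak-dh" verdict means the browser-side cipher changes only hide a server defect; the remediation belongs on the UC server.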