cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3444
Views
5
Helpful
8
Replies

Ugh, Finesse (10.6) and Chrome / Firefox - weak Diffie-Hellman key

hostasaurus
Level 1
Level 1

With the release of the most recent Chrome 45 and Firefox at least as recent as 39, our Finesse users can no longer connect:

 

Server has a weak ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

 

We intentionally upgraded UCCX to 10.6.1.10000-39 to get Chrome support as we use it heavily for web app development/testing.  Oddly enough, our CUCM server (10.5.2.10000-5) doesn't have the same issue.  Both servers appear to support the same ciphers:

  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA

  Prefered Server Cipher(s):
    TLSv1  256 bits  AES256-SHA

 

so I suspect that means the issue is just that the UCCX software is not configured to use a strong enough DH group, since normally those four export-grade ciphers would also be an issue.

Anyone know if there's a way to get into the server in a way that would let me either generate a 2048-bit DH group, or turn off all the weak ciphers?  Or maybe if I'm really lucky there will already be a logjam vulnerabillity patch from Cisco somewhere that I can apply?

 

As we're an ecommerce company, disabling the weak cipher and weak DH group checks is not an option.

8 Replies 8

Bigoncisco
Level 1
Level 1

Hi,

Here is a link to an excellent article about the Server has a weak ephemeral Diffie-Hellman public key  error.

That's an absolutely horrible article actually; whoever wrote it should be ashamed for not at least giving a disclaimer of how massive a security issue one would be undertaking by making the suggested changes.  Making the changes shown in that article will make a modern browser vulnerable to trivial man in the middle exploits that subjects all of their https traffic to decryption without their knowledge.  I truly hope no one would ever follow such guidelines, hence, my summary of my original post "As we're an ecommerce company, disabling the weak cipher and weak DH group checks is not an option."

Leo Laohoo
Hall of Fame
Hall of Fame

For Chrome, use this shortcut: 

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

No one should ever do that; it creates a serious security issue:

 

https://weakdh.org/

No one should ever do that; it creates a serious security issue:

Agree.  But I'm just "putting it out there".  Either use IE or, if still want to use Chrome, then use the above shortcut.  Cavaet emptor.

Tirtha Tripathy
Cisco Employee
Cisco Employee

Hi,

 

I understand the risk in ecommerce company, just sharing the info that I found.

 

https://tools.cisco.com/bugsearch/bug/CSCuu83416

http://stackoverflow.com/questions/30931692/diffie-hellman-public-key-error-with-tomcat-7

 

Hope this helps

(Rate the helpful posts)

 

Regards,

Tirtha

Regards, Tirtha

hostasaurus
Level 1
Level 1

Does not appear a fix will be released; we'll all be required to upgrade...  Below is from TAC:

 

 

I have taken a look over the case notes and I believe that you are running into the following documented defect (seen here https://tools.cisco.com/bugsearch/bug/CSCuu82538/?reffering_site=dumpcr)

This defect outlines Cisco’s recognition of this behavior and outlines the workaround, and the expected release version of UCCX where this will be fixed (the soon to release version 11).

 

The outputs that you show, where the openssl commands work with CUCM 10.5, but fail on UCCX 10.6, is because this issue is fixed in CUCM 10.5 because it uses a newer VOS version than UCCX 10.6 uses. Until UCCX moves to the newer VOS version, this will be an issue.

 

For example:

CUCM 10.5 (itself the vos version) the issue is fixed.

 

UCCX 10.6 (http://docwiki.cisco.com/wiki/Unified_CCX_Software_Compatibility_Matrix_for_10.6%281%29) shows that it uses the older 10.0 version of platform (which is affected by this vunerability).

 

The only real choices at this time for UCCX are:

1. Apply the browser based workaround listed in the defect above.

2. Wait for and upgrade to 11.0 upon release.

Hi,

 

The wait is over. Please find the links for download:

Finesse:

https://software.cisco.com/download/release.html?mdfid=283613135&softwareid=284259728&release=11.0%281%29&relind=AVAILABLE&rellifecycle=&reltype=latest

 

Hope this helps

(Rate the helpful posts)

 

Regards,

Tirtha

Regards, Tirtha
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: