09-09-2015 11:38 AM - edited 03-17-2019 04:15 AM
With the release of the most recent Chrome 45 and Firefox at least as recent as 39, our Finesse users can no longer connect:
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
We intentionally upgraded UCCX to 10.6.1.10000-39 to get Chrome support as we use it heavily for web app development/testing. Oddly enough, our CUCM server (10.5.2.10000-5) doesn't have the same issue. Both servers appear to support the same ciphers:
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA
so I suspect that means the issue is just that the UCCX software is not configured to use a strong enough DH group, since normally those four export-grade ciphers would also be an issue.
Anyone know if there's a way to get into the server in a way that would let me either generate a 2048-bit DH group, or turn off all the weak ciphers? Or maybe if I'm really lucky there will already be a logjam vulnerabillity patch from Cisco somewhere that I can apply?
As we're an ecommerce company, disabling the weak cipher and weak DH group checks is not an option.
09-10-2015 08:14 PM
Hi,
Here is a link to an excellent article about the Server has a weak ephemeral Diffie-Hellman public key error.
09-10-2015 08:36 PM
That's an absolutely horrible article actually; whoever wrote it should be ashamed for not at least giving a disclaimer of how massive a security issue one would be undertaking by making the suggested changes. Making the changes shown in that article will make a modern browser vulnerable to trivial man in the middle exploits that subjects all of their https traffic to decryption without their knowledge. I truly hope no one would ever follow such guidelines, hence, my summary of my original post "As we're an ecommerce company, disabling the weak cipher and weak DH group checks is not an option."
09-11-2015 01:58 AM
For Chrome, use this shortcut:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
09-11-2015 04:55 AM
No one should ever do that; it creates a serious security issue:
https://weakdh.org/
09-11-2015 07:16 AM
No one should ever do that; it creates a serious security issue:
Agree. But I'm just "putting it out there". Either use IE or, if still want to use Chrome, then use the above shortcut. Cavaet emptor.
09-12-2015 01:30 PM
Hi,
I understand the risk in ecommerce company, just sharing the info that I found.
https://tools.cisco.com/bugsearch/bug/CSCuu83416
http://stackoverflow.com/questions/30931692/diffie-hellman-public-key-error-with-tomcat-7
Hope this helps
(Rate the helpful posts)
Regards,
Tirtha
09-16-2015 05:32 AM
Does not appear a fix will be released; we'll all be required to upgrade... Below is from TAC:
I have taken a look over the case notes and I believe that you are running into the following documented defect (seen here https://tools.cisco.com/bugsearch/bug/CSCuu82538/?reffering_site=dumpcr)
This defect outlines Cisco’s recognition of this behavior and outlines the workaround, and the expected release version of UCCX where this will be fixed (the soon to release version 11).
The outputs that you show, where the openssl commands work with CUCM 10.5, but fail on UCCX 10.6, is because this issue is fixed in CUCM 10.5 because it uses a newer VOS version than UCCX 10.6 uses. Until UCCX moves to the newer VOS version, this will be an issue.
For example:
CUCM 10.5 (itself the vos version) the issue is fixed.
UCCX 10.6 (http://docwiki.cisco.com/wiki/Unified_CCX_Software_Compatibility_Matrix_for_10.6%281%29) shows that it uses the older 10.0 version of platform (which is affected by this vunerability).
The only real choices at this time for UCCX are:
1. Apply the browser based workaround listed in the defect above.
2. Wait for and upgrade to 11.0 upon release.
09-26-2015 12:29 PM
Hi,
The wait is over. Please find the links for download:
Finesse:
https://software.cisco.com/download/release.html?mdfid=283613135&softwareid=284259728&release=11.0%281%29&relind=AVAILABLE&rellifecycle=&reltype=latest
Hope this helps
(Rate the helpful posts)
Regards,
Tirtha
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide