
Using Chrome with PI 2.0 and 2.1 reports an error ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

HANS VASTERS
Level 1

Since today, after an automatic upgrade of the Chrome browser, we cannot access our Prime Infrastructure systems running on Version 2.0 and 2.1 anymore. Chrome reports the error ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. Version 2.2 has no problem. Does anyone have a solution for this (besides an upgrade to 2.2 :-))?


Leo Laohoo
Hall of Fame

This is a known issue with Chrome 45. I think this has something to do with CSCuj42438.

 

IE will still work. 

Marvin Rhoads
Hall of Fame

We had this issue recently with Firefox and ISE. The root cause is the same.

In Firefox, this article tells how to change the browser to accept the older key strength.

I do see a similar article covering Chrome (among others) that talks about a similar workaround. It may be worth a try.

Leo Laohoo
Hall of Fame

Refer to CSCuv21820.

 

My recommendation is to create a TAC Case.  

Based on CSCuj42438, it looks like a lot of people are opening TAC cases.

Unfortunately, the response is to use Firefox, or to "Upgrade to PI 2.2 (or to 2.2 then to 3.0)."  I'm looking for clarification on the second option because the problem persists on 2.2.

Prime 2.2 - at least a fully patched one - doesn't exhibit the problem.

Here's a screen shot from one:

Thank you all for discovering the workaround.

 

lauterbachluke - Did you upgrade to PI 3.0? If so, does the problem still exist? Is Cisco going to fix the issue with a patch? I'm using PI 2.1.2.

 

Thanks all.

Bigoncisco
Level 1

Here is a link to an excellent article about the Server has a weak ephemeral Diffie-Hellman public key ... ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error.

HANS VASTERS
Level 1

An easy way to overcome this problem is to go back to Chrome Version 44 to get it to work again with PI 2.0 and PI 2.1.

To do that go to the directory

C:\Program Files (x86)\Google\Chrome\Application

  • rename chrome.exe
  • rename old_chrome.exe to chrome.exe

Then the version 44 of Chrome is used. It is also not updated.

Easier solution :-)

Create a shortcut with the command

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Hello Hans Vasters!

Thanks for this workaround, but can you explain what this "cipher-suite-blacklist" command puts on the blacklist? Sorry if I ask a stupid question ;)

Greetings Reinhard
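
Added example (not part of any post in this thread, and not Cisco or Google code): the IDs in the flag above are TLS cipher suite numbers, and every one of them uses ephemeral Diffie-Hellman (DHE) key exchange. The sketch decodes them and models server-preference negotiation with constructed server and client lists, showing that the flag steers the session to static RSA key exchange, which sidesteps the weak DH key check but gives up forward secrecy.

```python
# Added example: decode the --cipher-suite-blacklist value quoted in the thread
# and model its effect on negotiation. Server/client lists below are constructed.
BLACKLIST = ("0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,"
             "0x0066,0x0032,0x0033,0x0016,0x0013")

# TLS cipher suite IDs. 0x0066 is a pre-standard ID known to NSS/OpenSSL,
# not an IANA-named suite; the rest are IANA registry names.
SUITES = {
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # not blacklisted
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",    # not blacklisted
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",    # not blacklisted
}
# Constructed: a server that prefers DHE, and what a browser might offer.
SERVER_PREF = [0x0039, 0x0033, 0x0035, 0x002F]
CLIENT_OFFER = [0x0033, 0x0039, 0x002F, 0x0035, 0x000A]

def parse_ids(flag_value):
    """Split the flag's comma-separated hex list into integers."""
    return [int(tok, 16) for tok in flag_value.split(",")]

def key_exchange(suite_id):
    """Key-exchange part of the suite name, e.g. 'DHE_RSA' or 'RSA'."""
    return SUITES[suite_id][len("TLS_"):].split("_WITH_")[0]

def negotiate(server_pref, client_offer):
    """Server-preference selection: first server suite the client offers."""
    return next((s for s in server_pref if s in client_offer), None)

def compare(flag_value=BLACKLIST):
    """Suite chosen without the flag, and with the flag applied."""
    blocked = set(parse_ids(flag_value))
    allowed = [s for s in CLIENT_OFFER if s not in blocked]
    return negotiate(SERVER_PREF, CLIENT_OFFER), negotiate(SERVER_PREF, allowed)

if __name__ == "__main__":
    for sid in parse_ids(BLACKLIST):
        print(f"0x{sid:04X}  {key_exchange(sid):8}  {SUITES[sid]}")
    for label, sid in zip(("without flag", "with flag"), compare()):
        print(f"{label}: {SUITES[sid]} (key exchange {key_exchange(sid)})")
```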
