UCSD - Chrome Update - Server has a weak ephemeral Diffie-Hellman public key

hoogman01 · ‎09-08-2015

We were recently blessed with the latest chrome update which rendered the UCSD inaccessible to our chrome users due to the following error - Server has a weak ephemeral Diffie-Hellman public key. We were able to resolve the issue by updating the ciphers that are currently utilized by tomcat.

Login to UCSD as root via putty
cd to /opt/infra/web_cloudmgr/apache-tomcat/conf/
VI the servers.xml
Browse to the line containing ciphers=
Replace the String with
1. ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
Save/Exit
su - shelladmin
Stop Services
Start Services

tad.smith · ‎09-09-2015

This worked perfect, thanks! One small edit, though, it is server.xml that needs to be edited and not servers.xml.

snoopj123 · ‎09-09-2015

I've also been told that upgrading to, I believe, 5.3 should resolve the issue. I know I did something similar to this on 5.2.0.1, but upgrading my test environment to 5.3.1.2 from 5.2.0.1 seemed to correct this as well.

hoogman01 · ‎09-09-2015

I'm currently running 5.3.0.1 and was having the issue. I also ran this by cisco and they said a fix would be coming in 5.3.2.0.

snoopj123 · ‎09-09-2015

Good to know. After all the changes I did to the environment, I just figured the upgrade fixed it. I was also told by a Cisco contact that it should have been fixed already. So much for that.

amerzec2015 · ‎09-17-2015

There is a bug fixed for this in the just released 5.3.2.0 version: CSCuv34350: UCSD failed on Cipher Suite checking with Firefox v39.

So anyone just facing this issue, two options:

1. Fix server.xml as described above (workaround)

2. Update to 5.3.2.0 (official bugfix)