UCSD - Chrome Update - Server has a weak ephemeral Diffie-Hellman public key

hoogman01
Level 1

We were recently blessed with the latest Chrome update which rendered the UCSD inaccessible to our Chrome users due to the following error - Server has a weak ephemeral Diffie-Hellman public key. We were able to resolve the issue by updating the ciphers that are currently utilized by Tomcat.

  1. Log in to UCSD as root via PuTTY
  2. cd to /opt/infra/web_cloudmgr/apache-tomcat/conf/
  3. VI the servers.xml
  4. Browse to the line containing ciphers=
  5. Replace the string with
    1. ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  6. Save/Exit
  7. su - shelladmin
  8. Stop Services
  9. Start Services
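
The cipher list in the post above contains only ECDHE and static RSA suites, so no finite-field DHE suite is offered any more. The following check is an added example, not part of the original post or of Cisco's tooling: it reads a Tomcat `server.xml` and reports which TLS connectors still list DHE suites. The sample XML is constructed, and it assumes comma-separated JSSE suite names and an `SSLEnabled="true"` connector attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the appliance's real file: one connector still
# lists finite-field DHE suites, one uses suites from the post's list.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8443" SSLEnabled="true" scheme="https"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def is_ffdhe(suite):
    """True for finite-field DH(E) key exchange; ECDHE and static RSA are not."""
    kx = suite.strip().split("_WITH_")[0]  # e.g. 'TLS_DHE_RSA'
    return kx.split("_", 1)[-1].startswith(("DHE_", "DH_"))


def audit(server_xml):
    """Map each TLS connector port to the DHE suites it still lists.

    A connector without a ciphers attribute maps to None: it falls back to
    the JVM defaults, which this check cannot see.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no cipher negotiation
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings[conn.get("port")] = None
            continue
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        findings[conn.get("port")] = [s for s in suites if is_ffdhe(s)]
    return findings


if __name__ == "__main__":
    for port, weak in audit(SAMPLE_SERVER_XML).items():
        print(port, "no ciphers attribute" if weak is None else weak or "ok")
```

To check a real file, pass its contents to `audit()` instead of the sample string; an empty list for a port means that connector lists no DHE suites.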

tad.smith
Level 1

This worked perfectly, thanks! One small edit, though: it is server.xml that needs to be edited and not servers.xml.

snoopj123
Level 4

I've also been told that upgrading to, I believe, 5.3 should resolve the issue.  I know I did something similar to this on 5.2.0.1, but upgrading my test environment to 5.3.1.2 from 5.2.0.1 seemed to correct this as well.

hoogman01
Level 1

I'm currently running 5.3.0.1 and was having the issue. I also ran this by Cisco and they said a fix would be coming in 5.3.2.0.

Good to know.  After all the changes I did to the environment, I just figured the upgrade fixed it.  I was also told by a Cisco contact that it should have been fixed already.  So much for that. 

amerzec2015
Level 1

There is a bug fixed for this in the just released 5.3.2.0 version: CSCuv34350: UCSD failed on Cipher Suite checking with Firefox v39.


So anyone just facing this issue, two options:

1. Fix server.xml as described above (workaround)

2. Update to 5.3.2.0 (official bugfix)
