
PI 2.1 and Firefox 39

kurdtkuei
Level 1

Hi, it seems that PI 2.1 is using unsafe SSL encryption with DHE, which is blocked by the new version of Firefox 39.

 

The error is

An error occurred during a connection to prime.xxx.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

 

Apart from changing Firefox settings, what are the other solutions to that issue? Changing the certificate doesn't help.

 

Thank you,

Robert


 

Accepted Solution

Freerk Terpstra
Level 7

This issue is fixed in Prime Infrastructure 2.2.1. Since that release, SSLv3 is disabled, so you can only use TLS, and with strong ciphers as well.

Please rate useful posts :-)


11 Replies

I also am seeing this issue with UCCX 9.0.2SU2.

 

Thanks,

Robert B.

Does anyone know a specific bug id for this issue?

Of the two mentioned earlier in this thread, one is for Cisco Social Miner (CSCuu82529), and the other is for UCCX (CSCuu82538).

Thanks

Gilmar Silva
Level 1

Hello Robert,

 

I only found a workaround in the link below (no definitive solution yet):

 

https://support.mozilla.org/pt-BR/questions/1066238

 

Workaround for Firefox 39 and above:

1) In Firefox, enter "about:config" in the URL field and press enter.

2) Accept the "This might void your warranty!" warning :)

3) In the search field at the top, enter "security.ssl3.dhe_rsa_aes"

4) Double click each result (128 and 256) to toggle the Value to "false"

Now retry your site - it should work now. Remember to change these settings back when you're done.

 

Thanks to "higherdestiny" who posted the answer.
 

Regards,

 

Gilmar Silva

Thanks Gilmar.  Works like a charm.

This is a good workaround. Thank you Gilmar.

I'm also having the issue with UCCX 10.0

Is there a fix? Because changing the Firefox options back and forth as proposed above is not really a permanent solution.

Hello Matthieu,

I found two bugs (CSCuu79565 and CSCuu82538), but there is no fixed release yet (only the same workaround).

 

Regards,

 

Gilmar Silva

An up-to-date PI 2.2.2 does not have the problem.

Likewise with 3.0.

Nickolus Looper
Level 1

I'm a little confused that there is no fix for PI 2.1, as 2.1 is still current - there has been no EoL announcement.

Or does product support just apply to the major rev # (2.x)?

Thanks

Nick

Depending on the mechanics of a given fix, it may or may not be applied to all active releases of a given product.

If you have 2.1 and support, you are entitled to upgrade to 2.2 or even 3.0.

If you really don't want to and cannot upgrade for some other reason, you can open a TAC case and see if a patch can be made available for your use case.
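
To check whether a server still presents the weak ephemeral Diffie-Hellman key from the error in the original post (for example, before and after the upgrade discussed in this thread), the sketch below classifies the `Server Temp Key` line that `openssl s_client` prints. It is an added example, not part of any post in this thread and not Cisco tooling; the function names, the `MIN_DH_BITS` threshold and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the ephemeral key a TLS server presents, using `openssl s_client` output.
# MIN_DH_BITS is an assumed local policy threshold, not a value from the thread.
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

# Constructed sample lines in the format s_client prints (not captured from a real host).
SAMPLE_WEAK='Server Temp Key: DH, 768 bits'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDHE='Server Temp Key: ECDH, P-256, 256 bits'

# Reads s_client output on stdin and prints one of:
#   WEAK_DH <bits>   finite-field DHE key below MIN_DH_BITS
#   OK_DH <bits>     finite-field DHE key at or above MIN_DH_BITS
#   NOT_DHE <kind>   ephemeral key is not finite-field DH (e.g. ECDH)
#   NO_TEMP_KEY      no Server Temp Key line (handshake failed or no ephemeral exchange)
classify_temp_key() {
    awk -v min="$MIN_DH_BITS" '
        /Server Temp Key:/ {
            found = 1
            sub(/^.*Server Temp Key:[ \t]*/, "")   # keep only "DH, 1024 bits" etc.
            n = split($0, f, /,[ \t]*/)
            kind = f[1]
            bits = f[n]
            sub(/[ \t]*bits.*$/, "", bits)        # last field carries the key size
            if (kind != "DH")          { print "NOT_DHE " kind; exit }
            if (bits + 0 < min + 0)    { print "WEAK_DH " bits; exit }
            print "OK_DH " bits
            exit
        }
        END { if (!found) print "NO_TEMP_KEY" }
    '
}

# Live probe: offer only DHE suites (cipher string EDH) so that a server which
# supports them has to show its DH group size. Host and port are caller-supplied.
probe_dhe() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -cipher 'EDH' \
        </dev/null 2>/dev/null | classify_temp_key
}

# Example: probe_dhe prime.example.com 443   (placeholder hostname)
```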
