Server has a weak ephemeral Diffie-Hellman public key

Question ID: 106444

Our application only runs on Firefox version 25 or higher and Chrome. I can launch the URL manually outside VUGEN without any issues. When I try to record a web protocol script in VUGEN using the Chrome browser, I am getting the error below:

"Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
This error can occur when connecting to a secure (HTTPS) server."

Does anyone have any input on how to resolve this issue?

Posted by (Questions: 108, Answers: 6)
Asked on October 13, 2015 12:27 pm
194 views
Answers (1)
Private answer

It appears that a secure connection cannot be established because of outdated security code on the website. In this case the browser protects your privacy by preventing you from connecting to these sites.
You can try the following options:

- Enable ECDHE and disable DHE (preferable)
- Use a 1024-bit (or larger) Diffie-Hellman group for the DHE_RSA SSL cipher suites
- Disable all DHE SSL cipher suites

You can find a reference guide on deploying Diffie-Hellman at: https://weakdh.org/sysadmin.html

The three steps are posted below from the web site:

"We have three recommendations for correctly deploying Diffie-Hellman for TLS:
1. Disable Export Cipher Suites. Even though modern browsers no longer support export suites, the FREAK and Logjam attacks allow a man-in-the-middle attacker to trick browsers into using export-grade cryptography, after which the TLS connection can be decrypted. Export ciphers are a remnant of 1990s-era policy that prevented strong cryptographic protocols from being exported from United States. No modern clients rely on export suites and there is little downside in disabling them.
2. Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE). Elliptic-Curve Diffie-Hellman (ECDH) key exchange avoids all known feasible cryptanalytic attacks, and modern web browsers now prefer ECDHE over the original, finite field, Diffie-Hellman. The discrete log algorithms we used to attack standard Diffie-Hellman groups do not gain as strong of an advantage from precomputation, and individual servers do not need to generate unique elliptic curves.
3. Use a Strong, Diffie Hellman Group. A few 1024-bit groups are used by millions of servers, which makes them an optimal target for precomputation, and potential eavesdropping. Administrators should use 2048-bit or stronger Diffie-Hellman groups with "safe" primes.

Steps (1) and (2) can be accomplished simultaneously by configuring your server to only use modern, secure cipher suites."

Posted by (Questions: 17, Answers: 266)
Answered on October 13, 2015 12:29 pm
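
A check for the condition discussed in this thread, as an added example that is not part of the original question or answer: it reads the `Server Temp Key` line that `openssl s_client` prints and grades the ephemeral key against the 1024-bit and 2048-bit figures mentioned above. The function name, verdict labels and sample outputs are constructed for illustration.

```python
import re

# Figures taken from the thread: the answer's "1024-bit (or larger)" option and
# the quoted weakdh.org advice of "2048-bit or stronger".
MINIMUM_BITS = 1024
RECOMMENDED_BITS = 2048

# Matches e.g. "Server Temp Key: DH, 768 bits",
# "Server Temp Key: ECDH, P-256, 256 bits", "Server Temp Key: X25519, 253 bits".
TEMP_KEY = re.compile(r"^Server Temp Key:\s*([A-Za-z0-9]+),.*?(\d+) bits\s*$", re.M)


def classify_temp_key(s_client_output):
    """Return (verdict, kind, bits) for the ephemeral key in s_client output."""
    match = TEMP_KEY.search(s_client_output)
    if match is None:
        # No ephemeral key was reported for this handshake.
        return ("no-ephemeral-key", None, None)
    kind, bits = match.group(1), int(match.group(2))
    if kind != "DH":
        # ECDH or X25519: the elliptic-curve exchange the answer prefers.
        return ("ok-ecdhe", kind, bits)
    if bits < MINIMUM_BITS:
        return ("below-1024", kind, bits)   # smaller than the answer's minimum
    if bits < RECOMMENDED_BITS:
        return ("below-2048", kind, bits)   # under the weakdh.org recommendation
    return ("ok-dhe", kind, bits)


# Constructed sample outputs (not captured from a real server). Real input
# would come from: openssl s_client -connect HOST:443 -cipher EDH
SAMPLES = {
    "dhe-768": "---\nNo client certificate CA names sent\n"
               "Server Temp Key: DH, 768 bits\n---\n",
    "dhe-1024": "---\nServer Temp Key: DH, 1024 bits\n---\n",
    "dhe-2048": "---\nServer Temp Key: DH, 2048 bits\n---\n",
    "ecdhe": "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n",
    "static-rsa": "---\nSSL handshake has read 3000 bytes\n---\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, classify_temp_key(text))
```
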
EyeOnTesting