I upgraded Firefox today and found that a previously accessible website was blocked with the message "Error connecting to 10.0.0.5. SSL received a weak ephemeral Diffie-Hellman key in the server key exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)", as shown below.
There are three workarounds:
Method 1: Fix the server. Modify the Tomcat configuration so that the DHE cipher suites are no longer offered: set an explicit `ciphers` attribute on the HTTPS Connector in server.xml that lists only ECDHE and RSA key-exchange suites, as follows:
```xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystoreFile="/usr/local/apache-tomcat-7.0.62/tomcat.key"
           keystorePass="aaa"/>
```
Apache httpd and Nginx have equivalent cipher-suite settings; consult their documentation for the corresponding directives.
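Two checks help confirm that Method 1 actually took effect: that no SSL-enabled Connector in server.xml still offers a finite-field DH suite, and that the key the server really sends in the handshake (the `Server Temp Key` line printed by `openssl s_client`) is not a short DH group. The script below is an added example written for this page, not code from the original post or from Tomcat; the XML and the `s_client` excerpts are constructed samples, and the 1024-bit threshold is assumed to be the limit Firefox 39 started enforcing. Note that Methods 2 and 3 only change the client, so every other browser still receives the weak key; this check targets the server side, which is the only place the problem is actually fixed.

```python
"""Audit helpers for the weak-DHE failure discussed above (constructed example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Cipher-suite prefixes whose key exchange is finite-field Diffie-Hellman
# (ephemeral DHE, static DH, or anonymous DH_anon). ECDHE suites start with
# TLS_ECDHE_ and are deliberately not matched.
_DH_KEX = re.compile(r"^(TLS|SSL)_DHE?_")

# Assumption: the client rejects finite-field DH groups shorter than 1024 bits
# (the Logjam-era threshold Firefox 39 introduced).
MIN_DH_BITS = 1024

# "Server Temp Key:" line printed by `openssl s_client` (OpenSSL 1.0.2 and later),
# e.g. "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits".
_TEMP_KEY = re.compile(
    r"Server Temp Key:\s*(?P<kex>[A-Za-z0-9]+)(?:,\s*(?P<curve>[^,\n]+))?,\s*(?P<bits>\d+) bits"
)


def dh_suites_in_connectors(server_xml: str) -> Dict[str, List[str]]:
    """Map each SSL-enabled Connector port to the DH-based suites it still offers.

    An empty list means the Connector cannot negotiate finite-field DH at all,
    which is the state Method 1 aims for.
    """
    root = ET.fromstring(server_xml)
    report: Dict[str, List[str]] = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers", "").strip()
        if not ciphers:
            # No explicit list: the JVM default applies, which includes DHE suites.
            report[port] = ["<no ciphers attribute: JVM default list, includes DHE>"]
            continue
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        report[port] = [s for s in suites if _DH_KEX.match(s)]
    return report


def temp_key_verdict(s_client_output: str, min_bits: int = MIN_DH_BITS) -> Dict[str, object]:
    """Classify the ephemeral key a server actually sent.

    Returns kex/curve/bits from the "Server Temp Key" line and weak=True only
    for finite-field DH below min_bits, the exact condition behind
    ssl_error_weak_server_ephemeral_dh_key. ECDH/X25519 keys are never flagged,
    and a missing line (RSA key exchange, or older OpenSSL) yields kex=None.
    """
    m = _TEMP_KEY.search(s_client_output)
    if not m:
        return {"kex": None, "curve": None, "bits": None, "weak": False}
    bits = int(m.group("bits"))
    kex = m.group("kex")
    return {
        "kex": kex,
        "curve": m.group("curve"),
        "bits": bits,
        "weak": kex == "DH" and bits < min_bits,
    }


# --- constructed sample inputs -------------------------------------------------
# Port 8443 carries a hardened ciphers attribute in the style of Method 1; port
# 8444 is a second Connector that still lists DHE suites (constructed for the example).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
    keystoreFile="/path/to/tomcat.key" keystorePass="changeit"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Constructed excerpts of `openssl s_client -connect host:8443` output.
WEAK_DH_OUTPUT = "SSL handshake has read 2133 bytes\n---\nServer Temp Key: DH, 768 bits\n---"
ECDHE_OUTPUT = "---\nServer Temp Key: ECDH, P-256, 256 bits\n---"

if __name__ == "__main__":
    print(dh_suites_in_connectors(SAMPLE_SERVER_XML))
    print(temp_key_verdict(WEAK_DH_OUTPUT))
    print(temp_key_verdict(ECDHE_OUTPUT))
```

To run the handshake check against a live server, feed the script the output of `openssl s_client -connect 10.0.0.5:8443 -cipher 'DHE' < /dev/null`; forcing a DHE suite shows the DH group size the server would use for any client that still offers DHE, while a failed handshake confirms the suites are gone.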
Method 2: Install the Disable DHE add-on in Firefox.
Method 3: Open about:config and set the following four boolean preferences to false (create them if they do not exist; searching for "dhe" finds them):
- security.ssl3.dhe_dss_aes_128_sha
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
- security.ssl3.dhe_rsa_des_ede3_sha
This issue occurs in Firefox 39 and above.