dhe exchange warnings confusing people
Good day.
We're starting to see the error from our user base and our employees.
Looks like this: An error occurred during a connection to gb-dc3-bm09.liquidweb.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
What I don't understand about this error is it's saying it cannot communicate because of a weak key - ok. That is fine.
Is there a reason the cipher isn't disabled in the first place? I feel it's confusing to people, and if disabling the cipher with the weak key support results in the fix, I think it would be a smarter move instead of throwing the said warning.
All Replies (3)
That happens when users go to HTTPS websites that are using older security with an up-to-date web browser that has the most recent security patches for known exploits.
Users can "allow" per domain through a hidden preference in Firefox, but that isn't easy for the "average user", nor is it advised. Each website needs to fix their security on their server, to protect the users of their website.
Logjam is the latest exploit that has been fixed and is causing issues in the latest browser versions which have the 'patches'. Mid-May 2015 is when it came to light in public by security researchers. Browser developers were informed months before to allow them time to develop 'patches' or to deprecate the involved protocols. https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html
Firefox 39 includes a fix for the Logjam vulnerability and has disabled weak DHE cipher suites that are involved with the Logjam attack.
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
Logjam: How Diffie-Hellman Fails in Practice:
See also:
cor-el & the-edmeister
Thanks for the responses! Certainly more info is helpful. I wanted to let you know I understand the aspects behind this issue, but the info is excellent.
More towards what I was wanting to convey is the following:
The warning is confusing.
The browser allows the connection in the config.
The browser throws a warning.
Disable the support for the weak key and on a majority of sites the confusion goes away due to a higher bit key being exchanged at connection and things work without said confusion.
I also am confused because I thought that previous to these warnings we / Mozilla and other browsers disabled the ssl3 based protocol connections.
So I'm wondering if some type of change occurred either planned or unexpectedly due to possible regression.