Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
Version 45.0.2454.85 (64-bit)
Worked fine yesterday. Is this a Chrome issue or a JSS issue? JSS 9.73.
I was able to log in with Chrome (Version 44.0.2403.157 m). I did have a cert issue which prompts the warning that the website has not been verified. But our Net Admin is aware of it and just has to up the trust cert to stop the pesky warning page from coming up. JSS 9.72.
You need to manually update the server.xml file on your JSS, as per these instructions: https://jamfnation.jamfsoftware.com/article.html?id=384
This doesn't happen automatically upon upgrading your JSS, although I feel it should since it's almost a necessity.
I just tried logging into JSS with Firefox (40.0.3) and am getting the same issue:
received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
This is a Cipher issue on your Server.
See here.
https://jamfnation.jamfsoftware.com/article.html?id=384
https://jamfnation.jamfsoftware.com/article.html?id=384
This worked. Seems good so far. TY for all the quick responses!
Safari seems to work if you need to get in in an emergency.
I tried to fix the server.xml file and now Tomcat will not restart.
We are seeing ephemeral Diffie-Hellman errors getting into a lot more services than just our JSS Server.
My Informacast server wouldn't let me in until a patch was installed.
Adobe's web site is asking for insecure connection exceptions. I open Photoshop and get a can't load plugin error because of security concerns.
We cannot register Google SketchUp into new student Macs, tells us the authorization key is 'just plain broke'. At least that is an error message I understand.
I think these are all related. Something's happening to security certificates all over the web.
Anyone know if the server.xml file will be updated with Casper 9.8?
If you copy and paste the above ciphers into the server.xml file the " symbol may be the reason why your Tomcat service won't start back up. I ran into this then checked what I pasted in and the " symbol was in a different font. I just deleted it and typed out the " and Tomcat started right up.
The response from mm270 did the trick for me. I was running a new 9.73 JSS and could not get in from Chrome or Firefox, so it seems the issue is not just updates from 9.72-9.73.
https://jamfnation.jamfsoftware.com/article.html?id=384
While others here have cited the need to fix your SSL connections, if you need a quick workaround to keep working while you wait for change control to approve your request, you can bypass this security measure in Firefox 40.0.3 as follows:
I had the same issue this morning and made the suggested change, which fixes my Chrome/Firefox access, but BREAKS my scripting API access to the JSS. We have a PHP based inventory system that we tie in using PHP/curl, and I have some custom scripting using Ruby/httparty, both of which are now broken. Any suggestions?
Posted: 9/4/15 at 11:37 AM by stutz
If you copy and paste the above ciphers into the server.xml file the " symbol may be the reason why your Tomcat service won't start back up. I ran into this then checked what I pasted in and the " symbol was in a different font. I just deleted it and typed out the " and Tomcat started right up.
Thanks for this! It saved me lots of head scratching when my JSS would not immediately come back up.
Tom
Posted: 9/4/15 at 11:37 AM by stutz
If you copy and paste the above ciphers into the server.xml file the " symbol may be the reason why your Tomcat service won't start back up. I ran into this then checked what I pasted in and the " symbol was in a different font. I just deleted it and typed out the " and Tomcat started right up.
Thanks for this. I have been fighting with this for a while now. I copied all of the keys without the " and then pasted between them in the original server.xml file between the quotes. Worked like a charm. Thanks again.
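Added example, not part of any post in this thread: a Python check to run against server.xml before restarting Tomcat. It flags the typographic quotes stutz describes and lists any finite-field DHE cipher suites still present in a Connector's ciphers attribute; the sample XML is constructed, and the file to check is whatever path you pass on the command line.

```python
import sys
import xml.etree.ElementTree as ET

# Typographic quotes that web pages and editors substitute for ASCII " and '
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def find_smart_quotes(text):
    """Return (line, column, char) for each typographic quote in the file text."""
    return [(ln, col, ch)
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1)
            if ch in SMART_QUOTES]

def dhe_suites(text):
    """List finite-field DHE suites in every Connector's ciphers attribute.
    Raises ET.ParseError when the XML is not well-formed."""
    suites = []
    for conn in ET.fromstring(text).iter("Connector"):
        for name in conn.get("ciphers", "").split(","):
            name = name.strip()
            # TLS_DHE_* / SSL_DHE_* use ephemeral finite-field DH; ECDHE does not match
            if name.startswith(("TLS_DHE_", "SSL_DHE_")):
                suites.append(name)
    return suites

def check_server_xml(text):
    """Combine both checks; a parse failure is reported instead of raised."""
    report = {"smart_quotes": find_smart_quotes(text), "well_formed": True, "dhe_suites": []}
    try:
        report["dhe_suites"] = dhe_suites(text)
    except ET.ParseError:
        report["well_formed"] = False
    return report

# Constructed samples (not taken from a real JSS)
PASTED = ('<Server><Service><Connector port="8443" '
          'ciphers=\u201cTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\u201d/></Service></Server>')
WEAK = ('<Server><Service><Connector port="8443" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,'
        ' TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/></Service></Server>')

if __name__ == "__main__":
    # With path arguments, check those files; otherwise run on the samples
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [PASTED, WEAK]
    for t in texts:
        print(check_server_xml(t))
```

A report with well_formed set to False means Tomcat will not be able to parse the file either, and the smart_quotes entries give the line and column to retype.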