Firefox v39 Issues connecting to JSS

Stonham
New Contributor II

Hi All,

I just updated to Firefox 39 and found that i could no longer connect to the JSS admin console. Firefox would throw the following error when trying to connect.

Secure Connection Failed

An error occurred during a connection to <JSS DNS>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

I believe this is cause by the team over at Mozilla being strict about allowing connections to sites that use versions of TLS that a suceptible to the LogJam vulnerability. more info here https://weakdh.org/

As a workaround i have found modifying the server.xml file in
/usr/local/jss/tomcat/conf/sever.xml

Change the line chipher string

FROM:

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

TO:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

I am still testing this out but it seems to solve the problem.

Regards,

Ash

1 ACCEPTED SOLUTION

Stonham
New Contributor II

Separating this out to highlight it as a solution.

As a workaround i have found modifying the server.xml file in
/usr/local/jss/tomcat/conf/sever.xml

Change the line chipher string

FROM:

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

TO:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

View solution in original post

28 REPLIES 28

L3nny5
New Contributor III

Having the same issue here... -> ssl_error_weak_server_ephemeral_dh_key

I'm using Chrome for Casper, no issues there...

Stonham
New Contributor II

Separating this out to highlight it as a solution.

As a workaround i have found modifying the server.xml file in
/usr/local/jss/tomcat/conf/sever.xml

Change the line chipher string

FROM:

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

TO:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

andysemak
Contributor

This fixed a separate issue for us where we couldn't view the JSS over 844.

Thanks!

zac4WHST
New Contributor

Thanks for cipher solution!

I just wanted to add my symptom for the next person because Chrome acted more vague...

  • Chrome (build 43.0.2357.130) on Fedora 21 just gave the error "ERR_INVALID_ARGUMENT".
  • Wireshark showed traffic going back and forth, but ended with JSS sending RST packets for each connection.
  • Tested with Firefox and received the same error as OP.

Oddly enough Chrome (same build number) on Windows 7 was working just fine.

itupshot
Contributor II

I just got the same error this weekend when trying to log into the JSS with Firefox 39. I then tried Safari (8.0.7), and it was able to load the web page.

cbrewer
Valued Contributor II

Since RC4 is on it's way out...

Anyone try this cipher list without the 2 RC4 ciphers? I know it shouldn't impact accessing the JSS from a modern browser, but what about client communication?

tnielsen
Valued Contributor

Thanks for the prompt solution. I was just starting to investigate this today. Saved me a few hours for sure.

You guys are great.

maclab
New Contributor

This is because of the Logjam attack on the Diffie-Hellman key exchange. You can read more at https://weakdh.org

obi-k
Valued Contributor II

I downgraded to FF 38.0.1. It works, so that's an option.

Emmert
Valued Contributor

Well, that was an easy fix to a scary problem.

bhoumikb
New Contributor III
Since RC4 is on it's way out... Anyone try this cipher list without the 2 RC4 ciphers? I know it shouldn't impact accessing the JSS from a modern browser, but what about client communication?

@cbrewer I would like to know that as well. I'm going to remove RC4 ciphers on our test server, check client communication and report findings here!

jpilege
New Contributor III

I haven't tested this on Firefox for Mac, but found a way to get through it on Firefox on Windows.

Edit: I tested this, this morning and was able to get to the JSS. I'm not sure if it took a minute to make the change, but I had to close out Firefox and relaunch it and all was well.

Go to about:config and search for security.ssl3.

Change the security.ssl3.dhe_rsa_aes_128_sha to false.
Change the security.ssl3.dhe_rsa_aes_256_sha to false.

This allows me to get it after accepting the certificate.

BVikse
New Contributor III

Thank you so much for the fast solution! I started up Firefox this morning and got the updating Firefox window and thought nothing of it. I never expected that a simple browser update would kill my access to the JSS.

Person
New Contributor III

This solved my issue I ran into this morning and was able to fix this quickly. Thank You!

dpenny
New Contributor III

We ran into an issue using Safari on Mac OS X 10.11 and this solved the issue. Thanks!

jbmiller
New Contributor III

I can confirm that this fixed our issue as well. The only slight problem we had when implementing the fix was we forgot to append the keystore back into the text after pasting it into the xml file. After copying back in from a backup of the original we were just fine.

dexterrivera
New Contributor III

@jpilege I like your suggestion better. I'd rather make a change on my browser than the server. I found that just setting security.ssl3.dhe_rsa_aes_128_sha to false worked for me.

LRZ_Jamf
Contributor

I had to change the cipher list too to make Firefox working again.... I thought I could change the Protocols too....
But the SelfService still needs TLS1.0 :-(((((

This may be the proper settings for current installs:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2, TLSv1.1, TLSv1" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 , TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"

jarednichols
Honored Contributor

If you generally want to test the cryptographic strength of your server communications, Qualys has a great test suite.

https://www.ssllabs.com/ssltest/

Secure your shit.

I have a blog post here for the noobs: https://nerdily.org/hillary-clinton

mpeski
New Contributor III

You can use the Disable DHE add-on (https://addons.mozilla.org/en-US/firefox/addon/disable-dhe/) as well to get Firefox 39 to work with the JSS admin console again.

powellbc
Contributor II

This post elaborates a little on the change suggested by @Stonham:

How to Disable Weak Ciphers and SSL 2.0 in Tomcat

Comodo has an article too, which does not reference Java/JDK 6 (which is still on our server(s).

HOW TO -- Disable weak ciphers in Tomcat 7 & 8

If I elect to update the JDK to a newer version on our JSS, I am assuming I need to generate a new keystore—is that correct? Any other potential impact?

matt_jamison
Contributor

I highly recommend removing SSL_RSA_WITH_RC4_128_SHA as it's a weak cipher and any type of SSL/TLS scan will ding you on this.

DBrowning
Valued Contributor II

@Stonham Do you have 9.72 installed for this?

Are people seeing this with 9.72 installed?

jhalvorson
Valued Contributor

I believe the JAMF recommended solution is here Configuring Supported Ciphers for Tomcat HTTPS Connections

cbrewer
Valued Contributor II

This doesn't really have anything to do with 9.72 versus 9.73, unless you've installed 9.73 from scratch.

It has everything to do with ciphers.

https://jamfnation.jamfsoftware.com/article.html?id=384

yellow
Contributor

Thanks, this fixed it for me as well.

jhalvorson
Valued Contributor

I followed the cipher directions here Configuring Supported Ciphers for Tomcat HTTPS Connections and now systems with 10.5 and older are not able to connect to the JSS and Casper Remote can't be used with them. I suspect this is a limitation in that older versions of Mac OS X don't support the stronger ciphers.

Have others observed this with 10.5 and older devices?

BelleFairy
New Contributor

Thank you so much all, Stonham's solution worked for us too!