Problem: Chrome and Firefox recently updated and suddenly stopped allowing connections to your SMP3 Admin, and possibly to your applications, giving the error "Server has a weak ephemeral Diffie-Hellman public key".
This is the browsers' way of protecting you from connecting to a server whose outdated cipher settings expose it to the recently published SSL vulnerability "Logjam".
The ciphers used by SMP3 SP08 and prior server versions default to obsolete choices. I believe this is being updated for the SMP3 SP09 release. In the meantime, you can make a similar change to your server yourself and update the ciphers using the following procedure.
The quickest fix is to remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA from the default ciphers list; that is the suite Chrome is complaining about. You can also update the ciphers as shown below to add support for some of the newer suites. This won't hurt anything, but I also don't know which ones are actually used or supported by the browsers.
Solution:
- Stop the SMP3 server.
- Edit the Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml file.
- Find the ciphers line in each of the following Connector tags and replace the value with the ciphers below:
  - Connector smpConnectorName="oneWaySSL"
  - Connector smpConnectorName="AdminSSL"
  - Connector smpConnectorName="mutualSSL"
- ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
- Save and restart the SMP3 server. Connections from Chrome and Firefox should no longer give that error.
The key is to remove the TLS_DHE_* ciphers; the TLS_ECDHE_* suites that remain in the list still give forward secrecy to clients that support them. This list probably contains more options than you will need, but I leave it to you to determine which ones you want to support.
For Agentry clients, be sure to test each device you will be using BEFORE making this change in production. If your device does not support the newer ciphers it will probably fail to connect, and you may need to either update your device or re-enable the obsolete cipher.
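To apply the same edit consistently to all three connectors, here is an added Python example (not code from the original post or from SAP) that strips every TLS_DHE_* suite from the ciphers attribute of the named Connector tags and reports any connector where the attribute is missing and has to be added by hand. The XML it works on is a constructed stand-in for default-server.xml, not the real file.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the Connector tags in default-server.xml
# (not the real SMP3 file; unrelated attributes are omitted).
SAMPLE_XML = """<Server>
  <Service>
    <Connector smpConnectorName="plainHTTP" />
    <Connector smpConnectorName="oneWaySSL"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
    <Connector smpConnectorName="AdminSSL"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" />
    <Connector smpConnectorName="mutualSSL" />
  </Service>
</Server>"""

# The three SSL connectors the post tells you to edit.
SSL_CONNECTORS = {"oneWaySSL", "AdminSSL", "mutualSSL"}


def strip_dhe(cipher_list: str) -> str:
    """Drop every TLS_DHE_* suite (the ones hit by the weak DH key) and
    return the remaining comma-separated list with whitespace normalised."""
    kept = []
    for suite in cipher_list.split(","):
        suite = suite.strip()
        if suite and not suite.startswith("TLS_DHE_"):
            kept.append(suite)
    return ",".join(kept)


def harden_connectors(xml_text: str):
    """Return (updated XML, report). report maps connector name -> cleaned
    cipher list, or None when the ciphers attribute is absent (for example
    still commented out) and must be added manually."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        name = conn.get("smpConnectorName")
        if name not in SSL_CONNECTORS:
            continue  # non-SSL connectors carry no cipher list
        ciphers = conn.get("ciphers")
        if ciphers is None:
            report[name] = None
            continue
        cleaned = strip_dhe(ciphers)
        conn.set("ciphers", cleaned)
        report[name] = cleaned
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = harden_connectors(SAMPLE_XML)
    for name, value in report.items():
        print(name, "->", value if value is not None else "no ciphers attribute, add one manually")
```

After restarting SMP, `openssl s_client -cipher 'DHE' -connect <host>:8083` (host is a placeholder) should fail to complete the handshake, which confirms that no DHE suite is offered any more.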
Thanks for sharing this. This issue should happen with SAP HANA Cloud Connector too. The solution seems a bit different than SMP3.
As you'll find in the default-server.xml, the cipher attribute is commented out:
--
<!-- add a list of secure ciphers that work with your JCE implementation,
e.g. the JCE implementation of SAP JVM 7.1 will work with the following settings:
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" -->
--
So the solution for SCC is to copy & paste this cipher attribute into the <Connector port="8443"... tag and get rid of the items that start with "TLS_DHE_".
It looks like the browser can now open the Cloud Connector login.
Hi Bill,
Thanks for the wonderful blog. It worked for me in the Windows environment, but when I tried it in the Linux environment I am getting the error below from the server.
This webpage is not available
Please suggest if you have any recommendation here.
Regards,
Govardhan.
Hi,
as for the cloud connector take a look at this:
http://scn.sap.com/community/developer-center/cloud-platform/blog/2015/09/09/cloud-connector-and-errsslweakserverephemeraldhkey-with-chrome
Regards,
Ervin
Thank you so much Bill, we were facing the similar problem. It was impacting us badly, because we were not able to run even our Native Android App for Client, which is accessing Non-SAP/SAP back-end through SMP. I am going to implement your suggested changes, and hope everything would be fine now onward.
Warm Regards
Hemendra
Great Bill, it worked for me. I am able to access "SMP Admin" in chrome. Now let me check the same for "Android Native App" SMP connection.
Hi,
Has anyone tried to fix the same on SMP 2.3?
I have two versions installed on my servers, and while it is fixed for 3.0, I am struggling to find where the cipher properties sit on 2.3.
Thanks
George Lazaridis
Hi Bill,
This is really a great blog. Thanks for the info and solution. However, one of our customers is having a similar issue on SMP2.3. This solution doesn't work for SMP2.3 as we don't find the ciphers path for the 2.3 setup.
Please help us on this.
Kind Regards,
Sushmitha
Hi Bill Froelich,
I have the same question. I have SMP 2.3 with SP06 on my system; what is the fix for it? Will JVM 7 be the solution for it?
Regards,
Nagesh
I don't believe JVM 7 will fix this issue as it is a cipher issue with the platform more so than a java version issue. I don't do much with SMP 2.3 so I will have to look into it if I can get a system up.
--Bill
Thanks Bill.
Looping in Ali Chalhoub and Kevin Bates
Any fix for 2.3 version?
Regards,
Nagesh
Hi,
Can you try manually adding the above entries in the default-application-server.xml (servers/unwiredserver/config) file and check?
Regards,
Govardhan.
Regards,
Kevin
Hi Kevin,
From the list of ciphers given in solution on SMP3.0, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA
only the bolded ciphers are available and are already added in SCC 2.3. So, no luck with this solution.
Cheers,
Sushmitha
Hi Kevin,
I guess this should solve.
Regards,
Nagesh
Hi Nagesh,
This solution didn't work in Chrome again.
Cheers,
Sushmitha
I would guess that you want to remove all TLS_DHE_* entries and then try connecting with Chrome.
--Bill
I tried removing all the TLS_DHE_* ciphers, but no success yet.
Cheers,
Sushmitha
Sushmitha,
Make sure you restart the SMP server after each change as ciphers are loaded at startup.
Regards,
Kevin
Kevin,
I already restarted the server once the cipher changes happened. Still getting the same error.
Kind Regards,
Sushmitha
Sorry, I just realized you are talking about SCC and not SMP. Not enough coffee yet this morning. Port 8283 is the SCC server so making these adjustments in SMP has no impact. Let me look at the SCC config.
Regards,
Kevin
Hi,
Did you check this new blog? It might be useful if you run into problems with SCC:
http://scn.sap.com/community/developer-center/cloud-platform/blog/2015/09/09/cloud-connector-and-errsslweakserverephemeraldhkey-with-chrome
Cheers,
Ervin
Ervin Szolke
The 'SCC' (Sybase/SAP Control Center) that Sushmitha is talking about is the administration portal of Sybase Unwired Platform 2.x releases. <<listens on default port 8283>>
The link you have shared is talking about SAP HANA Cloud Connector (SCC). <<listens on default port 8443>>
Regards,
JK
Ouch, sorry. I did not know that. Perhaps we should change all 3 letter abbreviations to 4 or 5 letters. 🙂
Just like SMP is Service MarketPlace, right? 😀
Cheers, Mike
SAP Technology RIG
Exactly! 🙂
MDM (Master Data Management vs. Mobile Device Management).
ADS (Adobe Document Services vs. Advantage Database Server)
FYI, I requested development take a look. I can't figure out how to edit the cipher suites on SCC Jetty.
Regards,
Kevin
Thank you.
Hi Govardhan,
I have tried doing that, but there is no cipher property in that file whose values I could replace.
Kind Regards,
George Lazaridis
SAP has been aware of the weak DH key issue for quite some time. SMP 3.0 SP09 will include SAP JVM 8.0 where the stronger DH keys are used by default. JVM 8.0 also has support for a system property...
-Djdk.tls.ephemeralDHKeySize=2048
to provide explicit control. The key size for JVM 7 is hard coded into a Sun JCE library and there is no way to change it.
For now, removing the DHE cipher is the only workaround.
Later versions of JCE are also offering some newer ciphers - thinking of the ECDH ones -
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
which are not vulnerable to this particular issue. One of the problems with recommending those, though, is that many mobile operating systems have not implemented these latest ciphers, so it would have to be trial and error for customers to see what happens to work across the various mobile devices their users are using. Of course, for the https:8083 admin port that wouldn't be a concern. Hopefully customers are using a modern browser for the Admin cockpit.
Yes, I successfully tested the WPF client against my SMP3 server after making this change. Everything connected as expected. My test was on a Win 8 client but I would not expect any different results under Win 7.
--Bill
Hi Everyone,
I had the same issue with SMP 2.3 SP04 and finally I have figured out how to fix (workaround) this problem. All I have done was setting up the following environment variables: SCC_HOME (C:\SAP\SCC-3_2) and SCC_JAVA_HOME (C:\Program Files\Java\jre7). Then I stopped the SAP Control Center service and started it from CMD: "C:\SAP\SCC-3_2\bin\scc.bat".
Now I am able to open the SCC in chrome using an encrypted connection TLS1.2 AES_128_CBC.
Good luck!
Regards,
TS
Hi All,
Just a note: If you don't want to perform changes to your SMP server, you can also fix this in the browser.
For Chrome you can start it up using: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033
This will blacklist the two ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
And I guess the server will then use others (I am NOT an expert in this area).
This way you can still use Chrome to access SMP Admin Cockpit, without changing anything on the SMP server.
Brgds,
Søren Hansen