
Problem: Chrome and Firefox recently updated and suddenly stopped allowing connections to your SMP3 Admin, and possibly your applications, giving you the error “Server has a weak ephemeral Diffie-Hellman public key”.

[Screenshot of the browser error: WeakDHkey.png]

This is an attempt by the browsers to protect you from connecting to a server that is using outdated cipher settings, which could expose the connection to the recently published SSL vulnerability “Logjam”.

The ciphers used by SMP3 SP08 and prior server versions default to obsolete choices. I believe this is being updated for the SMP3 SP09 release. However, in the meantime you can make a similar change to your server yourself to update the ciphers, using the following procedure.

The quickest fix is to just remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA from the default ciphers list; that removes the one Chrome is complaining about. You can also update the ciphers as indicated below to add support for some of the newer ciphers. This won’t hurt anything, but I also don’t know which ones are actually used or supported by the browsers.

Solution:

  • Stop the SMP3 server.
  • Edit the Server\confg_master\org.eclipse.gemini.web.tomcat\default-server.xml file.
  • Find the ciphers line in each of the following Connector tags and replace the value with the ciphers below.
    • Connector smpConnectorName="oneWaySSL"
    • Connector smpConnectorName="AdminSSL"
    • Connector smpConnectorName="mutualSSL"
    • ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  • Save and restart the SMP3 server. Connections from Chrome and Firefox should no longer give that error.

The key is to remove the TLS_DHE_* ciphers. This list probably contains more options than you will need, but I leave it to you to determine which ones you want to support.

For Agentry clients, be sure to test each device you will be using BEFORE making this change in production. If your device does not support the newer ciphers it will probably fail to connect, and you may need to either update your device or re-enable the obsolete cipher.
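To apply the procedure above consistently (and to audit a server afterwards), here is an added example, not part of the original post or of SMP3: it rewrites the ciphers attribute of the three named Connector tags to drop every TLS_DHE_* suite while leaving the rest of the file untouched, and reports any DHE suite still offered. The XML fragment is constructed for illustration; the connector names come from the post.

```python
import re

# Constructed sample in the shape of the SMP3 default-server.xml described in the post
# (not the real file). Two SSL connectors still offer finite-field DHE suites.
SAMPLE_XML = '''<Server>
  <Connector smpConnectorName="oneWaySSL" port="8081"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  <Connector smpConnectorName="AdminSSL" port="8083"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
  <Connector smpConnectorName="http" port="8080" />
</Server>'''

TARGET_CONNECTORS = {"oneWaySSL", "AdminSSL", "mutualSSL"}   # names from the post
DHE_PREFIXES = ("TLS_DHE_", "SSL_DHE_")   # finite-field DHE only; ECDHE is not affected by Logjam

_CONNECTOR_RE = re.compile(r"<Connector\b[^>]*?/?>", re.S)
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def strip_dhe(cipher_list: str) -> str:
    """Return the comma-separated list with every DHE suite removed, order preserved."""
    suites = [c.strip() for c in cipher_list.split(",") if c.strip()]
    return ",".join(c for c in suites if not c.startswith(DHE_PREFIXES))

def rewrite_connectors(xml_text: str, targets=TARGET_CONNECTORS) -> str:
    """Rewrite only the ciphers attribute of the targeted Connectors; everything else is kept verbatim."""
    def fix(match):
        tag = match.group(0)
        attrs = dict(_ATTR_RE.findall(tag))
        if attrs.get("smpConnectorName") not in targets or "ciphers" not in attrs:
            return tag
        new_list = strip_dhe(attrs["ciphers"])
        return re.sub(r'ciphers\s*=\s*"[^"]*"', lambda _: f'ciphers="{new_list}"', tag, count=1)
    return _CONNECTOR_RE.sub(fix, xml_text)

def remaining_dhe(xml_text: str) -> list:
    """Audit: (connector name, suite) for every DHE suite any Connector still offers."""
    found = []
    for m in _CONNECTOR_RE.finditer(xml_text):
        attrs = dict(_ATTR_RE.findall(m.group(0)))
        for suite in attrs.get("ciphers", "").split(","):
            if suite.strip().startswith(DHE_PREFIXES):
                found.append((attrs.get("smpConnectorName"), suite.strip()))
    return found

if __name__ == "__main__":
    # On a real server: stop SMP3, read default-server.xml, write the result back, restart.
    print("before:", remaining_dhe(SAMPLE_XML))
    fixed = rewrite_connectors(SAMPLE_XML)
    print("after:", remaining_dhe(fixed))
    print(fixed)
```

Run the audit function against the file after the restart as well; if any DHE suite is still listed on an SSL connector, the browser error will persist.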


33 Comments


  1. Kenichi Unnai

    Thanks for sharing this. This issue should happen with SAP HANA Cloud Connector too. The solution seems a bit different than SMP3.

    As you’ll find in the default-server.xml, the cipher attribute is commented out:

        <!-- add a list of secure ciphers that work with your JCE implementation,
             e.g. the JCE implementation of SAP JVM 7.1 will work with the following settings:
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" -->

    So the solution for SCC is to copy&paste this cipher attribute into the <Connector port="8443"… tag and get rid of the items which start with “TLS_DHE_*”.

    Looks like the browser can now open the Cloud Connector login.

    1. Govardhan Porla

      Hi Bill,

      Thanks for the wonderful blog. It worked for me in the Windows environment, but when I tried it in the Linux environment the server gives the below error.

      This webpage is not available

      Please suggest if you have any recommendation here.

      Regards,

      Govardhan.

  2. Hemendra Sabharwal

    Thank you so much Bill, we were facing the same problem. It was impacting us badly, because we were not able to run even our native Android app for the client, which accesses the non-SAP/SAP back-end through SMP. I am going to implement your suggested changes, and hope everything will be fine from now on.

    Warm Regards

    Hemendra

  3. George Lazaridis

    Hi,

    Has anyone tried to fix the same on SMP 2.3?

    I have 2 versions installed on my servers and, while it is fixed for 3.0, I am struggling to find where the cipher properties sit on 2.3.

    Thanks

    George Lazaridis

  4. Sushmitha Nuthalapati

    Hi Bill,

    This is really a great blog. Thanks for the info and solution. However, one of our customers is having a similar issue on SMP2.3. This solution doesn’t work for SMP2.3, as we can’t find the ciphers path in the 2.3 setup.

    Please help us on this.

    Kind Regards,
    Sushmitha

    1. Bill Froelich Post author

      I don’t believe JVM 7 will fix this issue, as it is a cipher issue with the platform more so than a Java version issue. I don’t do much with SMP 2.3, so I will have to look into it if I can get a system up.

      –Bill

            1. Kevin Bates

              In 2.3.6 you can edit the security profile in SCC to add/remove encryption algorithms, have you tried that? Select the profile and then select Ciphers.

              Regards,

              Kevin

              1. Sushmitha Nuthalapati

                Hi Kevin,

                From the list of ciphers given in the solution for SMP3.0 (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA), only the bolded ciphers are available, and they are already added in SCC 2.3. So, no luck with this solution.

                Cheers,
                Sushmitha

                          1. Kevin Bates

                            Sorry, I just realized you are talking about SCC and not SMP. Not enough coffee yet this morning. Port 8283 is the SCC server, so making these adjustments in SMP has no impact. Let me look at the SCC config.

                            Regards,

                            Kevin

                              1. Jitendra Kansal

                                Ervin Szolke

                                The ‘SCC’ (Sybase/SAP Control Center) Sushmitha is talking about is the administration portal of Sybase Unwired Platform 2.x releases. <<listens on default port 8283>>

                                The link you have shared is talking about SAP HANA Cloud Connector (SCC). <<listens on default port 8443>>

                                Regards,

                                JK

  5. David Clegg

    SAP has been aware of the weak DH key issue for quite some time. SMP 3.0 SP09 will include SAP JVM 8.0 where the stronger DH keys are used by default. JVM 8.0 also has support for a system property…

    -Djdk.tls.ephemeralDHKeySize=2048

    to provide explicit control. The key size for JVM 7 is hard coded into a Sun JCE library and there is no way to change it.

    For now, removing the DHE cipher is the only workaround.

    Later versions of JCE are also offering some newer ciphers – thinking of the ECDH ones –

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    which are not vulnerable to this particular issue. One of the problems with recommending those, though, is that many mobile operating systems have not implemented these latest ciphers, so it would have to be trial and error for customers to see what happens to work across the various mobile devices their users are using. Of course for the https:8083 admin port that wouldn’t be a concern. Hopefully customers are using a modern browser for the Admin cockpit.

  6. Bill Froelich Post author

    Yes, I successfully tested the WPF client against my SMP3 server after making this change. Everything connected as expected. My test was on a Win 8 client, but I would not expect any different results under Win 7.

    –Bill

  7. Tomasz Sobkowiak

    Hi Everyone,

    I had the same issue with SMP 2.3 SP04 and finally I have figured out how to fix (work around) this problem. All I did was set the following environment variables: SCC_HOME (C:\SAP\SCC-3_2) and SCC_JAVA_HOME (C:\Program Files\Java\jre7). Then I stopped the SAP Control Center service and started it from CMD: "C:\SAP\SCC-3_2\bin\scc.bat".

    Now I am able to open the SCC in Chrome using an encrypted TLS 1.2 AES_128_CBC connection.

    Good luck!

    Regards,

    TS

  8. Søren Hansen

    Hi All.

    Just a note: If you don’t want to perform changes to your SMP server, you can also fix this in the browser.

    For Chrome you can start it up using: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033

    This will blacklist the two ciphers:

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)

    And I guess the server will then use others (I am NOT an expert in this area).

    This way you can still use Chrome to access the SMP Admin Cockpit, without changing anything on the SMP server.

    Brgds,

    Søren Hansen
