Bill Froelich

Weak ephemeral Diffie-Hellman public key

Problem: Chrome and Firefox recently updated and suddenly stopped allowing connections to your SMP3 Admin and possibly your applications, giving you the error “Server has a weak ephemeral Diffie-Hellman public key”.


This is an attempt by the browsers to protect you from connecting to a server that is using outdated cipher settings, which could expose the connection to the recently published SSL vulnerability “Logjam”.

The ciphers being used by SMP3 SP08 and prior server versions are defaulting to obsolete choices.  I believe this is being updated for the SMP3 SP09 release.  However, in the meantime you can make a similar change to your server to update the ciphers using the following procedure.

The quickest fix is to just remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA from the default ciphers list.  This removes the one Google is complaining about.  You can also update the ciphers as indicated below to add support for some of the newer ciphers.  This won’t hurt anything, but I also don’t know which ones are actually used or supported by the browsers.

Solution:

  • Stop the SMP3 server
  • Edit the Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml file
  • Find the ciphers line in each of the following Connector tags and replace the value with the ciphers below.
    • Connector smpConnectorName="oneWaySSL"
    • Connector smpConnectorName="AdminSSL"
    • Connector smpConnectorName="mutualSSL"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  • Save and restart the SMP3 server.  Now connections from Chrome and Firefox should no longer give that error.

The key is to remove the TLS_DHE_* ciphers.  This list probably contains more options than you will need, but I leave it to you to determine which ones you want to support.
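To check the edit before restarting, the following added example (not part of the original post or of SMP) audits the three SSL connectors for remaining TLS_DHE_* suites and prints the cipher list to keep. The sample XML is constructed for illustration; a connector with no ciphers attribute is reported separately because it then uses the JVM's default suites.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the Connector entries described above;
# the cipher values are illustrative, not copied from a real server.
SAMPLE = """<Server><Service name="Catalina">
  <Connector smpConnectorName="oneWaySSL"
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector smpConnectorName="AdminSSL"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector smpConnectorName="mutualSSL"/>
</Service></Server>"""

SSL_CONNECTORS = ("oneWaySSL", "AdminSSL", "mutualSSL")


def is_dhe(suite):
    # Finite-field ephemeral DH only; TLS_ECDHE_* does not start with TLS_DHE_.
    return suite.upper().startswith(("TLS_DHE_", "SSL_DHE_"))


def audit_connectors(xml_text):
    """Return {connector name: {"dhe": [...], "keep": [...], "explicit": bool}}."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        name = conn.get("smpConnectorName")
        if name not in SSL_CONNECTORS:
            continue
        raw = conn.get("ciphers")
        suites = [s.strip() for s in (raw or "").split(",") if s.strip()]
        report[name] = {
            "dhe": [s for s in suites if is_dhe(s)],
            "keep": [s for s in suites if not is_dhe(s)],
            # No ciphers attribute means the connector falls back to JVM defaults.
            "explicit": raw is not None,
        }
    return report


if __name__ == "__main__":
    for name, r in audit_connectors(SAMPLE).items():
        if not r["explicit"]:
            print(f"{name}: no ciphers attribute, JVM default suites apply")
        elif r["dhe"]:
            print(f"{name}: remove {r['dhe']}")
            print(f'  ciphers="{",".join(r["keep"])}"')
        else:
            print(f"{name}: no TLS_DHE_* suites listed")
```

To audit a real server, pass the contents of default-server.xml to `audit_connectors` instead of `SAMPLE`.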

For Agentry clients be sure to test each device you will be using BEFORE making this change in production.  If your device does not support the newer ciphers it will probably fail to connect and you may need to either update your device or re-implement the obsolete cipher.

      33 Comments
      Kenichi Unnai

      Thanks for sharing this. This issue should happen with SAP HANA Cloud Connector too. The solution seems a bit different than SMP3.

      As you'll find in the default-server.xml, the cipher attribute is commented out:

      --

          <!-- add a list of secure ciphers that work with your JCE implementation,

               e.g. the JCE implementation of SAP JVM 7.1 will work with the following settings:

               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" -->

      --

      So the solution for SCC is to copy and paste this cipher attribute into the <Connector port="8443"... tag and get rid of the items which start with "TLS_DHE_*" strings.

      It looks like the browser can now open the Cloud Connector login.

      Former Member

      Hi Bill,

      Thanks for the wonderful blog. It worked for me in the Windows environment, but when I tried it on the Linux environment server I am getting the below error.

      This webpage is not available

      Please suggest if you have any recommendation here.

      Regards,

      Govardhan.

      Ervin Szolke
      Hemendra Sabharwal

      Thank you so much Bill, we were facing a similar problem. It was impacting us badly, because we were not able to run even our Native Android App for Client, which is accessing the Non-SAP/SAP back-end through SMP. I am going to implement your suggested changes, and hope everything will be fine from now onward.

      Warm Regards

      Hemendra

      Hemendra Sabharwal

      Great Bill, it worked for me. I am able to access "SMP Admin" in chrome. Now let me check the same for "Android Native App" SMP connection.

      George Lazaridis

      Hi,

      Has anyone tried to fix the same on SMP 2.3?

      I have 2 versions installed on my servers and while it is fixed for 3.0 I am struggling to find where the cipher properties sit on 2.3.

      Thanks

      George Lazaridis

      Former Member

      Hi Bill,

      This is really a great blog. Thanks for the info and solution. However, one of our customers is having a similar issue on SMP 2.3. This solution doesn't work for SMP 2.3 as we don't find the ciphers path for the 2.3 setup.

      Please help us on this.

      Kind Regards,
      Sushmitha

      Nagesh Caparthy

      Hi Bill Froelich,

      I have the same question: SMP 2.3 with SP06 on my system, what is the fix for it? Will JVM 7 be the solution for it?

      Regards,

      Nagesh

      Bill Froelich
      Blog Post Author

      I don't believe JVM 7 will fix this issue as it is a cipher issue with the platform more so than a java version issue.  I don't do much with SMP 2.3 so I will have to look into it if I can get a system up.

      --Bill

      Nagesh Caparthy

      Thanks Bill.

      Nagesh Caparthy

      Looping in Ali Chalhoub and Kevin Bates

      Any fix for 2.3 version?

      Regards,

      Nagesh

      Former Member

      Hi,

      Can you try manually adding the above entries in the default-application-server.xml (servers/unwiredserver/config) file and check?

      Regards,

      Govardhan.

      Kevin Bates

      In 2.3.6 you can edit the security profile in SCC to add/remove encryption algorithms, have you tried that?  Select profile and then select Ciphers.

      Regards,

      Kevin

      Former Member

      Hi Kevin,

      From the list of ciphers given in solution on SMP3.0, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA

      only the bolded ciphers are available and are already added in SCC 2.3. So, no luck with this solution.

      Cheers,
      Sushmitha

      Nagesh Caparthy

      Hi Kevin,

      I guess this should solve.

      Regards,

      Nagesh

      Former Member

      Hi Nagesh,

      This solution didn't work in Chrome again.

      Cheers,
      Sushmitha

      Bill Froelich
      Blog Post Author

      I would guess that you want to remove all TLS_DHE_* entries and then try connecting with Chrome.

      --Bill

      Former Member

      I tried removing all the TLS_DHE_* ciphers, but no success yet.

      Cheers,
      Sushmitha

      Kevin Bates

      Sushmitha,

      Make sure you restart the SMP server after each change as ciphers are loaded at startup.

      Regards,

      Kevin

      Former Member

      Kevin,

      I already restarted the server once the cipher changes happened. Still getting the same error.

      Kind Regards,
      Sushmitha

      Kevin Bates

      Sorry, I just realized you are talking about SCC and not SMP.  Not enough coffee yet this morning.  Port 8283 is the SCC server so making these adjustments in SMP has no impact.  Let me look at the SCC config.

      Regards,

      Kevin

      Ervin Szolke

      Hi,

      Did you check this new blog? It might be useful if you run into problems with SCC:

      http://scn.sap.com/community/developer-center/cloud-platform/blog/2015/09/09/cloud-connector-and-errsslweakserverephemeraldhkey-with-chrome

      Cheers,

      Ervin

      Jitendra Kansal

      Ervin Szolke

      The 'SCC' (Sybase/SAP Control Center) that Sushmitha is talking about is the administration portal of Sybase Unwired Platform 2.x releases (listens on default port 8283).

      The link you have shared is talking about SAP HANA Cloud Connector (SCC) (listens on default port 8443).

      Regards,

      JK

      Ervin Szolke

      Ouch, sorry. I did not know that. Perhaps we should change all 3 letter abbreviations to 4 or 5 letters. 🙂

      Michael Appleby

      Just like SMP is Service MarketPlace, right?  😀

      Cheers, Mike

      SAP Technology RIG

      Ervin Szolke

      Exactly! 🙂

      MDM (Master Data Management vs. Mobile Device Management).

      ADS (Adobe Document Services vs. Advantage Database Server)

      Kevin Bates

      FYI, I requested development take a look.  I can't figure out how to edit the cipher suites on SCC Jetty.

      Regards,

      Kevin

      Nagesh Caparthy

      Thank you.

      George Lazaridis

      Hi Govardhan,

      I have tried doing that but there is no cipher property in the specific file to replace the values.

      Kind Regards,

      George Lazaridis


      Former Member

      SAP has been aware of the weak DH key issue for quite some time. SMP 3.0 SP09 will include SAP JVM 8.0 where the stronger DH keys are used by default. JVM 8.0 also has support for a system property...

      -Djdk.tls.ephemeralDHKeySize=2048

      to provide explicit control. The key size for JVM 7 is hard coded into a Sun JCE library and there is no way to change it.

      For now, removing the DHE cipher is the only workaround.

      Later versions of JCE are also offering some newer ciphers - thinking of the ECDH ones -

      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

      which are not vulnerable to this particular issue. One of the problems for recommending those though is that many mobile operating systems have not implemented these latest ciphers so it would have to be trial and error for customers to see what happens to work across the various mobile devices their users are using. Of course for the https:8083 admin port, that wouldn't be a concern. Hopefully customers are using a modern browser for the Admin cockpit

      Bill Froelich
      Blog Post Author

      Yes, I successfully tested the WPF client against my SMP3 server after making this change.  Everything connected as expected.   My test was on a Win 8 client but I would not expect any different results under Win 7.

      --Bill

      Tomasz Sobkowiak

      Hi Everyone,

      I had the same issue with SMP 2.3 SP04 and finally I have figured out how to fix (workaround) this problem. All I have done was setting up the following environment variables: SCC_HOME (C:\SAP\SCC-3_2) and SCC_JAVA_HOME (C:\Program Files\Java\jre7). Then I stopped the SAP Control Center service and started it from CMD: "C:\SAP\SCC-3_2\bin\scc.bat".

      Now I am able to open the SCC in chrome using an encrypted connection TLS1.2 AES_128_CBC.

      Good luck!

      Regards,

      TS

      Søren Hansen

      Hi All.

      Just a note: If you don't want to perform changes to your SMP server, you can also fix this in the browser.

      For Chrome you can start it up using: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033

      This will blacklist the two ciphers:

      TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

      TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)


      And I guess the server will then use others (I am NOT an expert in this area).


      This way you can still use Chrome to access SMP Admin Cockpit, without changing anything on the SMP server.


      Brgds,

      Søren Hansen