
Weak ephemeral Diffie-Hellman public key

Problem: Chrome and Firefox recently updated and suddenly stopped allowing connections to your SMP3 Admin and possibly your applications, and are giving you the error “Server has a weak ephemeral Diffie-Hellman public key”.


This is an attempt by the browsers to protect you from connecting to a server that is using outdated cipher settings, which could expose you to the recently published SSL vulnerability “Logjam”.

SMP3 SP08 and prior server versions default to obsolete cipher choices.  I believe this is being updated for the SMP3 SP09 release.  However, in the meantime you can make a similar change to your server to update the ciphers using the following procedure.

The quickest fix is to just remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA from the default ciphers list.  This removes the one Google is complaining about.  You can also just update the ciphers as indicated below to add support for some of the newer ciphers.  This won’t hurt anything but I also don’t know which ones are actually used or supported by the browsers.

Solution:

  • Stop the SMP3 server
  • Edit the Server\config_master\org.eclipse.gemini.web.tomcat\default-server.xml file
  • Find the ciphers line in each of the following Connector tags and replace the value with the ciphers below.
    • Connector smpConnectorName="oneWaySSL"
    • Connector smpConnectorName="AdminSSL"
    • Connector smpConnectorName="mutualSSL"
    • ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  • Save and restart the SMP3 server.  Now connections from Chrome and Firefox should no longer give that error.

The key is to remove the TLS_DHE_* ciphers.  This list probably contains more options than you will need, but I leave it to you to determine which ones you want to support.
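The check below is an added example, not part of the original post or of SAP's tooling: it audits a Tomcat-style server file for Connector tags whose ciphers list still contains TLS_DHE_* suites and prints the list with those removed. The sample XML, its port numbers and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector tags named in the post;
# the ports and the shortened cipher lists are made up for illustration.
SAMPLE_XML = """<Server>
  <Service name="Catalina">
    <Connector smpConnectorName="oneWaySSL" port="8081" SSLEnabled="true"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector smpConnectorName="AdminSSL" port="8083" SSLEnabled="true"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector smpConnectorName="mutualSSL" port="8082" SSLEnabled="true"/>
  </Service>
</Server>"""


def is_finite_field_dhe(suite):
    # TLS_DHE_* is classic Diffie-Hellman; TLS_ECDHE_* is elliptic-curve and is kept.
    return suite.startswith("TLS_DHE_")


def audit_connectors(xml_text):
    """Return {connector name: finding} for every Connector element."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        name = conn.get("smpConnectorName") or "port " + conn.get("port", "?")
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: defaults apply, so DHE suites are not ruled out.
            findings[name] = {"status": "no-ciphers-attribute", "dhe": [], "keep": []}
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        dhe = [s for s in suites if is_finite_field_dhe(s)]
        keep = [s for s in suites if not is_finite_field_dhe(s)]
        findings[name] = {"status": "dhe-present" if dhe else "ok", "dhe": dhe, "keep": keep}
    return findings


if __name__ == "__main__":
    for name, f in audit_connectors(SAMPLE_XML).items():
        print(name, f["status"])
        if f["dhe"]:
            print("  remove:", ", ".join(f["dhe"]))
            print('  ciphers="%s"' % ",".join(f["keep"]))
```

To run it against a real server, read the default-server.xml file into a string and pass it to `audit_connectors` before and after the edit.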

For Agentry clients be sure to test each device you will be using BEFORE making this change in production.  If your device does not support the newer ciphers it will probably fail to connect and you may need to either update your device or re-implement the obsolete cipher.

33 Comments
  • Thanks for sharing this. This issue should happen with SAP HANA Cloud Connector too. The solution seems a bit different than SMP3.

    As you’ll find in the default-server.xml, the cipher attribute is commented out:

        <!-- add a list of secure ciphers that work with your JCE implementation,
             e.g. the JCE implementation of SAP JVM 7.1 will work with the following settings:
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" -->

    So the solution for SCC is to copy & paste this cipher attribute into the <Connector port="8443"… tag and get rid of the items which start with “TLS_DHE_*” strings.

    Looks like the browser can now open Cloud Connector Login.

  • Thank you so much Bill, we were facing a similar problem. It was impacting us badly, because we were not able to run even our Native Android App for Client, which is accessing Non-SAP/SAP back-end through SMP. I am going to implement your suggested changes, and hope everything will be fine from now onward.

    Warm Regards

    Hemendra

  • Hi,

    Has anyone tried to fix the same on SMP 2.3?

    I have 2 versions installed on my servers and, while it is fixed for 3.0, I am struggling to find where the cipher properties sit on 2.3.

    Thanks

    George Lazaridis

  • Hi Bill,

    This is really a great blog. Thanks for the info and solution. However, one of our customers is having a similar issue on SMP2.3. This solution doesn’t work for SMP2.3 as we can’t find the ciphers path for the 2.3 setup.

    Please help us on this.

    Kind Regards,
    Sushmitha

  • SAP has been aware of the weak DH key issue for quite some time. SMP 3.0 SP09 will include SAP JVM 8.0 where the stronger DH keys are used by default. JVM 8.0 also has support for a system property…

    -Djdk.tls.ephemeralDHKeySize=2048

    to provide explicit control. The key size for JVM 7 is hard coded into a Sun JCE library and there is no way to change it.

    For now, removing the DHE cipher is the only workaround.

    Later versions of JCE are also offering some newer ciphers – thinking of the ECDH ones –

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    which are not vulnerable to this particular issue. One of the problems with recommending those, though, is that many mobile operating systems have not implemented these latest ciphers, so it would have to be trial and error for customers to see what happens to work across the various mobile devices their users are using. Of course for the https:8083 admin port, that wouldn’t be a concern. Hopefully customers are using a modern browser for the Admin cockpit.

  • Yes, I successfully tested the WPF client against my SMP3 server after making this change.  Everything connected as expected.   My test was on a Win 8 client but I would not expect any different results under Win 7.

    –Bill

  • Hi Everyone,

    I had the same issue with SMP 2.3 SP04 and finally I have figured out how to fix (workaround) this problem. All I have done was setting up the following environment variables: SCC_HOME (C:\SAP\SCC-3_2) and SCC_JAVA_HOME (C:\Program Files\Java\jre7). Then I stopped the SAP Control Center service and started it from CMD: “C:\SAP\SCC-3_2\bin\scc.bat”.

    Now I am able to open the SCC in Chrome using an encrypted connection TLS1.2 AES_128_CBC.

    Good luck!

    Regards,

    TS

  • Hi All.

    Just a note: If you don’t want to perform changes to your SMP server, you can also fix this in the browser.

    For Chrome you can start it up using: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0039,0x0033

    This will blacklist the two ciphers:

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)


    And I guess the server will then use others (I am NOT an expert in this area).


    This way you can still use Chrome to access SMP Admin Cockpit, without changing anything on the SMP server.


    Brgds,

    Søren Hansen