SAP HANA Cloud Connector and ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY with Chrome
With the update to version 45.0.2454.85, Chrome has become more restrictive about the ciphers it accepts for HTTPS connections that use cipher suites with DHE. It blocks the connection, and instead of the web page you wanted to access you see an error page with a message in your default locale together with the error code ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. This message now appears often when trying to access the Cloud Connector administration UI with Chrome.

The root cause is the cipher chosen by the Cloud Connector during the SSL handshake. The cipher is chosen by the JCE implementation, which depends on the Java Virtual Machine used by your Cloud Connector. Unfortunately, the JCE implementations in older JVM versions prefer DHE ciphers to other ones, the public key used is a compromised one, and because the server decides which cipher is used, we end up with the unrecoverable error message in Chrome.

So what can be done? See the suggestions below for workarounds and the true solutions.
- Use Firefox instead. With version 40 and higher it shows a similar message (ssl_error_weak_server_ephemeral_dh_key); however, it is possible to allow the connection again by setting security.ssl3.dhe_rsa_aes_128_sha to false in about:config. This should be reverted after applying one of the solutions mentioned below.
- Limit the cipher suites supported by the Cloud Connector to ones that are still allowed by Chrome. This requires manual changes in <sccroot>/config_master/org.eclipse.gemini.web.tomcat/default-server.xml: search for the Connector for port 8443 and add an attribute for the allowed ciphers: ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256". This very limited set will make it work again for both SAP JVM 6 and 7.
- Use Internet Explorer
- Use the latest SAP JVM 7 – at least 7.1.032, downloadable from Support Portal (download authorization required). Download the archive that matches your platform from there until it is also available from the Cloud Tools page.
- If you still need to stick to SAP JVM 6, use the latest one – at least 6.1.081, downloadable from Support Portal (download authorization required). Download the archive that matches your platform from there until it is also available from the Cloud Tools page.
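
To confirm that the cipher-suite workaround above actually took effect, the following added example (not SAP's code and not part of the original post) checks the Connector for port 8443 in a `default-server.xml` and reports whether a `ciphers` list is set and whether it still admits DHE suites. The sample XML is constructed and assumes a plain Tomcat-style file without XML namespaces; `audit_connector` is a hypothetical helper name.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples; the real default-server.xml has more elements and attributes.
BEFORE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

AFTER = BEFORE.replace(
    'secure="true"',
    'secure="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256"',
)


def audit_connector(xml_data, port="8443"):
    """Classify the cipher restriction of the <Connector> on `port`.

    Returns (status, suites):
      "no-connector" - no Connector element for that port was found
      "unrestricted" - no ciphers attribute, so the JVM's own preference applies
      "dhe-allowed"  - a ciphers list exists but still contains DHE suites (returned)
      "restricted"   - a ciphers list without DHE suites (returned)
    """
    root = ET.fromstring(xml_data)  # accepts str or bytes
    for conn in root.iter("Connector"):
        if conn.get("port") != port:
            continue
        raw = conn.get("ciphers")
        # Assumption: an empty attribute is treated like a missing one.
        if raw is None or not raw.strip():
            return ("unrestricted", [])
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        # "_DHE_" matches TLS_DHE_* and SSL_DHE_* names but not TLS_ECDHE_*.
        dhe = [s for s in suites if "_DHE_" in s]
        return ("dhe-allowed", dhe) if dhe else ("restricted", suites)
    return ("no-connector", [])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python audit.py <sccroot>/config_master/.../default-server.xml
        with open(sys.argv[1], "rb") as fh:
            print(audit_connector(fh.read()))
    else:
        for label, text in (("before", BEFORE), ("after", AFTER)):
            print(label, audit_connector(text))
```

An "unrestricted" result on an older JVM means the JCE default order still applies, which is the situation that triggers the Chrome error described above.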