
With the update to version 45.0.2454.85, Chrome has become more restrictive about the ciphers it accepts for HTTPS connections when cipher suites with DHE are used. It blocks the connection, and instead of the web page you wanted to access you see an error document containing a sentence in the default locale plus the error code ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. Exactly this message now appears often when trying to access the Cloud Connector administration UI with Chrome. The root cause is the cipher the Cloud Connector chooses during the SSL handshake. The suite is selected by the JCE implementation, which depends on the Java Virtual Machine your Cloud Connector runs on. Unfortunately, the JCE implementations contained in older JVM versions prefer DHE ciphers over other ones, the public key used is a compromised one, and since the server decides, we end up with the unrecoverable error message in Chrome. So what can be done now? See the suggestions below for workarounds and the true solutions.


Workarounds:

  • Use Firefox instead. With version 40 and higher it shows a similar message (ssl_error_weak_server_ephemeral_dh_key), but in about:config you can allow it again by setting security.ssl3.dhe_rsa_aes_128_sha to false. This should be reverted after applying one of the solutions mentioned below.
  • Limit the cipher suites supported by the Cloud Connector to ones that Chrome still allows. This requires manual changes in <sccroot>/config_master/org.eclipse.gemini.web.tomcat/default-server.xml: search for the Connector for port 8443 and add an attribute for the allowed ciphers: ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256". This very limited set will make it work again for both SAP JVM 6 and 7.
  • Use Internet Explorer
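As an added example (not code from the original post or from SAP), the following Python script applies the default-server.xml change described in the second workaround: it locates the Connector for port 8443, reports any DHE suites in its ciphers attribute (or the absence of the attribute, which leaves the JVM default list in force), and sets the restricted list from the post. The sample XML is constructed and much smaller than the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for default-server.xml; the real file
# carries more connectors and attributes than shown here.
SAMPLE_SERVER_XML = """<Server port="-1">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""

# The restricted list from the post that Chrome 45 still accepts.
SAFE_CIPHERS = "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256"

# Ephemeral finite-field DH suites in JSSE naming (ECDHE is not affected).
DHE_PREFIXES = ("TLS_DHE_", "SSL_DHE_")


def find_tls_connector(root, port="8443"):
    """Return the <Connector> element listening on the given port."""
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    raise ValueError(f"no Connector for port {port}")


def dhe_suites(connector):
    """List the DHE suites a connector offers. A missing 'ciphers'
    attribute means the JVM default list, which on older SAP JVMs
    prefers DHE, so that is reported as a finding as well."""
    value = connector.get("ciphers")
    if value is None:
        return ["<JVM default cipher list>"]
    return [c.strip() for c in value.split(",")
            if c.strip().startswith(DHE_PREFIXES)]


def harden_connector(xml_text, port="8443"):
    """Return (findings, xml) where xml has the restricted cipher list
    applied to the port's connector whenever a finding was raised."""
    root = ET.fromstring(xml_text)
    conn = find_tls_connector(root, port)
    findings = dhe_suites(conn)
    if findings:
        conn.set("ciphers", SAFE_CIPHERS)
    return findings, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, fixed = harden_connector(SAMPLE_SERVER_XML)
    print("DHE suites found:", found)
    print(fixed)
```

ElementTree drops XML comments and reflows the file, so treat the output as a check of what to change and apply the edit by hand to the real file, keeping a backup.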


Solutions:

  • Use the latest SAP JVM 7 – at least 7.1.032 downloadable from Support Portal (download authorization required). Download the fitting archive for your platform from there until it is also available from the Cloud Tools page.
  • If you still need to stick to SAP JVM 6, use the latest one – at least 6.1.081 downloadable from Support Portal (download authorization required). Download the fitting archive for your platform from there until it is also available from the Cloud Tools page.

12 Comments


  1. David Wouters

    Question, is just upgrading SAP JVM enough?  When you use SAP HANA Cloud Connector Settings -> UI Certificate to generate a CSR, will it not use <sccroot>/config_master/org.eclipse.gemini.web.tomcat/default-server.xml?

        1. Markus Tolksdorf Post author

          Hi Nagesh,

          I can’t tell whether it helps as I don’t know the architecture of SMP 2.3 well enough. But if it uses a tomcat internally plus the JVM JCE, I would give it a try …

          Best regards,

          Markus

            1. Kevin Bates

              I don’t think this is a JVM issue.  The listeners have a security setup on what cipher suites to support.  We expose the SMP cipher suites for editing, but I don’t see where we expose the SCC setup yet.  It runs with a different Jetty server.

              I’m still looking, but may need to get an SCC engineer.

              Regards,

              Kevin

            2. Andreas Wegmann

              Hi Nagesh,
              for SMP 2.3.x (in SCC) that’s actually not possible with standard config files or UI.
              I think it’s defined in a class (SslSocketConnector.class; setIncludeCipherSuites) of the Jetty server which can’t be modified easily.

              Waiting for some feedback from development.
              KR

              Andreas

    1. Andreas Wegmann

      Hi all,

      there is a workaround available for Chrome and SMP 3.0.x (I didn’t test with SMP 2.3, but that might also apply).

      You need to modify the "ciphers" parameter in the "default-server.xml" and "tomcat-server.xml" (there are three of them inside each file) under ..\MobilePlatform3\Server\… as follows: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA". Afterwards you need to restart the SMP server.

      Please also take a backup of these two files BEFORE modifying.

      KR Andreas

