Service Bullettin 20150911 Weak DH HTTPS Server Keys

From HSYCO
Revision as of 14:04, 11 September 2015 by Ulde (talk | contribs) (→‎References)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Service Bulletin - Chrome and Firefox drop support for servers using weak Diffie-Hellman public keys

New versions of some web borwsers have dropped support for web servers using Diffie-Hellman public keys shorter than 1024 bits.

Release Date

September 10, 2015

Affected Platforms

  • Any HSYCO Server using the Java 6 virtual machine, independently of the HSYCO software version
  • Google Chrome version 45
  • Mozilla Firefox 39.0


HSYCO servers using Java 7 are not affected. Most HSYCO units shipped after the first half of 2012 have Java 7 pre-installed.


Description

HSYCO uses native Java libraries, embedded in the installed Oracle Java Virtual Machine, to implement its internal HTTPS server. Java 6's HTTPS libraries use Diffie-Hellman public keys that Google and Mozilla now consider weak, after the so-called Logjam vulnerability has been discovered. This is independent of the HSYCO software version currently installed on the server.

When you try to access an HSYCO running on Java 6 via a secure HTTPS connection using the latest versions of Chrome or Firefox, the connection will not work. HTTP (not encrypted) connections are not affected by this issue.

Resolution

Both Chrome and Firefox have decided to implement these more restrictive HTTPS requirements, but failed to offer their users an option to either accept of reject a connection to a server which doesn't match these requirements.

To continue using your HSYCO, you have the following options:

  • use a different browser, that still accepts Diffie-Hellman public keys generated by Java 6, like Microsoft's Internet Explorer or Apple's Safari
  • implement the work-arounds that have been published on-line, and are described below
  • return the HSYCO Server for service to upgrade to Java 7. Please note that you will be charged a service fee for this upgrade.

Resolution: Chrome

The following solution is reported here, for your convenience only, as found on unverified on-line resources available to the public. Home Systems Consulting is not responsible, and cannot guarantee, that it will work correctly and that there are no side-effects that could affect the stability, integrity and security of your systems. Use at your own risk.


You should launch Chrome with the following startup option:

--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

On Windows:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Execute ad Administrator.

On Mac OSX:

/Applications/Google\ Chrome.app --args '--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013'


Resolution: Firefox

The following solution is reported here, for your convenience only, as found on unverified on-line resources available to the public. Home Systems Consulting is not responsible, and cannot guarantee, that it will work correctly and that there are no side-effects that could affect the stability, integrity and security of your systems. Use at your own risk.


  • in Firefox, Enter “about:config” in the URL field and press enter
  • accept the “This might void your warranty!” warning by clicking “I’ll be careful, I promise!” button
  • in the search field, enter “security.ssl3.dhe_rsa_aes”
  • double click each result (128 SHA and 256 SHA) to toggle the Value to “false”.

References