Service Bulletin 20150911 Weak DH HTTPS Server Keys
Service Bulletin - Chrome and Firefox drop support for servers using weak Diffie-Hellman public keys
New versions of some web browsers have dropped support for web servers using Diffie-Hellman public keys shorter than 1024 bits.
Release Date
September 10, 2015
Affected Platforms
- Any HSYCO Server using the Java 6 virtual machine, independently of the HSYCO software version
- Google Chrome version 45
- Mozilla Firefox 39.0
Description
HSYCO uses native Java libraries, embedded in the installed Oracle Java Virtual Machine, to implement its internal HTTPS server. Java 6's HTTPS libraries use Diffie-Hellman public keys that Google and Mozilla now consider weak, following the discovery of the so-called Logjam vulnerability. This is independent of the HSYCO software version currently installed on the server.
When you try to access an HSYCO running on Java 6 via a secure HTTPS connection using the latest versions of Chrome or Firefox, the connection will fail. HTTP (not encrypted) connections are not affected by this issue.
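The browser checks described above come down to one number: the bit length of the Diffie-Hellman modulus (dh_p) that the server sends in its TLS ServerKeyExchange message. The following parser, added here as an illustration and not part of the bulletin or of the HSYCO product, extracts that modulus from a captured ServerKeyExchange handshake message (RFC 5246 section 7.4.3 layout) and reports whether it falls under the 1024-bit threshold the bulletin describes. The sample messages are constructed in the script with placeholder moduli, so it runs offline; in practice you would feed it the handshake bytes exported from a packet capture of the HTTPS connection to your HSYCO server.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12   # TLS HandshakeType value for ServerKeyExchange
MIN_ACCEPTED_DH_BITS = 1024          # threshold the bulletin says Chrome 45 / Firefox 39 enforce


def _read_vector16(buf, pos):
    """Read a TLS opaque<1..2^16-1> vector: a 2-byte big-endian length, then the bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def dh_params_from_server_key_exchange(handshake):
    """Parse a DHE ServerKeyExchange handshake message into (p, g, Ys) integers.

    Layout: 1-byte type (12), 3-byte body length, then dh_p, dh_g, dh_Ys as
    length-prefixed vectors. A trailing signature (DHE_RSA suites) is ignored.
    """
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p_bytes, pos = _read_vector16(body, 0)
    g_bytes, pos = _read_vector16(body, pos)
    ys_bytes, pos = _read_vector16(body, pos)
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))


def dh_modulus_bits(handshake):
    """Bit length of the server's DH modulus, the value the browsers compare against 1024."""
    p, _, _ = dh_params_from_server_key_exchange(handshake)
    return p.bit_length()


def is_rejected_by_browser(handshake):
    """True when the modulus is shorter than 1024 bits, i.e. what Chrome 45 / Firefox 39 refuse."""
    return dh_modulus_bits(handshake) < MIN_ACCEPTED_DH_BITS


def build_server_key_exchange(p, g, ys):
    """Constructed-sample builder: encode a ServerKeyExchange body (no signature appended)."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples (placeholder moduli, not real server parameters or real primes):
# a 768-bit modulus, which the browsers reject, and a 2048-bit one, which they accept.
WEAK_P = (1 << 767) | 1
STRONG_P = (1 << 2047) | 1
WEAK_SKE = build_server_key_exchange(WEAK_P, 2, 12345)
STRONG_SKE = build_server_key_exchange(STRONG_P, 2, 12345)

if __name__ == "__main__":
    for label, msg in (("weak sample", WEAK_SKE), ("strong sample", STRONG_SKE)):
        print(f"{label}: dh_p is {dh_modulus_bits(msg)} bits, "
              f"rejected={is_rejected_by_browser(msg)}")
```

The parser only looks at the three DH vectors, so it works on both DHE_RSA messages (which carry a signature after the parameters) and anonymous DH messages. It does not verify that dh_p is prime or that the signature is valid; it answers only the size question the browsers are asking.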
Resolution
Both Chrome and Firefox have decided to implement these more restrictive HTTPS requirements, but failed to offer their users an option to either accept or reject a connection to a server which doesn't match these requirements.
To continue using your HSYCO, you have the following options:
- use a different browser which still accepts Diffie-Hellman public keys generated by Java 6, like Microsoft's Internet Explorer or Apple's Safari
- implement the workarounds that have been published online, and are described below
- return the HSYCO Server for service to upgrade to Java 7. Please note that you will be charged a service fee for this upgrade.
Resolution: Chrome
You should launch Chrome with the following startup option. It blacklists the Diffie-Hellman (DHE) cipher suites, so Chrome negotiates a different key exchange with the server; note that it applies to every site Chrome connects to while launched this way, not only to HSYCO:
--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
On Windows:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Execute as Administrator.
On Mac OSX:
open -a "Google Chrome" --args '--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013'
Resolution: Firefox
- in Firefox, enter “about:config” in the URL field and press Enter
- accept the “This might void your warranty!” warning by clicking the “I’ll be careful, I promise!” button
- in the search field, enter “security.ssl3.dhe_rsa_aes”
- double-click each result (128 SHA and 256 SHA) to toggle the Value to “false”. This disables the DHE cipher suites for every site Firefox connects to, not only for HSYCO.