3 Replies Latest reply on Sep 8, 2015 8:36 AM by James Smith

    Firefox Version 39 - SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    James Smith
      Share This:

      This is an issue with the new Firefox Version 39. They increased security that will block connections to BNA 8.6.X and below. This can be resolved by performing the following steps on the BNA application server.

       

       

      This issue can be fixed on BNA server side as below -

       

      1. Stop BNA service

       

      2. Remove all the _DHE_ ciphers (property - bna.connector.ciphers)from the catalina.properties file Remove below - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

       

      keep below -

      TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,

      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,

      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,

      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,

      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,

      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521, TLS_RSA_WITH_NULL_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA

       

      3. Restart the BNA service.