Google Chrome and the 'weak ephemeral Diffie-Hellman public key'

paulhoughton

Member
Joined
Feb 21, 2013
Messages
16
Recently (not sure in which release)... Google Chrome implemented tighter security on SSL certs.

From their support pages found here:
https://support.google.com/chrome/answer/6098869?p=dh_error&rd=1#DHkey

""Server has a weak ephemeral Diffie-Hellman public key" or ERR_SSL_WEAK_EPHEMERAL_DH_KEY
If you see this error, it means that a secure connection can't be established because of outdated security code on the website. Chrome protects your privacy by preventing you from connecting to these sites. You won't be able to visit this page using Chrome.

If you're a website administrator, we recommend you update your server to support ECDHE and disable DHE. If ECDHE is unavailable, you can instead disable all DHE cipher suites and rely on plain RSA."

I am trying to access my internal hardware firewall, a Netgear UTM25S, but I can't get to the login screen due to this issue. Unfortunately Netgear will be removing themselves from the firewall market completely and I don't see this as a priority for them in any future firmware releases.

I will continue to investigate the issue and if I find a resolution I'll post the fix in this thread. I've seen one or two hacks on some sites but don't want to compromise the security of my browser just to fix this one issue.
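The Chrome text quoted above distinguishes three outcomes: an ECDHE handshake (fine), a DHE handshake whose ephemeral key is too small (the ERR_SSL_WEAK_EPHEMERAL_DH_KEY case), and plain RSA (no ephemeral key at all). An added example, not from the original post or from Google, that classifies a server the same way from the "Server Temp Key" line `openssl s_client` prints; the sample output is constructed, and the 1024-bit floor is an assumption since the quoted support text gives no number:

```python
import re

# Assumed minimum ephemeral DH size; the support page quoted above does not
# state Chrome's actual threshold, so adjust this to the policy you enforce.
MIN_DH_BITS = 1024

# Constructed fragments of `openssl s_client` output (not captured from any
# real device); only the lines the classifier looks at are included.
SAMPLE_WEAK_DHE = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 512 bits
"""
SAMPLE_ECDHE = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH, P-256, 256 bits
"""
SAMPLE_PLAIN_RSA = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
"""

# "Server Temp Key: DH, 512 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
TEMP_KEY_RE = re.compile(r"^Server Temp Key:\s*(\w+)(?:,\s*[^,]+)?,\s*(\d+) bits", re.M)
CIPHER_RE = re.compile(r"Cipher is (\S+)")


def classify_key_exchange(s_client_output, min_dh_bits=MIN_DH_BITS):
    """Return (verdict, detail) for the key exchange a server negotiated.

    Verdicts: "ecdhe", "dhe", "weak-dhe" (what Chrome rejects) and
    "rsa-no-forward-secrecy" (no ephemeral key printed at all).
    """
    cipher_match = CIPHER_RE.search(s_client_output)
    cipher = cipher_match.group(1) if cipher_match else "unknown"
    key_match = TEMP_KEY_RE.search(s_client_output)
    if key_match is None:
        # No ephemeral key line: static RSA key exchange (or truncated output).
        return "rsa-no-forward-secrecy", cipher
    kind, bits = key_match.group(1), int(key_match.group(2))
    if kind == "DH":
        if bits < min_dh_bits:
            return "weak-dhe", f"{cipher} with {bits}-bit DH (ERR_SSL_WEAK_EPHEMERAL_DH_KEY)"
        return "dhe", f"{cipher} with {bits}-bit DH"
    # ECDH, X25519 and similar named-group exchanges are what Chrome recommends.
    return "ecdhe", f"{cipher} with {kind} {bits}-bit key"


if __name__ == "__main__":
    for name, sample in [("weak", SAMPLE_WEAK_DHE), ("ecdhe", SAMPLE_ECDHE), ("rsa", SAMPLE_PLAIN_RSA)]:
        print(name, classify_key_exchange(sample))
```

Feed it the real output of `openssl s_client -connect host:443 < /dev/null` to see which of the three cases a device such as the firewall above falls into.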
 

ginggs

༼ つ ◕_◕ ༽つ
Super Moderator
Joined
Jun 26, 2006
Messages
12,066
Firefox introduced this same change in June/July and it also affected Cisco routers, see:
https://support.mozilla.org/en-US/questions/1071500

In Firefox you can work around this by changing the following settings:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste dhe and pause while the list is filtered.

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (disable Firefox from using this cipher).

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (disable Firefox from using this cipher).
^^^ I think you actually want to do the opposite (false to true), but double-clicking should just flip the state.
 