Environment
NetIQ Sentinel 7.3
Situation
After Firefox is updated to version 39.0, logins to the Sentinel WebUI fail with the following error:
Secure Connection Failed
An error occurred during a connection to <your server>. SSL received a weak ephemeral Diffie-Hellman key in Server key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
Resolution
The fix for this issue is contained in the Sentinel 7.3.1.0 patch. The fix requires Java 8, which is only included from 7.3.1 onward. If you have not done so, please apply 7.3.1.0 to fix this issue. If you cannot yet apply 7.3.1, follow the steps under "Work Around Steps".
Work Around Steps:
1. Backup the existing jetty-ssl.xml file
cp -a /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml /home/novell/jetty-ssl.xml.bak
2. Using vim, edit the file and append the following ciphers at the end of the section that begins
<!-- Only enable strong ciphers. -->
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
that is, as additional <Item> entries inside that <Array> element, before its closing </Array> tag:
<!-- New Excluded Ciphers -->
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_RSA_WITH_NULL_SHA256</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</Item>
<Item>TLS_DH_anon_WITH_AES_128_CBC_SHA256</Item>
<Item>TLS_DH_anon_WITH_AES_256_CBC_SHA256</Item>
3. Save the changes to the file and restart Sentinel
4. (optional) Clear all cache and cookies in your browser
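The edit in step 2 can be scripted rather than done by hand, which avoids a mistyped suite name or a duplicated entry. The script below is an added example, not part of this TID or of Sentinel; it uses only Python's standard xml.etree module, works on a constructed, cut-down stand-in for jetty-ssl.xml (the real file contains more settings), and keeps the file's XML declaration and DOCTYPE so Jetty still sees its Configure DTD reference. The function names and the sample config are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# The cipher suites the workaround tells the administrator to add to the
# ExcludeCipherSuites array (copied from step 2 above).
WEAK_DHE_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_NULL_SHA256",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
]

# Constructed stand-in for jetty-ssl.xml (not the file shipped with Sentinel).
# One of the suites to add is already present, so the example also shows that
# the edit does not duplicate entries.
SAMPLE_JETTY_SSL_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <!-- Only enable strong ciphers. -->
  <Set name="ExcludeCipherSuites">
    <Array type="java.lang.String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    </Array>
  </Set>
</Configure>
"""


def _parse(xml_text: str) -> ET.Element:
    # Keep comments so an existing "New Excluded Ciphers" marker survives a re-run.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _exclude_array(root: ET.Element) -> ET.Element:
    """Return the <Array> under <Set name="ExcludeCipherSuites">, or raise."""
    for set_el in root.iter("Set"):
        if set_el.get("name") == "ExcludeCipherSuites":
            array = set_el.find("Array")
            if array is not None:
                return array
    raise ValueError('no <Set name="ExcludeCipherSuites"> with an <Array> found')


def excluded_suites(xml_text: str) -> List[str]:
    """List the cipher suites currently excluded in a Jetty SSL config."""
    array = _exclude_array(_parse(xml_text))
    return [(item.text or "").strip() for item in array.findall("Item")]


def add_excluded_suites(xml_text: str, suites: List[str]) -> str:
    """Return the config with any missing suites appended inside the array.

    Suites that are already excluded are left alone, so running this twice
    yields the same result (safe to re-run after a partial manual edit).
    """
    root = _parse(xml_text)
    array = _exclude_array(root)
    present = {(item.text or "").strip() for item in array.findall("Item")}
    missing = [s for s in suites if s not in present]
    if missing:
        # Reuse the file's existing indentation for the new entries.
        last = array[-1] if len(array) else None
        closing_ws = last.tail if last is not None else "\n"
        inner_ws = array.text or "\n"
        if last is not None:
            last.tail = inner_ws
        new_elements = [ET.Comment(" New Excluded Ciphers ")]
        for suite in missing:
            item = ET.Element("Item")
            item.text = suite
            new_elements.append(item)
        for el in new_elements:
            el.tail = inner_ws
            array.append(el)
        array[-1].tail = closing_ws
    # ElementTree drops the XML declaration and DOCTYPE on output; keep the
    # original prolog so Jetty still sees its Configure DTD reference.
    prolog = xml_text[: xml_text.index("<Configure")]
    return prolog + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    updated = add_excluded_suites(SAMPLE_JETTY_SSL_XML, WEAK_DHE_SUITES)
    print(updated)
    print("excluded suites now:", len(excluded_suites(updated)))
```

To use it against a real installation, take the backup from step 1 first, read /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml into add_excluded_suites, write the result back, and restart Sentinel as in step 3. After the restart, OpenSSL 1.0.2 or later can confirm the server no longer offers a short ephemeral key: `openssl s_client -connect <your server>:<port> -cipher DHE` either fails to negotiate a DHE suite or prints a `Server Temp Key:` line showing the DH size.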
Cause
Firefox 39.0 rejects servers that offer a short ephemeral Diffie-Hellman key, a change made in response to security vulnerabilities such as Logjam (CVE-2015-4000).