Firefox 39+ Returns Error code:ssl_error_weak_server_ephemeral_dh_key with SSL

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Atlassian applications allow the use of SSL within our products; however, Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian cannot guarantee support for SSL configuration.

  • If assistance with conversions of certificates is required, please consult with the vendor who provided the certificate.
  • If assistance with configuration is required, please raise a question on Atlassian Answers.

Problem

Browsing to Confluence on Firefox versions 39 or above results in the following error:

An error occurred during connection to [URL]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message (Error code:ssl_error_weak_server_ephemeral_dh_key). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.

Diagnosis

Environment

  • Firefox 39 and the Firefox 31 and 38 ESR releases upgrade the TLS implementation, NSS, to version 3.19.1. To harden the browser against the Logjam attack, the minimum key length accepted for the ephemeral DH parameter in the TLS handshake is now 1023 bits.
  • Older versions of Confluence (e.g. 4.0.3) are bundled with a version of Tomcat that negotiates DH key lengths that do not meet the minimum requirement set by Mozilla.

Workaround 1

Add the following attribute to the HTTPS Connector element in server.xml to restrict the cipher suites used for SSL/TLS (the list contains only ECDHE and RSA key exchange, so no finite-field DHE suite can be negotiated):

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

Example connector from a Confluence 4.0.3 instance with this change added:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
              keyAlias="confluence" keystoreFile="<confluence-home>/confluence.jks" keystorePass="password" keystoreType="JKS"
              protocols="TLSv1,TLSv1.1,TLSv1.2"
              ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
              />
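To confirm that no HTTPS connector in a server.xml can still negotiate a finite-field DHE suite (the key exchange the Firefox check applies to; ECDHE is unaffected), here is an added audit script. It is not part of this article or of Confluence; the embedded server.xml is a constructed sample with one connector left at the JVM default cipher list and one using the list from Workaround 1.

```python
"""Audit a Tomcat server.xml for HTTPS connectors that could still negotiate
ephemeral finite-field DH (DHE) cipher suites, the suites that trigger Firefox's
ssl_error_weak_server_ephemeral_dh_key when the JVM's DH parameters are
shorter than 1023 bits. Added example, not Atlassian's code."""
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 has no ciphers attribute (JVM default list,
# which includes DHE suites); port 8444 uses the restricted list from Workaround 1.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" />
    <Connector port="8090" protocol="HTTP/1.1" />
  </Service>
</Server>"""


def is_dhe_suite(name: str) -> bool:
    """True for finite-field ephemeral DH suites (DHE / DH_anon); ECDHE does not match."""
    n = name.strip().upper()
    return "_DHE_" in n or "_DH_ANON_" in n


def audit_connectors(server_xml: str) -> dict:
    """Map each SSL-enabled connector's port to a list of findings (empty = no DHE exposure)."""
    findings = {}
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not part of any TLS handshake
        port = conn.get("port", "?")
        problems = []
        ciphers = conn.get("ciphers")
        if ciphers is None:
            problems.append("no ciphers attribute: JVM default list includes DHE suites")
        else:
            dhe = [c for c in ciphers.split(",") if is_dhe_suite(c)]
            if dhe:
                problems.append("explicit DHE suites enabled: " + ", ".join(dhe))
        findings[port] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: {'OK' if not problems else '; '.join(problems)}")
```

Point it at a real file with `audit_connectors(open(path).read())`; a connector that reports OK here can still fail the Firefox check only if a DHE suite is added back later.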

Workaround 2

These steps need to be completed on every Firefox installation experiencing the issue:

  • In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
  • In the search box above the list, type or paste ssl3 and pause while the list is filtered.
  • Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this is usually the first item in the list).
  • Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this is usually the second item in the list).

Resolution

Upgrade Confluence to a newer version

Last modified on Mar 30, 2016
