SSL received a weak ephemeral Diffie-Hellman key reported by Chrome and Firefox
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When accessing Fisheye/Crucible, you'll see the following message in the browser and will not be able to access the site:
An error occurred during a connection to fisheye.server.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
Cause
Recent updates to Chrome and Firefox refuse connections to websites whose TLS handshake uses a weak (short) ephemeral Diffie-Hellman key, which is the key exchange the error message refers to.
Workaround
Use a different browser such as IE or Edge.
Resolution
Follow our Configuring SSL cipher suites for Jetty guide to disable these weak ciphers. If you are using Fisheye/Crucible 3.5 or earlier, use these instructions to configure the below ciphers in jetty-web.xml.
- Shut down Fisheye.
- Open the config.xml file in your Fisheye instance directory (the data directory that the FISHEYE_INST system environment variable points to). Find the <ssl> element under the <web-server> element in the file, and add <includeCipherSuites>, <includeProtocols>, <excludeCipherSuites>, and <excludeProtocols>. For example:

config.xml

    <config version="1.0">
      <web-server context="/foo">
        <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
          <includeProtocols>
            <protocol>TLSv1</protocol>
            <protocol>TLSv1.1</protocol>
            <protocol>TLSv1.2</protocol>
          </includeProtocols>
          <includeCipherSuites>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
          </includeCipherSuites>
          <excludeProtocols>
            <protocol>SSLv3</protocol>
          </excludeProtocols>
          <excludeCipherSuites>
            <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_DSS_WITH_DES_CBC_SHA</cipherSuite>
            <cipherSuite>EXP-RC4-MD5</cipherSuite>
            <cipherSuite>EDH-RSA-DES-CBC-SHA</cipherSuite>
            <cipherSuite>EXP-EDH-RSA-DESCBC-SHA</cipherSuite>
            <cipherSuite>DES-CBC-SHA</cipherSuite>
            <cipherSuite>EXP-DES-CBC-SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
          </excludeCipherSuites>
        </ssl>
      </web-server>
    </config>

- Restart Fisheye.
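Before restarting, it is worth checking what the edited <ssl> element will actually offer. The script below is an added example written for this article, not Atlassian's or Jetty's own code. It assumes Jetty's semantics, in which the exclude lists are applied after the include lists, so a suite named in both is never offered. It runs against a constructed, trimmed copy of the config above (suite names taken from that config) and reports: legacy protocols that are still allowed, suites listed in both include and exclude (dead entries), and the finite-field TLS_DHE_* suites that remain on offer, since those are the ones whose ephemeral DH key the browser complained about.

```python
"""Audit the <ssl> element of a Fisheye/Crucible config.xml (added example).

Assumption: Jetty applies excludeCipherSuites/excludeProtocols after the
include lists, so an entry present in both is removed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed version of the config shown in this article.
SAMPLE_CONFIG = """<config version="1.0">
  <web-server context="/foo">
    <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password=""
         truststore="/etc/dev/keystore" truststore-password="">
      <includeProtocols>
        <protocol>TLSv1</protocol>
        <protocol>TLSv1.2</protocol>
      </includeProtocols>
      <includeCipherSuites>
        <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
      </includeCipherSuites>
      <excludeProtocols>
        <protocol>SSLv3</protocol>
      </excludeProtocols>
      <excludeCipherSuites>
        <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
      </excludeCipherSuites>
    </ssl>
  </web-server>
</config>
"""


def _names(ssl, list_tag, item_tag):
    """Return the text of every <item_tag> child of <list_tag> under <ssl>."""
    node = ssl.find(list_tag)
    if node is None:
        return []
    return [e.text.strip() for e in node.findall(item_tag) if e.text]


def audit_ssl_config(xml_text):
    """Parse config.xml text and return findings plus the effective suite list."""
    root = ET.fromstring(xml_text)
    ssl = root.find("./web-server/ssl")
    if ssl is None:
        raise ValueError("no <ssl> element under <web-server>")

    inc_proto = _names(ssl, "includeProtocols", "protocol")
    exc_proto = _names(ssl, "excludeProtocols", "protocol")
    inc_suites = _names(ssl, "includeCipherSuites", "cipherSuite")
    exc_suites = _names(ssl, "excludeCipherSuites", "cipherSuite")

    findings = []
    # SSLv3 should be switched off explicitly, as in the article's config.
    if "SSLv3" not in exc_proto:
        findings.append("SSLv3 is not explicitly excluded")
    for proto in inc_proto:
        if proto.startswith("SSLv"):
            findings.append(f"legacy protocol included: {proto}")

    # Suites in both lists never take effect (exclude is applied last).
    for suite in sorted(set(inc_suites) & set(exc_suites)):
        findings.append(f"suite both included and excluded (exclude wins): {suite}")

    # What the server will actually offer, in include-list order.
    offered = [s for s in inc_suites if s not in exc_suites]
    # Finite-field ephemeral DH suites: these still send a DH ServerKeyExchange,
    # so the DH parameter size the JVM uses still matters for them.
    ffdhe = [s for s in offered if s.startswith("TLS_DHE_")]

    return {"findings": findings, "offered_suites": offered, "ffdhe_suites": ffdhe}


if __name__ == "__main__":
    report = audit_ssl_config(SAMPLE_CONFIG)
    for line in report["findings"]:
        print("FINDING:", line)
    print("offered:", ", ".join(report["offered_suites"]))
    print("finite-field DHE still offered:", ", ".join(report["ffdhe_suites"]) or "none")
```

To run it against a real instance, replace SAMPLE_CONFIG with the contents of the config.xml in your FISHEYE_INST directory. Any TLS_DHE_* suite it lists is one where the browser can still be offered a finite-field DH key, so if the error persists after the restart, those suites are the first thing to look at.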