Firefox 39+ Returns Error code:ssl_error_weak_server_ephemeral_dh_key with SSL
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
Atlassian applications allow the use of SSL within our products, however Atlassian Support does not provide assistance for configuring it. Consequently, Atlassian cannot guarantee providing any support for it.
- If assistance with conversions of certificates is required, please consult with the vendor who provided the certificate.
- If assistance with configuration is required, please raise a question on Atlassian Answers.
Browsing to JIRA on Firefox versions 39 or above results in the following error:
An error occurred during connection to [URL]. SSL received a weak ephermeral Diffie-Hellman key in Server Key Exchange handshake message (Error code:ssl_error_weak_server_ephemeral_dh_key). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.
- Firefox 39 and the Firefox 31 and 38 ESR releases upgrade the TLS implementation NSS to version 3.19.1. To harden the browser against Logjam attack the minimum key length for DH parameter within the TLS handshake is now 1023 bits.
- Older versions of JIRA (eg. 4.4.5) are bundled with a version of Tomcat that uses key lengths that do not meet the minimum requirements set by Mozilla.
Add the following line to Server.xml to restrict the ciphers being used for SSL/TLS
Example connector from a JIRA 4.4.5 instance with this change added:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" keyAlias="jira" keystoreFile="<jira-home>/jira.jks" keystorePass="password" keystoreType="JKS" protocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" />
These steps would need to be completed on every installation of Firefox experiencing the issue:
- In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
- In the search box above the list, type or paste ssl3 and pause while the list is filtered
- Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
- Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
Upgrade JIRA to a newer version