Firefox 39+ Returns Error code:ssl_error_weak_server_ephemeral_dh_key with SSL


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Atlassian products support SSL. However, Atlassian Support does not assist with configuring it, so Atlassian cannot guarantee that support for it will be provided.

  • If you need help changing an SSL certificate, contact the vendor that issued the certificate.
  • If you need help with the configuration, post a question on Atlassian Answers.

Problem

Browsing to Confluence on Firefox versions 39 or above results in the following error:

An error occurred during connection to [URL]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message (Error code:ssl_error_weak_server_ephemeral_dh_key). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.

Diagnosis

Environment

  • Firefox 39 and the Firefox 31 and 38 ESR releases upgrade the TLS implementation, NSS, to version 3.19.1. To harden the browser against the Logjam attack, the minimum key length accepted for the DH parameter in the TLS handshake is now 1023 bits.
  • Older versions of Confluence (e.g. 4.0.3) are bundled with a version of Tomcat whose DH key lengths do not meet the minimum requirement set by Mozilla.

Workaround 1

Add the following attribute to the HTTPS connector in server.xml to restrict the cipher suites used for SSL/TLS. None of these suites use finite-field Diffie-Hellman (the ECDHE suites use elliptic-curve DH, to which the new minimum does not apply), so Tomcat no longer sends the short DH parameters that Firefox rejects:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

Example connector from a Confluence 4.0.3 instance with this change added:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
              keyAlias="confluence" keystoreFile="<confluence-home>/confluence.jks" keystorePass="password" keystoreType="JKS"  
              protocols="TLSv1,TLSv1.1,TLSv1.2" 
              ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
              />
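As an added example (not part of the Atlassian article or of Tomcat), the script below lints a Tomcat server.xml for SSL-enabled connectors that still offer finite-field DHE cipher suites, the suites that make Tomcat send the DH Server Key Exchange that Firefox 39+ rejects. The server.xml it parses is a constructed sample containing the 8443 connector above plus two hypothetical connectors (ports 8444 and 8445) that still expose the problem.

```python
import re
import xml.etree.ElementTree as ET

# Suite names (JSSE "TLS_DHE_RSA_..." or OpenSSL "DHE-RSA-...") that use
# finite-field ephemeral DH and so trigger a DH Server Key Exchange. ECDHE
# suites are deliberately not matched: the 1023-bit minimum applies only to
# finite-field DH.
DH_SUITE_RE = re.compile(r"(?<![A-Z])(DHE|EDH|ADH|DH_anon)[_-]")

# Constructed sample server.xml: the article's 8443 connector plus two
# hypothetical connectors that still expose the problem.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" protocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8090" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def weak_dh_suites(cipher_attr):
    """Return the entries of a Tomcat ciphers="..." value that negotiate
    finite-field ephemeral DH (the suites behind the Firefox error)."""
    suites = [s.strip() for s in cipher_attr.split(",")]
    return [s for s in suites if s and DH_SUITE_RE.search(s)]


def audit_server_xml(xml_text):
    """Return one finding string per problem on an SSL-enabled connector;
    an empty list means no connector can send a weak DH key exchange."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS handshake at all
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list: Tomcat enables the JSSE defaults, which on the
            # JVMs old Confluence releases ran on include DHE suites.
            findings.append(f"port {port}: no ciphers attribute, JSSE default list includes DHE suites")
            continue
        for suite in weak_dh_suites(ciphers):
            findings.append(f"port {port}: DHE suite {suite} still enabled")
    return findings
```

Run audit_server_xml() on the text of your own server.xml; an empty result means no HTTPS connector still offers a finite-field DHE suite.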

Workaround 2

These steps need to be completed on every Firefox installation experiencing the issue:

  • In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
  • In the search box above the list, type or paste ssl3 and wait for the list to be filtered.
  • Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this is usually the first item in the list).
  • Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this is usually the second item in the list).

Solution

Upgrade Confluence to a newer version.

Last modified on Mar 30, 2016
