SSL received a weak ephemeral Diffie-Hellman key reported by Chrome and Firefox

This article applies only to Atlassian's server products. See here for the differences between cloud and server products.

Problem

When accessing Fisheye/Crucible, you'll see the following message in the browser and will not be able to access the site:

An error occurred during a connection to fisheye.server.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Cause

Recent updates to Chrome and Firefox prevent access to websites that use the vulnerable Diffie-Hellman public key cipher.

Workaround

Use a different browser such as IE or Edge.

Solution

Follow our Configuring SSL cipher suites for Jetty guide to disable these weak ciphers. If you are using Fisheye/Crucible 3.5 or earlier, use these instructions to configure the below ciphers in jetty-web.xml.

  1. Shut down Fisheye.
  2. Open the config.xml file in your Fisheye instance directory (the data directory that the FISHEYE_INST system environment variable points to).
  3. Find the <ssl> element under the <web-server> element in the file, and add <includeCipherSuites>, <includeProtocols>, <excludeCipherSuites>, and <excludeProtocols>. For example:

    config.xml
    <config version="1.0">
        <web-server context="/foo">
            <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
                <includeProtocols>
                    <protocol>TLSv1</protocol>
                    <protocol>TLSv1.1</protocol>
                    <protocol>TLSv1.2</protocol>
                </includeProtocols>
                <includeCipherSuites>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipherSuite>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</cipherSuite>
                    <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_WITH_AES_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_SRP_SHA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
                </includeCipherSuites>
                <excludeProtocols>
                    <protocol>SSLv3</protocol>
                </excludeProtocols>
                <excludeCipherSuites>
                    <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
                    <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
                    <cipherSuite>SSL_DHE_DSS_WITH_DES_CBC_SHA</cipherSuite>
                    <cipherSuite>EXP-RC4-MD5</cipherSuite>
                    <cipherSuite>EDH-RSA-DES-CBC-SHA</cipherSuite>
                    <cipherSuite>EXP-EDH-RSA-DESCBC-SHA</cipherSuite>
                    <cipherSuite>DES-CBC-SHA</cipherSuite>
                    <cipherSuite>EXP-DES-CBC-SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
                    <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
                </excludeCipherSuites>
            </ssl>
        </web-server>
    </config>
  4. Restart Fisheye.

Last updated: November 2, 2018
