Firefox 39+ Returns Error code:ssl_error_weak_server_ephemeral_dh_key with SSL




Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.


  • If you need support with changing SSL certificates, consult the vendor that provided the certificate.
  • If you need assistance with configuration, post a question on Atlassian Answers.


Browsing to JIRA on Firefox versions 39 or above results in the following error:

An error occurred during connection to [URL]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message (Error code:ssl_error_weak_server_ephemeral_dh_key). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.



  • Firefox 39 and the Firefox 31 and 38 ESR releases upgrade the TLS implementation, NSS, to version 3.19.1. To harden the browser against the Logjam attack, the minimum key length for DH parameters within the TLS handshake is now 1023 bits.
  • Older versions of JIRA (e.g. 4.4.5) are bundled with a version of Tomcat that uses key lengths that do not meet the minimum requirements set by Mozilla.
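
The check described above can be reproduced offline. The following is an added example, not code from this article or from NSS: it parses a DHE ServerKeyExchange handshake message (TLS 1.2 and earlier layout) and compares the bit length of the prime `dh_p` with the 1023-bit minimum stated above. The function names and the sample messages are constructed for illustration; the sample values are dummy bytes, not real primes or keys.

```python
import struct

MIN_DH_BITS = 1023        # minimum stated in this article for NSS 3.19.1
SERVER_KEY_EXCHANGE = 12  # TLS handshake message type

def _read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def dh_prime_bits(handshake):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake) < 4 or handshake[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    # ServerDHParams is dh_p, dh_g, dh_Ys; the signature that follows is ignored.
    p, off = _read_vec16(body, 0)
    _g, off = _read_vec16(body, off)
    _ys, off = _read_vec16(body, off)
    # Leading zero bytes do not add strength, so measure the integer itself.
    return int.from_bytes(p, "big").bit_length()

def is_weak(handshake, minimum=MIN_DH_BITS):
    """True when a client enforcing `minimum` bits would reject the key."""
    return dh_prime_bits(handshake) < minimum

def build_sample(p_len_bytes):
    """Constructed message with dummy values (not a real prime), no signature."""
    fields = (b"\xff" * p_len_bytes, b"\x02", b"\x01" * p_len_bytes)
    body = b"".join(struct.pack("!H", len(v)) + v for v in fields)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (96, 128, 256):  # 768-, 1024- and 2048-bit dh_p
        msg = build_sample(size)
        verdict = "rejected" if is_weak(msg) else "accepted"
        print(f"dh_p = {dh_prime_bits(msg)} bits: {verdict}")
```
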

Workaround 1

Add the following line to server.xml to restrict the ciphers used for SSL/TLS:


Example connector from a JIRA 4.4.5 instance with this change added:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
              keyAlias="jira" keystoreFile="<jira-home>/jira.jks" keystorePass="password" keystoreType="JKS"  

Workaround 2

These steps would need to be completed on every installation of Firefox experiencing the issue: 

  • In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
  • In the search box above the list, type or paste ssl3 and pause while the list is filtered.
  • Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this is usually the first item on the list).
  • Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this is usually the second item on the list).


Upgrade JIRA to a newer version

Last modified on Mar 30, 2016

