Firefox 39 - Secure Connection Failed - weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message
Solution 1
Depending on the software, an upgrade may not be necessary.
I had this issue as well. In my case, the application was using Tomcat and I was able to change config settings in the server.xml file. I found the solution here.
To quote the relevant portion:
Tomcat has several weak ciphers enabled by default. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and disable weak ciphers by following these instructions. Open your server.xml file and add the following to your SSL connector (attribute names in server.xml are case-sensitive, so keep the capitalisation shown):

    <Connector port="443" maxHttpHeaderSize="8192" address="127.0.0.1"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" clientAuth="false" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
               keystoreFile="mydomain.key" keystorePass="changeit"
               truststoreFile="mytruststore.truststore" truststorePass="changeit" />
In my situation, the only part that I had to modify in the server.xml file was the ciphers="..." portion.
After you do this, restart your application.
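The answer above works because the replacement cipher list contains no finite-field Diffie-Hellman suites (TLS_DHE_* / TLS_DH_*), so the server never sends the short DH parameters that Firefox 39 rejects. The following script is an added example, not code from the original answer or from Tomcat: it reads a constructed server.xml fragment, drops every DH and DH_anon suite from each SSL-enabled Connector, and also drops RC4 and export-grade suites (the RC4 suites in the quoted list above would still be flagged by a modern browser). The sample Connector, its port and keystore values are constructed for the example; the suite names are standard JSSE names.

```python
"""Audit and harden the `ciphers` attribute of Tomcat HTTPS Connectors.

Added example; not part of the original question or answers.
"""
import re
import xml.etree.ElementTree as ET

# Constructed input: a Connector that still offers finite-field DHE, RC4 and
# an export suite alongside two acceptable suites.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_RC4_128_SHA,
                        SSL_DH_anon_WITH_RC4_128_MD5,
                        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA"
               keystoreFile="mydomain.key" keystorePass="changeit" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Matches TLS_DHE_*, SSL_DHE_*, TLS_DH_anon_*, TLS_DH_RSA_* ... but NOT TLS_ECDHE_*.
FFDH_RE = re.compile(r"^(?:TLS|SSL)_DHE?_")


def classify(suite: str) -> str:
    """Return the reason a suite is dropped, or 'ok' if it may stay."""
    if FFDH_RE.match(suite):
        # Any finite-field DH suite makes the server send ServerKeyExchange
        # with its DH parameters; short parameters are what Firefox 39 rejects.
        return "finite-field DH"
    if "_EXPORT" in suite:
        return "export-grade"
    if "RC4" in suite:
        return "RC4"
    return "ok"


def split_ciphers(value: str) -> list:
    """Split Tomcat's comma-separated ciphers attribute, tolerating whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def harden_cipher_list(value: str):
    """Return (kept_suites, {dropped_suite: reason})."""
    kept, dropped = [], {}
    for suite in split_ciphers(value):
        reason = classify(suite)
        if reason == "ok":
            kept.append(suite)
        else:
            dropped[suite] = reason
    return kept, dropped


def harden_server_xml(xml_text: str):
    """Rewrite the ciphers attribute of every SSL-enabled Connector.

    Returns (new_xml_text, {port: {dropped_suite: reason}}).  A Connector with
    SSLEnabled="true" but no ciphers attribute is reported with an empty dict:
    it is running on JSSE defaults and should get an explicit list.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to harden
        ciphers = conn.get("ciphers")
        if ciphers is None:
            report[conn.get("port")] = {}
            continue
        kept, dropped = harden_cipher_list(ciphers)
        conn.set("ciphers", ",".join(kept))
        report[conn.get("port")] = dropped
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    new_xml, report = harden_server_xml(SAMPLE_SERVER_XML)
    for port, dropped in report.items():
        print(f"Connector {port}:")
        for suite, reason in dropped.items():
            print(f"  dropped {suite} ({reason})")
    print(new_xml)
```

The script keeps the non-forward-secret TLS_RSA_* suites, just as the quoted list does; whether to keep them is a separate policy decision. After restarting Tomcat, a handshake that forces DHE from the command line (`openssl s_client -connect host:443 -cipher 'DHE'`) should now fail, which confirms the server no longer offers the suites that triggered the Firefox error.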
Solution 2
I wanted to let people know a workaround to this as upgrading old software isn't always a possibility. You can install Fiddler and in the options enable decrypting of HTTPS traffic. Then access the site with Fiddler running. Fiddler will proxy the traffic for you and Firefox will think everything is fine (other than warning about the SSL certificate created by Fiddler to do its man-in-the-middle SSL proxying, but it lets you bypass that warning).
The drawback to this is that Firefox is giving this warning for a reason, so only use this if the security risks are outweighed by the benefits. You could also use a different browser (though in my case the site worked best with Firefox), or you could install a portable / standalone version of Firefox that's an older version and use it solely for accessing that site (i.e. don't access other websites since it will be lacking security updates present in the latest version of Firefox).
sa289, updated on September 18, 2022

Comments
- sa289 (over 1 year): As of Firefox 39, connecting to an old administrative interface for some third party software gave the following message:

    Secure Connection Failed
    An error occurred during a connection to backup.trinetsolutions.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

- ytg (almost 9 years): I had the same issue: superuser.com/a/940887/21149 (Depending on the server you connect to, the solution I got may work for you as well.)

- sa289 (almost 9 years): @ytg - that worked for me and is a far better solution than what I published. Do you want to post it on this question too?