Force Chrome to Ignore a "weak ephemeral Diffie-Hellman public key"
Solution 1
Hacky fix to get around this issue (Mac OSX)
- Run this on the command line to work around the issue when launching Chrome:
Chrome:
open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Canary:
open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
For Firefox
- Go to about:config
- Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
- Set them both to false.
NOTE: The permanent fix would be to update the DH key to a length > 1024.
Solution 2
Indeed, it seems that browsers have taken the Diffie-Hellman issue with keys shorter than 1024 bits seriously, which in part is great news, but on the other hand it has generated a lot of angry Chrome users.
The fix for this issue (and many others related to security) is the sysadmins' responsibility, so as I understand it, the decision to block any website that offers a weak 512-bit or shorter Diffie-Hellman key is a measure of pressure directed at those who manage security on remote sites, with the "downside" that users suffer the effects.
It is currently possible to blacklist some cipher suites when launching the Google Chrome browser by running it with the --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013 parameter, which seems to disable the ones related to the Logjam vulnerability and permits users to join the sites, but I insist that it should be the sysadmins' responsibility to fix the issue with their Diffie-Hellman keys.
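Both answers point at the same permanent fix: a larger DH group on the server. As an added example (not part of either answer), this POSIX shell script reads the group size a server actually negotiates from openssl s_client output and classifies it; the sample output is constructed and the host name is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original answers: check the size of the ephemeral
# DH group a server negotiates, which is what Chrome 45 rejects when it is weak.
# Assumes OpenSSL >= 1.0.2, whose s_client prints a "Server Temp Key:" line.

# Extract the DH group size in bits from s_client output; prints "none" when the
# handshake did not use a DHE key exchange (or failed before sending parameters).
dh_bits_from_output() {
    bits=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p')
    if [ -n "$bits" ]; then printf '%s\n' "$bits"; else printf 'none\n'; fi
}

# Map a bit count to a verdict: "ok" for 2048+ bits, "weak" below that,
# "no-dhe" when no DH parameters were seen.
verdict_for_bits() {
    if [ "$1" = "none" ]; then echo "no-dhe"
    elif [ "$1" -ge 2048 ]; then echo "ok"
    else echo "weak"
    fi
}

# Live check: force a DHE cipher so the server must send its DH parameters.
# A current OpenSSL refuses sub-1024-bit groups itself, so a server that weak
# shows up here as "no-dhe" rather than "weak".
check_host_dh() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -cipher 'DHE' 2>/dev/null)
    verdict_for_bits "$(dh_bits_from_output "$out")"
}

# Constructed sample output (not captured from a real server) in the shape
# OpenSSL prints at the end of a handshake. DHE-RSA-AES256-SHA is 0x0039,
# one of the suites the Chrome flag above blacklists.
SAMPLE_WEAK='Server public key is 2048 bit
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server Temp Key: DH, 1024 bits
    Protocol  : TLSv1.2'
SAMPLE_ECDHE='Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits'

verdict_for_bits "$(dh_bits_from_output "$SAMPLE_WEAK")"    # weak
verdict_for_bits "$(dh_bits_from_output "$SAMPLE_ECDHE")"   # no-dhe

# Pass a host name to run the live check: sh dhcheck.sh intranet.example
if [ $# -gt 0 ]; then check_host_dh "$1"; fi
```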
Raine Dragon, updated on September 18, 2022
Comments
- Raine Dragon, over 1 year ago:
With the update of Chrome to v45, it's blocking access to pages with weak ephemeral Diffie-Hellman public keys. I understand that this is due to Logjam. I understand that switching from https to http is a "solution" in some cases.
However, I can not switch from https to http because I am auto redirected to https by the web-based software we use on our intranet.
Obviously, the solution would be to have security change the various intranet servers to be secure from Logjam, I understand that, but that isn't an option right this minute, and I can not do any more work until it's fixed. Because it's an intranet and simply connecting at all requires that one be physically here, the risk is minuscule.
Is there any way that I can continue to access pages via https protocol, with weak ephemeral Diffie-Hellman public keys in Chrome version 45?
- Raine Dragon, over 8 years ago: Per productforums.google.com/forum/#!topic/chrome/xAMNtyxfoYM it seems to be possible to disable individual cipher suites to work around the issue. Outside of the obvious (reducing your security increases your risks on outside networks), are there any downsides to using this on an intranet? More info on: fehlis.blogspot.com/2013/12/… and code.google.com/p/chromium/issues/detail?id=58833
- Christopher Chipps, over 8 years ago: Thank you nKn, worked like a charm with Cisco Finesse as Chrome updated to version 45... I was unable to access the program, and now I am.