Forum Discussion

ITOPSNetwTeam_6's avatar
ITOPSNetwTeam_6
Icon for Nimbostratus rankNimbostratus
Sep 23, 2015

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY SSL error with Chrome 45

Hi,

 

The new Chrome browser version V45 seems to block access to ssl-sites using a public key smaller than 1024 bits. We offload the SSL for our websites to our LTM (V11.5.3) using a client SSL Profile :

 

ltm profile client-ssl /Common/our-profile { app-service none cert /Common/our-certificate.crt cert-key-chain { ourcertchain { cert /Common/xxx.crt chain /Common/xxx.crt key /Common/xxx.key passphrase xxxx } } chain /Common/xxxx.crt ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 defaults-from /Common/clientssl inherit-certkeychain false key /Common/xxxx.key passphrase xxxx renegotiation disabled

 

Which settings do we have to change to solve this Chrome 45 issue?

 

Thanks four your help.

 

Ivo

 

10 Replies

    • ITOPSNetwTeam_6's avatar
      ITOPSNetwTeam_6
      Icon for Nimbostratus rankNimbostratus
      I cross-checked the cipher string, and it is as mentioned above : DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 Also the Version is 11.5.3
    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      I don't have an 11.5.3 box any where, but can you check the ciphers from your string by typing "tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4'" and ensure there are none using DHE/EDH?
    • ITOPSNetwTeam_6's avatar
      ITOPSNetwTeam_6
      Icon for Nimbostratus rankNimbostratus
      Here's the output : tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 16: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 17: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 18: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 20: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 21: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 23: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 24: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
    • ITOPSNetwTeam_6's avatar
      ITOPSNetwTeam_6
      Icon for Nimbostratus rankNimbostratus
      I cross-checked the cipher string, and it is as mentioned above : DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 Also the Version is 11.5.3
    • Brad_Parker_139's avatar
      Brad_Parker_139
      Icon for Nacreous rankNacreous
      I don't have an 11.5.3 box any where, but can you check the ciphers from your string by typing "tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4'" and ensure there are none using DHE/EDH?
    • ITOPSNetwTeam_6's avatar
      ITOPSNetwTeam_6
      Icon for Nimbostratus rankNimbostratus
      Here's the output : tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 16: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 17: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 18: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 20: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 21: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 23: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 24: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
  • The origin of the problem has been found: it turns out that the traffic from our test network for this site was erroneously routed to one of the member servers instead of the Virtual server, and this member server still uses DH. This (mis)configuration was introduced several years ago and functionally worked fine, so it remained unnoticed until now.

     

    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      Thanks for the update. I thought I was going crazy. That version and cipher string shouldn't have been and isn't using DH. I'm glad you found it.