Cannot access InterScan Messaging Security Suite (IMSS) 7.1 Linux web console using Firefox, error “ssl_error_weak_server_ephemeral_dh_key”

    • Updated:
    • 3 Aug 2015
    • Product/Version:
    • InterScan Messaging Security Suite 7.1 Linux
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - SuSE 10
    • Linux - SuSE 9.0
Summary

When using a browser such as Mozilla Firefox 39.0 to connect to the IMSS 7.1 Linux web console, the following error might occur:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error Code: ssl_error_weak_server_ephemeral_dh_key)

Details

To fix this issue:

  1. Open the file ${install_dir}/imss/UI/adminUI/conf/server.xml for editing.
  2. Find the connector for port 8445, indicated by:

    <Connector port="8445" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

  3. Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
  4. Supply the allowed ciphers by inserting the following attribute right after sslProtocols="TLSv1, TLSv1.1, TLSv1.2" (the value is one comma-separated list with no line breaks):

    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
  5. Save and close the file.
  6. Restart the admin UI using the command "${install_dir}/imss/script/S99ADMINUI restart".

If you are using EUQ, Trend Micro also recommends that you configure EUQ UI to prevent vulnerabilities:

  • For EUQ UI tomcat:
    1. Open the file ${install_dir}/imss/UI/euqUI/conf/server.xml for editing.
    2. Find the connector for port 8446, indicated by:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

    3. Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
    4. Supply the allowed ciphers by inserting the following attribute right after sslProtocols="TLSv1, TLSv1.1, TLSv1.2" (the value is one comma-separated list with no line breaks):

      ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
    5. Save the file.
    6. Restart the EUQ UI using the command "${install_dir}/imss/script/S99EUQ restart".
  • For EUQ UI apache:
    1. Open the file ${install_dir}/imss/UI/euqUI/conf/EUQ.conf.
    2. Add the following keys at the end of the file:

      SSLProtocol All -SSLv2 -SSLv3
      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP

      Note: If SSLProtocol and SSLCipherSuite already exist in the file, modify their values instead of adding duplicates.
    3. Restart the EUQ UI using the command "${install_dir}/imss/script/S99EUQ restart".
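The Firefox error in the summary is raised when the server offers an ephemeral Diffie-Hellman key shorter than 1024 bits; the cipher lists above avoid it on an RSA-keyed server because they contain no TLS_DHE_RSA_* suites (the TLS_DHE_DSS_* entries only apply with a DSA certificate). The same lists also keep RC4, 3DES, MD5-MAC, SSLv2-era and NULL-encryption suites, and the Apache string keeps RC4, so a practitioner will want to audit what was actually configured. The following script is an added example, not Trend Micro code: it parses a Tomcat Connector element like the ones edited for ports 8445 and 8446, flags legacy protocol versions and weak suites, counts forward-secret suites, and checks the EUQ.conf SSLCipherSuite string for exclusions it lacks. The sample connector is constructed with a shortened subset of the article's cipher list.

```python
"""Audit IMSS Tomcat connector TLS attributes and the EUQ Apache cipher string.

Added example (not Trend Micro code). The sample connector below is
constructed for illustration and uses a subset of the article's ciphers.
"""
import xml.etree.ElementTree as ET

# Name fragments identifying suites that current guidance excludes outright.
WEAK_SUITE_MARKERS = {
    "NULL": "no encryption",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5 MAC",
    "3DES": "triple DES (64-bit block)",
    "SSL_CK_": "SSLv2-era suite",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL keywords a hardened Apache SSLCipherSuite string should negate.
# Note that !ADH (used in the article) does not cover anonymous ECDH; !aNULL does.
APACHE_SHOULD_EXCLUDE = ["aNULL", "eNULL", "RC4", "MD5", "3DES", "EXP", "LOW"]


def split_list(value):
    """Split a comma-separated attribute value, tolerating whitespace/newlines."""
    return [item.strip() for item in value.replace("\n", "").split(",") if item.strip()]


def audit_connector(connector_xml):
    """Return (kind, item, reason) findings for one <Connector .../> element."""
    el = ET.fromstring(connector_xml)
    findings = []
    # Tomcat 5.5 uses sslProtocols; later releases use sslEnabledProtocols.
    protocols = el.get("sslProtocols") or el.get("sslEnabledProtocols") or el.get("sslProtocol", "")
    for proto in split_list(protocols):
        if proto in LEGACY_PROTOCOLS:
            findings.append(("protocol", proto, "legacy protocol version"))
    ciphers = split_list(el.get("ciphers", ""))
    if not ciphers:
        findings.append(("ciphers", "", "no explicit cipher list; JSSE defaults apply"))
    for suite in ciphers:
        for marker, reason in WEAK_SUITE_MARKERS.items():
            if marker in suite:
                findings.append(("cipher", suite, reason))
                break  # one reason per suite is enough for a report
    return findings


def forward_secrecy_count(connector_xml):
    """Return (forward-secret suites, total suites) for the connector's cipher list."""
    ciphers = split_list(ET.fromstring(connector_xml).get("ciphers", ""))
    # Both ECDHE_ and DHE_ suite names contain "DHE_"; RSA key transport does not.
    return sum("DHE_" in c for c in ciphers), len(ciphers)


def apache_missing_exclusions(cipher_string):
    """List keywords from APACHE_SHOULD_EXCLUDE that the string does not negate."""
    excluded = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    return [k for k in APACHE_SHOULD_EXCLUDE if k not in excluded]


# Constructed sample: the 8445 connector as it looks after the article's edit,
# with a shortened subset of the article's cipher list.
SAMPLE_CONNECTOR = """<Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="sslkey/.keystore" clientAuth="false"
    sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,TLS_RSA_WITH_NULL_SHA"/>"""

# The SSLCipherSuite value the article adds to EUQ.conf.
SAMPLE_APACHE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP"

if __name__ == "__main__":
    for kind, item, reason in audit_connector(SAMPLE_CONNECTOR):
        print(f"{kind:9}{item:40}{reason}")
    fs, total = forward_secrecy_count(SAMPLE_CONNECTOR)
    print(f"forward-secret suites: {fs}/{total}")
    print("Apache string lacks:", apache_missing_exclusions(SAMPLE_APACHE))
```

To audit a live installation, read the Connector element out of ${install_dir}/imss/UI/adminUI/conf/server.xml (or the euqUI copy) and pass its text to audit_connector; the _P256/_P384 suffixed names from the article are passed through unchanged and judged only by the markers above.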
Rating:
Category:
Troubleshoot
Solution Id:
1111943