Cannot access web console using Firefox

Cannot access InterScan Messaging Security Suite (IMSS) 7.1 Linux web console using Firefox, error “ssl_error_weak_server_ephemeral_dh_key”

- Updated:
- 24 Nov 2016
- Product/Version:
- InterScan Messaging Security Suite
- InterScan Messaging Security Suite 7.1 Linux
- Platform:
- Linux - Red Hat RHEL 4 32-bit
- Linux - Red Hat RHEL 5 32-bit
- Linux - Red Hat RHEL 6 32-bit
- Linux - SuSE 10
- Linux - SuSE 9.0

To fix this issue:

Open the file ${install_dir} \imss\UI\adminUI\conf\server.xml for editing.
Find port 8445 indicated by:
<Connector port="8445" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true” keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>
Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".

Supply the allowed cyphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2" :

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_R
C4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECD
SA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P25
6,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256
_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_
WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECD
HE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_
DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DS
S_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_1
28_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WIT
H_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"

Save and close the file.
Restart admin UI using the command “${install_dir} /imss/script/S99ADMINUI restart”.

If you are using EUQ, Trend Micro also recommends that you configure EUQ UI to prevent vulnerabilities:

For EUQ UI tomcat:

Open the file ${install_dir} /imss/UI/euqUI/conf/server.xml for editing.
Find port 8446 indicated by:
<Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true” keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>
Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".

Supply the allowed cyphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2" :

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_R
C4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECD
SA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P25
6,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256
_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_
WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECD
HE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_
DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DS
S_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_1
28_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WIT
H_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"

Save the file.
Restart EUQ UI using the command “${install_dir} /imss/script/S99EUQ restart”.

For EUQ UI apache:
1. Open the file ${install_dir}/imss/UI/euqUI/conf/EUQ.conf.
2. Add the following keys at the end of the file:
  SSLProtocol All -SSLv2 -SSLv3
  
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
  
  Note: Modify the values if SSLProtocol and SSLCipherSuite already exist.
3. Restart EUQ UI using the command “${install_dir} /imss/script/S99EUQ restart”.

Need More Help?

Cannot access InterScan Messaging Security Suite (IMSS) 7.1 Linux web console using Firefox, error “ssl_error_weak_server_ephemeral_dh_key”