When using browsers such as Mozilla Firefox 39.0 to connect to the IMSS 7.1 Linux web console, the following error might occur:
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error Code: ssl_error_weak_server_ephemeral_dh_key)
To fix this issue:
- Open the file ${install_dir}/imss/UI/adminUI/conf/server.xml for editing.
- Find port 8445 indicated by:
<Connector port="8445" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>
- Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
- Supply the allowed ciphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2":
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
- Save and close the file.
- Restart admin UI using the command "${install_dir}/imss/script/S99ADMINUI restart".
If you are using EUQ, Trend Micro also recommends that you configure EUQ UI to prevent vulnerabilities:
- For EUQ UI tomcat:
  - Open the file ${install_dir}/imss/UI/euqUI/conf/server.xml for editing.
  - Find port 8446 indicated by:
    <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>
  - Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
  - Supply the allowed ciphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2":
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
  - Save the file.
  - Restart EUQ UI using the command "${install_dir}/imss/script/S99EUQ restart".
- For EUQ UI apache:
  - Open the file ${install_dir}/imss/UI/euqUI/conf/EUQ.conf.
  - Add the following keys at the end of the file:
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
    Note: Modify the values if SSLProtocol and SSLCipherSuite already exist.
  - Restart EUQ UI using the command "${install_dir}/imss/script/S99EUQ restart".
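
One way to review the Connector edits for ports 8445 and 8446 before restarting, as an added example that is not part of the original article or of Trend Micro's tooling: it parses server.xml and lists cipher names that are split by whitespace (as can happen when a long list is pasted with line wraps), that use ephemeral finite-field DH (the key exchange named in the Firefox error), or that rely on NULL, RC4, DES/3DES or MD5. The sample XML is constructed, and the function name audit_connector and the marker list are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed marker list: substrings that identify a weak suite, with the reason.
WEAK_MARKERS = [("_NULL_", "no encryption"), ("RC4", "RC4 stream cipher"),
                ("DES", "DES/3DES block cipher"), ("MD5", "MD5 MAC")]
# Ephemeral finite-field DH, the key exchange named in the Firefox error.
DHE_RE = re.compile(r"^(TLS|SSL)_DHE_")

# Constructed sample: an edited port 8445 Connector with a shortened cipher
# list, including one name split by a stray space from a wrapped paste.
SAMPLE_SERVER_XML = '''<Server><Service name="Catalina">
  <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="sslkey/.keystore" clientAuth="false"
    sslProtocols="TLSv1, TLSv1.1, TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_R C4_128_SHA,
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_RSA_WITH_NULL_SHA"/>
</Service></Server>'''


def audit_connector(xml_text, port):
    """Return (ciphers, findings) for the <Connector> on the given port."""
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("Connector")
                 if c.get("port") == str(port)), None)
    if conn is None:
        raise ValueError(f"no Connector on port {port}")
    raw = conn.get("ciphers")
    if raw is None:
        return [], [("<none>", "no ciphers attribute; defaults apply")]
    ciphers = [c.strip() for c in raw.split(",") if c.strip()]
    findings = []
    for name in ciphers:
        if re.search(r"\s", name):
            # Suite names contain no whitespace, so this entry matches nothing.
            findings.append((name, "whitespace inside name"))
            continue
        if DHE_RE.match(name):
            findings.append((name, "ephemeral finite-field DH"))
        findings.extend((name, why) for tag, why in WEAK_MARKERS if tag in name)
    return ciphers, findings


if __name__ == "__main__":
    for name, reason in audit_connector(SAMPLE_SERVER_XML, 8445)[1]:
        print(f"{name}: {reason}")
```

To audit a live installation, pass the contents of the adminUI or euqUI server.xml with port 8445 or 8446 respectively.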