Trend Micro - Securing Your Journey to the Cloud Business
Success
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Cannot access InterScan Messaging Security Suite (IMSS) 7.1 Linux web console using Firefox, error “ssl_error_weak_server_ephemeral_dh_key”

    • Updated:
    • 24 Nov 2016
    • Product/Version:
    • InterScan Messaging Security Suite
    • InterScan Messaging Security Suite 7.1 Linux
    • Platform:
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - SuSE 10
    • Linux - SuSE 9.0
Summary

When using browsers such as Mozilla Firefox 39.0 to connect to IMSS 7.1 Linux web console, following error might occur:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error Code: ssl_error_weak_server_ephemeral_dh_key)

Details
Public

To fix this issue:

  1. Open the file ${install_dir} \imss\UI\adminUI\conf\server.xml for editing.
  2. Find port 8445 indicated by:

    <Connector port="8445" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true” keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

  3. Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
  4. Supply the allowed cyphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2" : 
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_R
C4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECD
SA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P25
6,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256
_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_
WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECD
HE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_
DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DS
S_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_1
28_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WIT
H_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
  5. Save and close the file.
  6. Restart admin UI using the command “${install_dir} /imss/script/S99ADMINUI restart”.

If you are using EUQ, Trend Micro also recommends that you configure EUQ UI to prevent vulnerabilities:

  • For EUQ UI tomcat:
    1. Open the file ${install_dir} /imss/UI/euqUI/conf/server.xml for editing.
    2. Find port 8446 indicated by:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true” keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

    3. Change sslProtocol="TLS" to sslProtocols="TLSv1, TLSv1.1, TLSv1.2".
    4. Supply the allowed cyphers by inserting the following right after "TLSv1, TLSv1.1, TLSv1.2" : 
      ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_R
C4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_
128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECD
SA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P25
6,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256
_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_
WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECD
HE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_
DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DS
S_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_1
28_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WIT
H_NULL_SHA256,TLS_RSA_WITH_NULL_SHA"
    5. Save the file.
    6. Restart EUQ UI using the command “${install_dir} /imss/script/S99EUQ restart”.
  • For EUQ UI apache:
    1. Open the file ${install_dir}/imss/UI/euqUI/conf/EUQ.conf.
    2. Add the following keys at the end of the file:

      SSLProtocol All -SSLv2 -SSLv3

      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP

       
      Note: Modify the values if SSLProtocol and SSLCipherSuite already exist.
    3. Restart EUQ UI using the command “${install_dir} /imss/script/S99EUQ restart”.
Premium
Internal
Partner
Rating:
Category:
Troubleshoot
Solution Id:
1111943
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.
Related Articles