Server has a weak ephemeral Diffie-Hellman public key. How to by-pass it?

Question

While I'm trying to visit a specific website (that one: https://login.uj.edu.pl) I'm getting ERR_INVALID_ARGUMENT error. Here is the problem: "Server has a weak ephemeral Diffie-Hellman public key". More about the issue there: https://productforums.google.com/forum/#!topic/chrome/o3vZD-Mg2Ic

I know that it should be fixed by a webmaster but until it happens I have to access the page every day anyway. I found an extension to Firefox to avoid this error: https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

Now i want to get rid of the error in Google Chrome (well, Chromium actually). Is there any possibility to make it work? It's my university's page and it can take years for the site administrator to fix that secure connection issue.

What's strange the problem occurs in Linux only, in all the browsers. In Windows, Chrome-OS or Android there is nothing wrong. I know that using insecure connection is wrong but in that case I have no choice.

EDIT: I cannot accept any solution because the site I was trying to access changed its encryption to the right one. Now I can't test your solutions because the problem is already solved by site admins.

Answer 1

Are you by any chance on the Chrome development channel, or possibly the Beta channel? I know that the dev channel currently has some stricter rules on SSL keys, and Beta might as well. You might try getting the stable release from https://www.chromium.org/getting-involved/dev-channel and see if that runs without the error.

Answer 2

I found the solution for apache tomcat in this stackoverflow question, I just copy the solution:

Just edit 'conf/server.xml' adding the 'ciphers' attribute to your https connector:

 <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...

Practically you're explicitly defining the list of allowed ciphers, excluding the Diffie-Hellman ones (the one with 'DHE' in the name).

Answer 3

The solution is:

Type in your browser (I tried in Iceweasel)

    about:config 

Search for

    security.ssl3.dhe_rsa_aes_128_sha 

    security.ssl3.dhe_rsa_aes_256_sha 

Set them both to false (just double click to set them to false or true).

That's it!

Answer 4

I have also facing this issue and resolved by @Duccio Fabbri answer,

 --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

I don't know why this works but it works, for permanent use of this you can follow below step.

1. Go to browser short cut
2. Right click and Go to properties
3. Go to Short cut tab

4. Go to Target textbox, in this you will find your chrome full path , add above string at the end of path. and it will look like

   "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

5. Apply and close it.

Now it will work.when you open it next time.

Answer 5

At Fireforx I was facing the same problem, I did the following changes and it worked for me,

Firefox:

1. Go to about:config from browser tab

2. Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha parameter.

3. Set them both to false.

Answer 6

Quick hack to get around this issue (Mac OSX)

• Run this in commandline to workaround the issue while launching Chrome

Chrome:

• open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Canary:

• open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

For Firefox

• Go to about:config
• Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
• Set them both to false.

NOTE: Permanently fix would be to update the DH key with a length > 1024

Answer 7

This solution worked for me:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

The recent release (Sep. 1) to Chrome 45 contains the fix for the Logjam attack as detailed in https://weakdh.org but it introduce this kind of problem.

I found it in this post

Answer 8

Open Server.xml file in your tomcat and set attribute "ciphers"

<Connector port="8007" protocol="AJP/1.3" redirectPort="8443" ciphers="SSL_RSA_WITH_RC4_128_SHA" />

Answer 9

I was also getting this error, I reset the chrome settings to fix it: Settings > show advanced settings > Reset setting

Answer 10

Use netsurf (netsurf aur) on that site. I am on the same boat with you. Using Arch and Chromium and Firefox both refuses to enter certain websites. Netsurf can do the job for me.