Disclaimer:

All content provided in these articles is for informational purposes only.

Amitego gives no support or warranty for the accuracy or completeness of any information in these articles or found by following any link on this site.

Theme: OSGD     Audience: Administrators, System Integrators     Requirements: OSGD5.1, OSGD Gateway, Firefox 39.0

Symptom

After upgrading to Firefox 39.0, login to SGD via the gateway is no longer possible. The recent Firefox update fixes the Logjam vulnerability in the TLS protocol. This update produces the following error when you log in to OSGD via the Gateway: SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

This symptom arises because some cipher suites used by the OSGD Gateway (especially ssl3 suites) are vulnerable and are no longer considered secure against the Logjam threat.

Two possible workarounds are available: a serverside and a clientside approach. The serverside approach is preferable because it offers a general solution for the cipher suites and the Logjam threat.

Only OSGD 5.1 is affected by this issue. OSGD 5.2 is not affected.

Serverside Workaround

In this workaround some cipher suites have been removed from the original list of suites in order to get a working login with Firefox 39. The list of cipher suites used in this workaround is not exhaustive: other suites may work and have to be tested, and some suites not in this list may prove even more secure than the ones used here.

Selected suites can be tested for vulnerability, e.g. at https://www.ssllabs.com/ssltest/

To get the login to work again do the following steps:

1. Change to the gateway configuration directory: cd /opt/SUNWsgdg/etc

2. Edit ciphersuites.xml to contain this list of allowed ciphers:

<ciphersuites>
   <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_RSA_WITH_AES_256_CBC_SHA</cipher>
   <cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipher>
   <cipher>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</cipher>
</ciphersuites>

3. Check that /opt/SUNWsgdg/etc/gateway.xml refers to ciphersuites.xml in both SSL services:

<service id="sgd-ssl-service" class="SSL">
...
<keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client" password="/opt/SUNWsgdg/etc/password"/>
<xi:include href="ciphersuites.xml" parse="xml"/> <!-- here you see the reference -->
</service>
...
<service id="http-ssl-service" class="SSL">
...
<keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client" password="/opt/SUNWsgdg/etc/password"/>
<xi:include href="ciphersuites.xml" parse="xml"/> <!-- here you see the reference -->
</service>

4. Restart the OSGD Gateway: /opt/SUNWsgdg/bin/gateway restart
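As an added example (not from the article or the OSGD product), a small POSIX shell script that automates the checks behind steps 2 and 3: it lists the suites in a ciphersuites.xml, reports any that are not on the working list above, and confirms that gateway.xml includes the file in both SSL services. The sample files it creates are constructed; on a real gateway, point the functions at the files under /opt/SUNWsgdg/etc instead.

```shell
#!/bin/sh
# Added check script, not part of the article or the OSGD product: lists the
# suites in a ciphersuites.xml, reports any not on the article's working
# list, and checks that gateway.xml includes the file in both SSL services.
# Suites the article's serverside workaround leaves enabled.
ALLOWED="TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA \
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA \
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

# Print every <cipher> name in a ciphersuites.xml, one per line.
list_ciphers() {
    sed -n 's/.*<cipher>\([^<]*\)<\/cipher>.*/\1/p' "$1"
}

# Print the suites in the file that are not on the article's list.
unlisted_ciphers() {
    list_ciphers "$1" | while read -r c; do
        case " $ALLOWED " in
            *" $c "*) ;;      # on the list: nothing to report
            *) echo "$c" ;;
        esac
    done
}
# Succeed only if gateway.xml references ciphersuites.xml at least twice
# (once per SSL service, as step 3 of the article expects).
gateway_includes_ciphersuites() {
    n=$(grep -c 'xi:include href="ciphersuites.xml"' "$1" || true)
    [ "$n" -ge 2 ]
}
# Constructed sample files so the script runs offline; on a real gateway
# point the functions at /opt/SUNWsgdg/etc/ciphersuites.xml and gateway.xml.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ciphersuites.xml" <<'EOF'
<ciphersuites>
   <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipher>
   <cipher>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</cipher>
</ciphersuites>
EOF
cat > "$SAMPLE_DIR/gateway.xml" <<'EOF'
<service id="sgd-ssl-service" class="SSL">
<xi:include href="ciphersuites.xml" parse="xml"/>
</service>
EOF
echo "Suites not on the working list:"
unlisted_ciphers "$SAMPLE_DIR/ciphersuites.xml"
gateway_includes_ciphersuites "$SAMPLE_DIR/gateway.xml" \
    || echo "gateway.xml: fewer than two SSL services include ciphersuites.xml"
```

With the constructed sample, the script reports TLS_DHE_RSA_WITH_AES_128_CBC_SHA as not on the list and warns that only one SSL service includes ciphersuites.xml.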

Clientside Solution

1. Open a new tab in Firefox

2. Type about:config in the address bar and click the button promising to be careful

3. In the search box type ssl3

4. Find the following preferences and double-click each one to switch it from true to false:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

5. Restart Firefox

Copyright © VISULOX