Disclaimer:

All content provided in these articles is for informational purposes only.

Amitego gives no support or warranty for the accuracy or completeness of any information in these articles or found by following any link on this site.

Theme: OSGD     Audience: Administrators, System Integrators

Requirements: OSGD5.1, OSGD Gateway, Firefox 39.0


Symptom


After upgrading to Firefox 39.0, logging in to SGD via the Gateway is no longer possible. This Firefox update fixes the Logjam vulnerability against the TLS protocol.

After the update, the following error appears when you log in to OSGD via the Gateway:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

This symptom arises because some cipher suites used by the OSGD Gateway (especially SSL3 suites) are vulnerable and are no longer considered secure against the Logjam threat.

Workaround


In this workaround, some cipher suites have been removed from the original list of suites in order to get a working login with Firefox 39.

The list of cipher suites used in this workaround is not complete. Other suites may work and have to be tested.

In fact, some suites not in this list may prove even more secure than the ones in this workaround.

Selected suites can be tested for vulnerability, e.g. at https://www.ssllabs.com/ssltest/


To get the login to work again, do the following steps:

1. Change to the Gateway configuration directory:
cd /opt/SUNWsgdg/etc

2. Edit ciphersuites.xml so that it contains this list of allowed ciphers:
<ciphersuites>
   <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_RSA_WITH_AES_256_CBC_SHA</cipher>
   <cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipher>
   <cipher>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</cipher>
</ciphersuites>

3. Check that /opt/SUNWsgdg/etc/gateway.xml refers to ciphersuites.xml (the xi:include line in each SSL service is the reference):
<service id="sgd-ssl-service" class="SSL">
...
<keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client" password="/opt/SUNWsgdg/etc/password"/>
<xi:include href="ciphersuites.xml" parse="xml"/> <!-- here you see the reference -->
</service>
...
<service id="http-ssl-service" class="SSL">
...
<keystore file="/opt/SUNWsgdg/proxy/etc/keystore.client" password="/opt/SUNWsgdg/etc/password"/>
<xi:include href="ciphersuites.xml" parse="xml"/> <!-- here you see the reference -->
</service>

4. Restart the OSGD Gateway:
/opt/SUNWsgdg/bin/gateway restart
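As an added check after steps 2 and 3 (example code, not from Amitego or the OSGD product), the following Python script parses a ciphersuites.xml and a gateway.xml fragment: it flags export-grade and anonymous DH suites for removal, marks DHE suites whose acceptance by Firefox 39 depends on the server's DH group being at least 1024 bits, and lists SSL services that do not include ciphersuites.xml. Both XML documents below are constructed samples, not the Gateway's real configuration.

```python
# Added example, not Amitego's or OSGD's own code: sanity-check the two Gateway
# files the workaround edits, using constructed sample content embedded below.
import xml.etree.ElementTree as ET
XI_NS = "http://www.w3.org/2001/XInclude"  # namespace the xi: prefix maps to

# Constructed ciphersuites.xml (not the Gateway's original list): two workaround suites
# plus two suites of the kind Logjam abuses (export-grade DH, unauthenticated DH).
CIPHERSUITES_XML = """<ciphersuites>
   <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
   <cipher>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipher>
   <cipher>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</cipher>
   <cipher>SSL_DH_anon_WITH_RC4_128_MD5</cipher>
</ciphersuites>"""

# Constructed gateway.xml fragment modelled on step 3; the second service deliberately omits the include.
GATEWAY_XML = f"""<gateway xmlns:xi="{XI_NS}">
  <service id="sgd-ssl-service" class="SSL">
    <xi:include href="ciphersuites.xml" parse="xml"/>
  </service>
  <service id="http-ssl-service" class="SSL">
    <cipher>TLS_RSA_WITH_AES_128_CBC_SHA</cipher>
  </service>
</gateway>"""


def classify_suites(xml_text):
    """Map each <cipher> to 'weak' (remove it), 'check-dh' (ephemeral DH: Firefox 39
    rejects it if the server's DH group is shorter than 1024 bits) or 'ok'."""
    verdicts = {}
    for cipher in ET.fromstring(xml_text).iter("cipher"):
        name = cipher.text.strip()
        if "EXPORT" in name or "_anon_" in name:
            verdicts[name] = "weak"
        elif "_DHE_" in name:
            verdicts[name] = "check-dh"
        else:
            verdicts[name] = "ok"
    return verdicts


def services_without_include(xml_text, href="ciphersuites.xml"):
    """Return ids of class="SSL" services that do not xi:include the cipher list."""
    missing = []
    for svc in ET.fromstring(xml_text).iter("service"):
        if svc.get("class") != "SSL":
            continue
        if not any(el.get("href") == href for el in svc.iter(f"{{{XI_NS}}}include")):
            missing.append(svc.get("id"))
    return missing
```

Run it against the real files by reading /opt/SUNWsgdg/etc/ciphersuites.xml and gateway.xml into the two functions; any 'weak' verdict or a non-empty missing list means step 2 or 3 is not yet complete.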


Copyright © VISULOX