Can't access NetSight in Firefox 39 due to weak ephemeral Diffie-Hellman key


Firefox 39 has deprecated some older and weaker SSL/TLS options for security reasons. I know how to work around this error with about:config options, but how do I fix the config on the NetSight server for everyone? I'm currently running 6.2.0.211. Poking around it seems to be running JBoss, which I'm not familiar with at all.

Full error:

An error occurred during a connection to netsight.xxx:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Perfect, that did the trick. I had a quick look in the release notes and didn't see any mention of it though.
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Workaround without updating NMS is to edit
NetSight/appdata/NSJBoss.properties
remove all DHE ciphers under "enterasys.tomcat.ciphers="
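
Added example (not part of the thread and not Extreme Networks code): one way to apply the edit described in the post above without also dropping ECDHE suites, which a plain search for "DHE" would match. It assumes the value of enterasys.tomcat.ciphers is a single-line, comma-separated list of JSSE suite names; the sample file content and the `example.other.setting` key are constructed.

```python
import re

CIPHER_KEY = "enterasys.tomcat.ciphers"  # key name quoted in the post above

# Finite-field ephemeral DH suites are named TLS_DHE_* or SSL_DHE_* in JSSE.
# Anchoring at the start keeps TLS_ECDHE_* (elliptic-curve) suites in place.
DHE_PREFIX = re.compile(r"^(?:TLS|SSL)_DHE_")


def is_dhe(suite):
    return bool(DHE_PREFIX.match(suite.strip()))


def strip_dhe(properties_text):
    """Return (new_text, removed_suites); only the cipher line is rewritten."""
    out, removed = [], []
    for line in properties_text.splitlines(keepends=True):
        key, sep, value = line.partition("=")
        # A commented-out line has key "#enterasys..." and is left untouched.
        if sep and key.strip() == CIPHER_KEY:
            body = value.rstrip("\r\n")
            eol = value[len(body):]  # preserve the file's line ending
            suites = [s.strip() for s in body.split(",") if s.strip()]
            kept = [s for s in suites if not is_dhe(s)]
            removed += [s for s in suites if is_dhe(s)]
            if not kept:
                # An empty list would change which suites the server offers
                # in a way the workaround does not intend; stop instead.
                raise ValueError("removing DHE suites would leave no ciphers")
            line = f"{key}={','.join(kept)}{eol}"
        out.append(line)
    return "".join(out), removed


# Constructed sample content, not a real NSJBoss.properties.
SAMPLE = (
    "# constructed sample\n"
    "example.other.setting=unchanged\n"
    "enterasys.tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA\n"
)

if __name__ == "__main__":
    new_text, removed = strip_dhe(SAMPLE)
    print("removed:", removed)
    print(new_text, end="")
```

Keep a copy of the original file before writing the result back, and compare the removed list against what you expected to lose.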
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Hi all, this has been added to the Known Issues Addressed section of the release notes for both NetSight 6.2 and 6.3. It's included in 6.2 in build 211 and in 6.3 in build 142.

Thanks!
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Hi, we have 6.2.0.211 and are still facing the same issue with one of the NACs while the others are working fine.
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Hello Everyone,

We have three NACs with 6.2.0.211, and when we try to access NetSight NAC Manager > Tools > Registration Administration, the "Registration System Administration" page loads successfully for two of the NACs but not for the third one. We are seeing an error: "An error occurred during a connection to [i]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY"
Jason wrote:

James,

This is an issue that was fixed in 6.2.0.221. An upgrade will resolve that.

https://gtacknowledge.extremenetworks.com/articles/Solution/Server-has-a-weak-ephemeral-Diffie-Hellm...

Thanks,
Jason

Hello,

The fix for this issue should be in 6.2.0.221. Have you performed a workaround on the 2 NAC appliances that you are not having problems with?

Please upgrade to at least 6.2.0.221 or higher to fix the WEAK_SERVER_EPHEMERAL_DH_KEY issue.

Thanks
-Ryan
The NAC captive portal is suffering from the same. Will that be fixed in 6.2.0.221 as well?
Andre K. wrote:

The NAC captive portal is suffering from the same. Will that be fixed in 6.2.0.221 as well?

I've just upgraded my secondary NAC server to 6.2.0.221, and it has fixed the problem there too.
Andre K. wrote:

The NAC captive portal is suffering from the same. Will that be fixed in 6.2.0.221 as well?

Great news. Thanks for investigating!
I am running 6.2.0.221 and this did not fix the issue. I didn't notice the problem until Chrome v45 was released though.
Rob,

We are looking into this further with Chrome v45. Are you seeing this on the NetSight Server, NAC page or the NAC portal?

Thanks,
Jason
Yes, all of the above. With Firefox as well.

-Rob
Also, the fix mentioned in my case (1149931) takes care of the issue.
Rob Yamry wrote:

Also, the fix mentioned in my case (1149931) takes care of the issue.

Thanks Rob. I took a look at the case and discussed with some others as well. A few of us have re-tested with 6.2.0.221 and Chrome v45 but did not see the issue. Let us know if you have issues after the upgrade and we can dig into it again.

Regards,
Jason
