
Can't access Netsight in Firefox 39 due to weak ephemeral Diffie-Hellman key


James_A
Valued Contributor
Firefox 39 has deprecated some older and weaker SSL/TLS options for security reasons. I know how to work around this error with about:config options, but how do I fix the config on the NetSight server for everyone? I'm currently running 6.2.0.211. Poking around it seems to be running JBoss, which I'm not familiar with at all.

Full error:

An error occurred during a connection to netsight.xxx:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Hello,

The fix for this issue should be in 6.2.0.221. Have you performed a workaround on the 2 NAC appliances that you are not having problems with?

Please upgrade to at least 6.2.0.221 or higher to fix the WEAK_SERVER_EPHEMERAL_DH_KEY issue.

Thanks
-Ryan

Hello Everyone,

We have three NACs with 6.2.0.211, and we are trying to access Netsight NAC Manager>Tools>Registration Administration. The "Registration System Administration" page loads successfully for two of the NACs but not for the third one. We are seeing the error "An error occurred during a connection to . SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY"

Hi all, this has been added to the Known Issues Addressed section of the release notes for both NetSight 6.2 and 6.3. It's included in 6.2 in build 211 and in 6.3 in build 142.

Thanks!

mp2014
New Contributor II
A workaround without updating NMS is to edit
NetSight/appdata/NSJBoss.properties
and remove all DHE ciphers under "enterasys.tomcat.ciphers="

James_A
Valued Contributor
Perfect, that did the trick. I had a quick look in the release notes and didn't see any mention of it though.
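
The workaround above, sketched as an added example that is not part of any post in this thread and is not vendor code: it removes finite-field DHE suites from the `enterasys.tomcat.ciphers=` line while keeping ECDHE suites, which a plain search for "DHE" would also match. It assumes the value is a single comma-separated line of JSSE-style or OpenSSL-style suite names; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (assumption: the cipher list is one comma-separated line).

# strip_dhe: read a properties file on stdin, write the edited file to stdout.
strip_dhe() {
    awk '
    /^enterasys\.tomcat\.ciphers=/ {
        value = substr($0, index($0, "=") + 1)
        n = split(value, suite, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            s = suite[i]
            gsub(/^[ \t]+|[ \t]+$/, "", s)      # trim whitespace around each name
            if (s == "") continue
            # Drop finite-field DHE only. JSSE names: TLS_DHE_* / SSL_DHE_*;
            # OpenSSL names: DHE-* / EDH-*. Anchoring at the start keeps ECDHE.
            if (s ~ /^(TLS|SSL)_DHE_/ || s ~ /^(DHE|EDH)-/) continue
            out = (out == "" ? s : out "," s)
        }
        print "enterasys.tomcat.ciphers=" out
        next
    }
    { print }                                    # every other line is untouched
    '
}

# Constructed sample input; only the property name comes from the thread.
sample_properties() {
    cat <<'EOF'
# constructed sample, not a real NSJBoss.properties
some.other.key=value
enterasys.tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
EOF
}

sample_properties | strip_dhe
```

Write the output to a new file and diff it against a backup of the original before replacing it, and check that the remaining list is not empty.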