This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Can't access Netsight in Firefox 39 due to weak ephemeral Diffie-Hellman key

Can't access Netsight in Firefox 39 due to weak ephemeral Diffie-Hellman key

James_A
Valued Contributor

‎07-16-2015 12:57 PM

Firefox 39 has deprecated some older and weaker SSL/TLS options for security reasons. I know how to work around this error with about:config options, but how do I fix the config on the NetSight server for everyone? I'm currently running 6.2.0.211. Poking around it seems to be running JBoss, which I'm not familiar with at all.

Full error:

An error occurred during a connection to netsight.xxx:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
14 REPLIES 14

Ryan_Yacobucci
Extreme Employee
In response to Jason1

‎07-16-2015 01:09 PM

Hello,

The fix for this issue should be in 6.2.0.221. Have you performed a workaround on the 2 NAC appliance that you are not having problems with?

Please upgrade to at least 6.2.0.221 or higher to fix the WEAK_SERVER_EPHEMERAL_DH_KEY issue.

Thanks
-Ryan
0 Kudos

Rajesh_Chaubey
New Contributor
In response to Jason1

‎07-16-2015 01:09 PM

Hello Everyone,

We have three NAC's with 6.2.0.211 and when we are trying to access Netsight NAC Manager>Tools>Registration Administration. The "Registration System Administration" page loads successfully for the two NAC's but not for one 3rd one. We are seeing an error "An error occurred during a connection to . SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
0 Kudos

John_Moore
Extreme Employee
In response to Jason1

‎07-16-2015 01:09 PM

Hi all, this has been added to the Known Issues Addressed section of the release notes for both NetSight 6.2 and 6.3. It's included in 6.2 in build 211 and in 6.3 in build 142.

Thanks!
0 Kudos

mp2014
New Contributor II
In response to Jason1

‎07-16-2015 01:09 PM

workaround without updateing NMS is to edit
NetSight/appdata/NSJBoss.properties
remove all DHE ciphers under "enterasys.tomcat.ciphers="

0 Kudos

James_A
Valued Contributor
In response to Jason1

‎07-16-2015 01:09 PM

Perfect, that did the trick. I had a quick look in the release notes and didn't see any mention of it though.
0 Kudos
GTM-P2G8KFN