"Server has a weak ephemeral Diffie-Hellman public key" error

Applies to: Denodo 7.0, Denodo 5.0
Last modified on: 26 Mar 2018
Tags: Tomcat Error handling SSL Web Services

Content

The following error message can appear when the user attempts to access a Denodo published web service while SSL is enabled in the internal Tomcat.

Server has a weak ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

This issue occurs when the browser rejects the ephemeral Diffie-Hellman key generated by the Java version used by the Denodo Platform, because the browser considers that key too weak. This can happen if the Denodo Platform is using Java 6, and it is most likely to appear after a browser update. One possible solution is therefore to update the JVM used by Tomcat. However, a simpler solution is to configure Tomcat with an explicit list of cipher suites for SSL, one that does not contain the ephemeral Diffie-Hellman (DHE) suites that trigger the error.

 

To configure Tomcat to use this cipher list, replace the following Tomcat HTTPS connector in <DENODO_HOME>/resources/apache-tomcat/conf/server.xml:

 

    $OPENCOMMENT
    <Connector port="${com.denodo.tomcat.https.port}" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               scheme="https" secure="true" SSLEnabled="true"
               protocols="TLSv1.2" honorCipherOrder="true"
               sendReasonPhrase="true"
               keystoreFile="${com.denodo.security.ssl.keyStore}"
               keystorePass="${com.denodo.security.ssl.keyStorePassword}"/>
    $CLOSECOMMENT

with:

    $OPENCOMMENT
    <Connector port="${com.denodo.tomcat.https.port}" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               scheme="https" secure="true" SSLEnabled="true"
               protocols="TLSv1.2" honorCipherOrder="true"
               sendReasonPhrase="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${com.denodo.security.ssl.keyStore}"
               keystorePass="${com.denodo.security.ssl.keyStorePassword}"/>
    $CLOSECOMMENT

After the change, Tomcat needs to be restarted. To restart Tomcat, the following commands can be issued from the VQL Shell:

WEBCONTAINER STOP

WEBCONTAINER START
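As an added check (example code written for this article, not part of the Denodo product or its documentation), the following Python script reads the ciphers attribute of every SSLEnabled connector in a server.xml document, flags the DHE suites whose server key triggers the browser error, and also flags suites that provide no encryption, use RC4 or 3DES, or lack forward secrecy. Run over the article's replacement list, it confirms that no DHE suite remains and reports the NULL, RC4 and 3DES suites that list still contains; the sample server.xml, its port and its keystore path are constructed.

```python
"""Audit the cipher suites of Tomcat HTTPS connectors in a server.xml document."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real Denodo server.xml): one HTTPS connector whose list
# still contains a DHE suite, the kind of configuration that triggers the browser error.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9443" scheme="https" secure="true" SSLEnabled="true" protocols="TLSv1.2"
             ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
             keystoreFile="/placeholder/keystore.jks" keystorePass="placeholder"/>
  <Connector port="9090" protocol="HTTP/1.1"/></Service></Server>"""

# The replacement cipher list from the article, copied verbatim (spaces removed).
ARTICLE_CIPHERS = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,"
    "TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA")

# Substrings of JSSE suite names and the finding each one implies.
WEAK_MARKERS = (("_DHE_", "ephemeral-dh"),      # finite-field DHE: the family behind the error
                ("_NULL_", "no-encryption"),    # NULL cipher: authenticated but unencrypted
                ("_RC4_", "rc4"), ("_3DES_", "3des"))


def classify(suite):
    """Return the findings for one suite name; an empty list means nothing to report."""
    flags = [label for marker, label in WEAK_MARKERS if marker in suite]
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        flags.append("no-forward-secrecy")  # static RSA or static ECDH key exchange
    return flags


def audit(ciphers_attr):
    """Map each suite in a Tomcat 'ciphers' value that has findings to those findings."""
    suites = [s.strip() for s in ciphers_attr.split(",") if s.strip()]  # tolerate spaces
    return {s: classify(s) for s in suites if classify(s)}


def audit_server_xml(server_xml):
    """Audit every connector with SSLEnabled="true" in a server.xml string, keyed by port."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): audit(c.get("ciphers", ""))
            for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"}
```

A connector with no ciphers attribute audits as empty here, because the suites then come from the JVM defaults rather than from server.xml.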
