Self-Solve Knowledge Search

Minimize Maximize
Mozilla Firefox ESR 31.8.0, ESR 38.1 and 39 (non ESR) updates causing NA User In...
Title :
Mozilla Firefox ESR 31.8.0, ESR 38.1 and 39 (non ESR) updates causing NA User Interface failing to launch
Document ID :
KM01733196
Product - Version:
network automation ;
OS :
Updated :
Thu Jul 23 18:21:44 GMT 2015
Summary :
When launching Network Automation, Mozilla Firefox may reject the connection with a "Secure Connection Failed" error message

Mozilla Firefox in the versions mentioned above only accept 1024-bit Diffie-Hellman (DH) keys. When an application or user tries to connect using the DH cipher with a smaller key, Mozilla Firefox blocks the connection without attempting to use another cipher.

The error message may be similar to:

Secure Connection Failed. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephermeral_dh_key)

Solution

There are two methods to solve this problem. Only one of the methods is immediately required but both can be implemented at the same time.


Method 1. Change the Mozilla Firefox client browser configuration to disable the Diffie-Hellman cypher.

*This method may prevent other applications that only support the Diffie-Hellman cipher from working properly.

  1. Open the Mozilla Firefox browser.
  2. Enter “about:config” in the URL box.
  3. Enter “ssl3” in the search box and hit Enter.
  4. Locate the following properties:

          a.  Firefox ESR 31.8, ESR 38.1 and 39 (non ESR)

                      1.    security.ssl3.dhe_rsa_aes_128_sha

                      2.    security.ssl3.dhe_rsa_aes_256_sha

                b.    Firefox ESR 31.8

                      1.    There are more ssl3.dhe_* entries

                      2.    Do step 5 and 6 for all of the ssl3.dhe_* entries

              

          5.   Review the “Value” column for the properties.

          6.    If the property value is “true”, double click on the property row to set the value to “false”



Method 2. Change Network Automation web server configuration to disable the Diffie-Hellman cypher.

*This method requires application downtime as NA needs to be restarted if running.

NOTE: Network Automation has to be upgraded to the latest patch level before doing the following configuration change. If you have installed NA 9.20.00 you will need to install patch 9.22.02. If you have installed NA 10.00, you don't need to install the latest patch to solve this issue but we strongly recommend to install patch 10.00.01. Both patched contain other security fixes of importance. The mentioned patches are the latest patches when this document was written.


To configure the NA web server to disable the Diffie-Hellman cypher, follow the instructions below to configure the java.security file

Configure the java.security file to disable the Diffie-Hellman (DH) algorithm

File location on UX based O.S:

$NAInstallDir/jre/lib/security/

Example: /opt/NA/jre/lib/security/

 
File location on Windows O.S:

%NAInstallDir%\jre\lib\security\

Example: C:\NA\jre\lib\security



1. Within the java.security file, find the following property
 

       jdk.tls.disabledAlgorithms

  
2. If the property is commented, add a new line using the example mentioned in the next lines.

3. Add the following algorithms to the "disabledAlgorithms" list:

       SSLv3

       RC4
       DH


     Example. The following is how it should look:

 
        jdk.tls.disabledAlgorithms=SSLv3, RC4, DH

        *This setting disables SSLv3, RC4 and DH
        *If the property existed and was uncommented, simply add SSLv3, RC4 and DH to the existing list.
 

4. Restart NA services.

 

Note about the jdk.tls.disabledAlgorithms property

 

As the name suggests, this property controls which algorithms will be disabled to be used by this product during secure (TLS) communications. This means that any algorithm (also known as cipher) found in this list (when uncommented) will no longer be accepted or used for secure communications. Example of secure communications used by this product can be:

  • HTTPs (Secure HTTP)
  • LDAPs (Secure LDAP)

Care should be taken when configuring this property as other applications that need to communicate securely with this product can be dependant on the algorithm being disabled. Although highly unlikely, applications with support for a single cipher that is being disabled by this property will no longer be able to communicate securely with this product causing communication failure.

 

By default, the java.security file comes with the property commented and with a few algorithms in the list. The following is an example for a default configuration in an JDK7 installation
          #   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

 

If during the configuration suggested in this article, the disabledAlgorithms property ends up configured as the following example, a large number of highly known and well supported algorithms will be disabled, and the chances that certain applications that only support such algorithms fail will increase.

 

Should you encounter this scenario, or any other scenario where secure communication are broken following this configuration change, the following approach is suggested:

 

1. Leave the default property commented out.
2. Start with a new property with the minimun required values as follows:
     jdk.tls.disabledAlgorithms=SSLv3, RC4, DH
3. Add algorithms one at a time to the list.
4. Restart NA and test all secure communications.
5. Repeat steps 3-4 untill all algorithms have been added.

If you encounter that disabling a specific algorithm breaks your secure communications with a third product:

 

1. Review the other product's documentation to find out if support for other algorithms can be added so that it does not depend on the specific algorithm being blocked.

2. If no good results, open up a support case to have this validated by HP