Clarity


SSL weak error

  • 1.  SSL weak error

    Posted Jul 21, 2015 09:43 AM

    Hi All,

     

    When we connect to CA PPM using Firefox browser version 39.0, the SSL error below is thrown by the browser and we cannot reach the PPM login page:

     

    "An error occurred during a connection to clarity.global.ms.philips.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

        Please contact the website owners to inform them of this problem"

     

    We have checked that this issue probably appears when a browser does not support SSL encryption, and have seen other CA product users implement some changes in the server.xml file.

     

    Has anyone faced this issue? Please suggest some solution.

     

    Thanks,
    Pragya Singh



  • 2.  Re: SSL weak error

    Posted Jul 21, 2015 10:12 AM

    this is a "feature" of FF39's enhanced vulnerability blocking (you will get info if you google that message).

     

    the generic workaround (in Firefox)  that I know of is;

     

    If you want to downgrade the security on your Firefox to make it work (i.e. downgrade it to the same level as IE and Chrome), set this pref in about:config to FALSE and the site will work:


    security.ssl3.dhe_rsa_aes_128_sha


    I don't know what the right "Clarity" solution for this is though, perhaps something to do with your certificate?



  • 3.  Re: SSL weak error

    Posted Jul 21, 2015 10:26 AM

    Hello David,

     

    Thanks a lot for the workaround. This is working for FF39!

     

    Can you suggest any fix from the server side? Any changes in the server.xml file, like adding cipher codes?

     

    Thanks,

    Pragya Singh



  • 4.  Re: SSL weak error

    Posted Jul 21, 2015 10:30 AM

    "I don't know what the right "Clarity" solution for this is though"



  • 5.  Re: SSL weak error

    Posted Jul 21, 2015 10:41 AM

    Hello David,

     

    Thanks for the help. Will try to accommodate this workaround in the business and see if we really need a fix for it.

     

    Pragya Singh



  • 6.  Re: SSL weak error

    Broadcom Employee
    Posted Jul 21, 2015 10:44 AM

    Hi Pragya,

     

    Are you facing this on other browsers or only Firefox?

     

    Regards

    Suman Pramanik



  • 7.  Re: SSL weak error

    Broadcom Employee
    Posted Jul 21, 2015 10:45 AM

    Looks like a bug in Mozilla

     

    https://bugzilla.mozilla.org/show_bug.cgi?id=587407

     

    Regards

    Suman Pramanik



  • 8.  Re: SSL weak error

    Posted Jul 21, 2015 10:49 AM

    Hello Suman,

     

    It happens only for Firefox 39.0. I have also checked on Google and other sites; Firefox has implemented an advanced security feature to prevent weak DHE keys.

     

    Many other users are also facing this issue for other common websites.

     

    Thanks,

     

    Pragya Singh



  • 9.  Re: SSL weak error

    Broadcom Employee
    Posted Jul 21, 2015 10:55 AM

    Great, so no further fix required at the server side.

     

    Regards

    Suman Pramanik



  • 10.  Re: SSL weak error

    Posted Jul 21, 2015 11:00 AM

    Hi Suman,

     

    But I have seen that for another CA product, i.e. CA Workload Automation, a fix has been provided from the server side. Can we get something similar to that for CA PPM?

     

    WCC: Disable Weak Ciphers in SSL Mode

     

     

    This will resolve the issue permanently, and users can continue using Firefox 39 and above versions.

     

    My colleague has also noticed the same issue for Opera but I could not confirm now.

     

    Thanks,

    Pragya Singh



  • 11.  Re: SSL weak error

    Broadcom Employee
    Posted Jul 21, 2015 11:09 AM

    Hi Pragya,

     

    It depends from product to product whether we can handle it. So it would be worth raising a case to see if it is feasible for us to take a look. However, only the below browsers are supported with 14.2:

     

    ■ Microsoft Internet Explorer 10.0 and 11.0 and higher patch level (Microsoft Windows 7 and 8.1)

    ■ Microsoft Internet Explorer 9.0 and higher patch level

    ■ Microsoft Internet Explorer 8.0 and higher patch level3)

    ■ Firefox 30.0 and higher release2)

    ■ Firefox ESR 24.2.0 and higher patch level2)

    ■ Google Chrome 35 or higher release2)

     

    So Opera is not supported.

     

    Regards

    Suman Pramanik



  • 12.  Re: SSL weak error

    Posted Jul 21, 2015 11:13 AM

    Hi Suman,

     

    We are using an unsupported version of PPM, i.e. 12.1.3. So, on the case, we got the reply that a fix cannot be provided.

     

    Can you try a fix for the above versions? We will try to use it for ours.

     

    Thanks,

    Pragya Singh



  • 13.  Re: SSL weak error

    Broadcom Employee
    Posted Jul 21, 2015 11:23 AM

    Hi Pragya,

     

    I won't be able to commit anything on the fix as it's an End of Life product, so for the time being use the fix by Mozilla.

     

    Regards

    Suman Pramanik