Layer7 API Management

  • 1.  Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 22, 2016 01:17 PM

    I have a requirement to use Chrome browser and test APIs with postman client. The current version of Chrome 48 is throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2. I have the self-signed CA certificate added to the Trusted certificates in Chrome. Is there anything else which I am missing?



  • 2.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Broadcom Employee
    Posted Feb 22, 2016 02:26 PM

    The following Knowledge Base Article addresses the issue you are seeing; the solution is to remove the weak cipher suites from the API Gateway's listen ports:

    https://na32.salesforce.com/kA050000000LSAz?srPos=0&srKp=ka0&lang=en_US

     

    You will need to login with your Layer 7 Support Portal credentials in order to view the knowledge base article.

     

    --Azad



  • 3.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Broadcom Employee
    Posted Feb 24, 2016 02:29 PM

    How to do this?  There is some helpful information on a previous thread here:

    How to change the Cipher Suites to the 8443 Listen Port?

    From the support article:

    The TLS providers used by the API Gateway do not provide a sufficiently strong public key component when using ephemeral Diffie-Hellman key exchange. This results in some browsers blocking requests to API Gateways. This behavior can be addressed by disabling all cipher suites that are using plain Diffie-Hellman (DH) or ephemeral Diffie-Hellman (DHE) without elliptic curve cryptography (ECDH or ECDHE). Cipher suites can be adjusted via the SSL/TLS Settings tab of the Listen Port Properties dialog. The procedure for selecting suites is documented here:

    Selecting Cipher Suites - CA API Gateway - 8.4 - CA Technologies Documentation. This also applies to previous versions.



  • 4.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 25, 2016 03:38 PM

    Thanks Simon for pointing out the exact reason.



  • 5.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2
    Best Answer

    Posted Feb 25, 2016 10:38 AM

    Siva,

    If you are unable to open or log in to the support knowledge base, do the below and it should go away:

    //Disable weak ciphers

    a. Open Policy Manager and connect to gateway on port 9443

    b. Tasks -> Manage Listen Ports -> Default HTTPS (8443) -> SSL/TLS Settings -> Uncheck any checked ciphers with _DE_ or _DHE_ algorithm  -> Ok -> Close

    Please be careful not to un-check ECDHE or ECDH, which are absolutely valid ciphers.

     

    An alternate option is to move the checked _DH_ and _DHE_ ciphers lower down in the list.

     

    Both of them do the trick. Let me know how it goes.

     

    Regards,

    Trinath
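
The selection rule from posts 3 and 5, as an added example that is not part of the original thread or of CA's tooling: it sorts cipher suite names into those to uncheck (DH/DHE) and those to leave alone by comparing the whole key-exchange label, so ECDHE and ECDH are never caught by a match on DHE or DH. It also accepts OpenSSL-style names, which goes beyond the names the thread discusses; the function names are hypothetical and the suite list is constructed sample data.

```python
import re

# Key-exchange labels that mean finite-field Diffie-Hellman: static (DH),
# ephemeral (DHE, or EDH in older OpenSSL names) and anonymous (ADH).
FINITE_FIELD_DH = {"DH", "DHE", "EDH", "ADH"}

def key_exchange(suite):
    """Return the first label of a suite name after an optional TLS/SSL prefix.

    Works for IANA/JSSE names (TLS_DHE_RSA_WITH_...) and OpenSSL names
    (DHE-RSA-AES128-SHA). Comparing whole labels, not substrings, is what
    keeps ECDHE and ECDH from being mistaken for DHE and DH.
    """
    labels = [p for p in re.split(r"[_-]", suite.strip().upper()) if p]
    if labels and labels[0] in ("TLS", "SSL"):
        labels = labels[1:]
    return labels[0] if labels else ""

def is_finite_field_dh(suite):
    return key_exchange(suite) in FINITE_FIELD_DH

def split_suites(enabled):
    """Return (keep, disable), both in the original preference order."""
    keep = [s for s in enabled if not is_finite_field_dh(s)]
    disable = [s for s in enabled if is_finite_field_dh(s)]
    return keep, disable

def demote_dh(enabled):
    """Alternative from the thread: move DH/DHE suites to the end of the list."""
    keep, disable = split_suites(enabled)
    return keep + disable

# Constructed sample list, not the gateway's actual defaults.
SAMPLE = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    keep, disable = split_suites(SAMPLE)
    print("uncheck:", *disable, sep="\n  ")
    print("leave checked:", *keep, sep="\n  ")
```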



  • 6.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 25, 2016 03:39 PM

    Thanks Trinath, those suggested changes worked.



  • 7.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 26, 2016 12:37 AM

    Hi Siva,

    Glad to know that :-)

    Regards,

    Trinath



  • 8.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 25, 2016 04:00 PM

    Hi Trinath,

     

    Did you mean to "Uncheck any checked ciphers with _DH_ or _DHE_ algorithm"? Because there are no ciphers with _DE_ algorithm in the list.

     

    Thanks,

    Atul Raut



  • 9.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 26, 2016 12:36 AM

    Hi Atul,

      If there are no _DH_ ciphers in the list then that's fine. The suggestion is, if they exist, take them off.

     

    Regards,

    Trinath



  • 10.  Re: Chrome browser throwing the err_ssl_weak_server_ephemeral_dh_key when trying to access the oauth manager version 8.2

    Posted Feb 26, 2016 01:21 PM

    Hi Trinath,

     

    I meant there was a typo in your original reply. I think you meant "_DH_" and not "_DE_". There are ciphers with "_DH_" in the list which are by default unselected.

     

    Thanks,

    Atul Raut