Intelligence Center gives "Server has a weak ephemeral Diffie-Hellman public key" response when accessed over SSL

Article ID: 168837

Updated On:

Products

PacketShaper S-Series IntelligenceCenter

Issue/Introduction

Some of the SSL ciphers offered by the default configuration of the Tomcat server included in the Intelligence Center package are flagged as weak by modern browsers. This can be corrected with a small configuration change.

Resolution

Follow this procedure to update the configuration:
  1. Browse to your Intelligence Center installation directory, for example C:\BlueCoat\IntelligenceCenter\apache-tomcat-6.0.33\webapps\ROOT\conf\
  2. Open server.xml in your preferred text editor and use the search function to find the following string: "ciphers=". This will take you to approximately line 164.
  3. The value between the quotation marks is the complete list of SSL ciphers offered to SSL clients. Delete everything between the quotes, so that you are left with the line ending: ciphers="" />
  4. Paste the following line between those quotation marks (note that this is all one line; it is broken here for clarity, and the pasted text must contain no line breaks):
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA
  5. Save and close server.xml.
  6. Click Start, type "services.msc", and open the Services dialog.
  7. Select "Blue Coat IntelligenceCenter 3.x.x.x" from the list, and restart the service.
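
To confirm the edit took effect, the following added example (not part of the original article and not vendor code) parses a server.xml and compares each Connector's ciphers attribute with the list from step 4, which contains no TLS_DHE_ suites. The sample Connector, its port 8443 and the "before" cipher value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Cipher list from step 4 of the article, one entry per suite.
ARTICLE_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed sample input: a minimal server.xml before and after the change.
OLD_VALUE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
SAMPLE_BEFORE = f'''<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             ciphers="{OLD_VALUE}" />
</Service></Server>'''
SAMPLE_AFTER = SAMPLE_BEFORE.replace(OLD_VALUE, ",".join(ARTICLE_CIPHERS))

def audit_ciphers(server_xml_text):
    """Return one finding dict per <Connector> that has a ciphers attribute."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        raw = conn.get("ciphers")
        if raw is None:
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        findings.append({
            "port": conn.get("port"),
            # Step 4 requires a single line: flag stray breaks or spaces.
            "has_breaks": any(ch.isspace() for ch in raw),
            # "_DHE_" matches finite-field DHE suites but not "_ECDHE_".
            "dhe": [s for s in suites if "_DHE_" in s],
            "not_in_article": [s for s in suites if s not in ARTICLE_CIPHERS],
            "missing": [s for s in ARTICLE_CIPHERS if s not in suites],
        })
    return findings

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_ciphers(text))
```

To audit a real installation, pass the contents of server.xml to audit_ciphers() in place of the constructed samples.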