Opening the vdp-configure URL in Chrome or Firefox fails with the error: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Article ID: 327057

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

When accessing the vdp_configure page on your VMware vSphere Data Protection appliance, you experience these symptoms:

  • You are unable to open the URL using either Chrome version 45 or later or Firefox version 39 or later
     
  • You see the error:

    ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


Environment

VMware vSphere Data Protection 5.5.x
VMware vSphere Data Protection 5.8.x
VMware vSphere Data Protection 6.0.x
VMware vSphere Data Protection 5.1.x

Cause

Firefox version 39 and later and Chrome version 45 and later disable Diffie-Hellman encryption schemes with weak keys to prevent the Logjam vulnerability. Because of this, the browser rejects encryption negotiations that use those keys, and the connection to the vdp_configure URL fails.

Resolution

This is a known issue affecting VMware vSphere Data Protection (VDP) versions 5.1, 5.5, 5.8, and 6.0.

This issue is resolved in:

To work around this issue, apply the hotfix attached to this Knowledge Base article.

To apply the attached hotfix file 2134491_VDP_dhe_hotfix.tar.gz:
  1. Copy the 2134491_VDP_dhe_hotfix.tar.gz file to the VDP appliance that is due for upgrade, into any suitable directory, such as /root or /tmp.
     
  2. Extract the 2134491_VDP_dhe_hotfix.tar.gz file by running this command:

    tar -zxvf 2134491_VDP_dhe_hotfix.tar.gz
     
  3. Navigate to the 2134491_VDP_dhe_hotfix directory by running this command:

    cd 2134491_VDP_dhe_hotfix
     
  4. Add execute permissions to the 2134491_VDP_dhe_hotfix.sh file by running this command:

    chmod a+x 2134491_VDP_dhe_hotfix.sh
     
  5. Run the 2134491_VDP_dhe_hotfix.sh command:

    ./2134491_VDP_dhe_hotfix.sh

Warning: This warning says the Diffie-Hellman cipher suite is not secure.

Notes:
  • The hotfix removes obsolete and vulnerable ciphers that are prone to the Logjam attack from the Tomcat configuration.
  • Installing this hotfix is mandatory to upgrade VDP using an affected browser, because the upgrade requires the user to connect to the vdp_configure URL.
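
The notes above say the hotfix removes Logjam-prone ciphers from the Tomcat configuration. As an added example (not VMware's code and not part of the hotfix), this Python check lists the finite-field DHE and export-grade suites that a TLS-enabled Tomcat Connector still offers. The server.xml content is a constructed sample rather than the appliance's real file, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the VDP appliance's real Tomcat configuration.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8543" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>"""


def classify(suite):
    """Return a reason string if the suite is Logjam-relevant, else None."""
    name = suite.upper()
    if "EXPORT" in name:
        return "export-grade suite"
    # Finite-field DHE only: ECDHE suites are not affected by Logjam.
    if name.startswith(("TLS_DHE_", "SSL_DHE_", "DHE-", "EDH-")):
        return "finite-field DHE suite (group size not visible in the name)"
    return None


def audit_server_xml(xml_text):
    """List (port, suite, reason) findings for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list: defaults decide, so it needs a manual look.
            findings.append((port, None, "no ciphers attribute; defaults apply"))
            continue
        for suite in (s.strip() for s in ciphers.split(",")):
            reason = classify(suite) if suite else None
            if reason:
                findings.append((port, suite, reason))
    return findings


if __name__ == "__main__":
    for port, suite, reason in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {suite or '(default list)'} -> {reason}")
```

An empty result for a Connector with an explicit cipher list means no DHE or export suite is configured there; the check reads configuration only and does not measure the DH group size the server actually negotiates.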

 

 


Attachments

2134491_VDP_dhe_hotfix.tar.gz