Forum Discussion
NimbostratusERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY SSL error with Chrome 45
Hi,
The new Chrome browser version V45 seems to block access to ssl-sites using a public key smaller than 1024 bits. We offload the SSL for our websites to our LTM (V11.5.3) using a client SSL Profile :
ltm profile client-ssl /Common/our-profile { app-service none cert /Common/our-certificate.crt cert-key-chain { ourcertchain { cert /Common/xxx.crt chain /Common/xxx.crt key /Common/xxx.key passphrase xxxx } } chain /Common/xxxx.crt ciphers DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 defaults-from /Common/clientssl inherit-certkeychain false key /Common/xxxx.key passphrase xxxx renegotiation disabled
Which settings do we have to change to solve this Chrome 45 issue?
Thanks four your help.
Ivo
10 Replies
Brad_ParkerCirrus
Are you sure of your cipher string and LTM version? That error is related to DHE ciphers. Your version and cipher string should not be using any DHE ciphers, https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html. The link state DEFAULT doesn't contain DHE.
ITOPSNetwTeam_6I cross-checked the cipher string, and it is as mentioned above : DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 Also the Version is 11.5.3- Brad_ParkerI don't have an 11.5.3 box any where, but can you check the ciphers from your string by typing "tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4'" and ensure there are none using DHE/EDH?
- ITOPSNetwTeam_6Here's the output : tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 16: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 17: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 18: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 20: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 21: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 23: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 24: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
Brad_Parker_139Nacreous
Are you sure of your cipher string and LTM version? That error is related to DHE ciphers. Your version and cipher string should not be using any DHE ciphers, https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html. The link state DEFAULT doesn't contain DHE.
- ITOPSNetwTeam_6I cross-checked the cipher string, and it is as mentioned above : DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4 Also the Version is 11.5.3
- Brad_Parker_139I don't have an 11.5.3 box any where, but can you check the ciphers from your string by typing "tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4'" and ensure there are none using DHE/EDH?
- ITOPSNetwTeam_6Here's the output : tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW:!SSLv3:!RC4' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 10 DES-CBC3-SHA 192 TLS1 Native DES SHA RSA 11: 10 DES-CBC3-SHA 192 TLS1.1 Native DES SHA RSA 12: 10 DES-CBC3-SHA 192 TLS1.2 Native DES SHA RSA 13: 10 DES-CBC3-SHA 192 DTLS1 Native DES SHA RSA 14: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 15: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 16: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 17: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 18: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 19: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 20: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 21: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 22: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 23: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 24: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA
- ITOPSNetwTeam_6
The origin of the problem has been found: it turns out that the traffic from our test network for this site was erroneously routed to one of the member servers instead of the Virtual server, and this member server still uses DH. This (mis)configuration was introduced several years ago and functionally worked fine, so it remained unnoticed until now.
- Brad_ParkerThanks for the update. I thought I was going crazy. That version and cipher string shouldn't have been and isn't using DH. I'm glad you found it.
