CafeX Critical Issue Bulletin 002 - Chrome 45 and Firefox 39

Introduction

Firefox 39 (ETA 30th June) and Chrome 45 (ETA sometime in late August) introduce new security features that prevent access to websites that use older encryption ciphers, such as the default Diffie-Hellman.

This can prevent access to the CaféX WBF (Web Plugin Framework), e.g. when you browse to https://your-server:8443/web_plugin_framework/webcontroller/ you get an error similar to:

Server has a weak, ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Note: This will also affect service URLs that are not behind a reverse proxy, e.g. services hosted in AWS with no reverse proxy protecting them.

Solution

Remove the older ciphers from the list of cipher suites used by FAS.

1. Make a backup of your fas.properties file

  • cd /opt/cafex/FAS-2.1*/domain/configuration
  • cp fas.properties fas.bak-<date>

2. Edit fas.properties and remove the weak encryption ciphers

  • vi fas.properties and make the following changes to the jsse cipher suites:

Before:

jsse.cipher.suites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

After:

jsse.cipher.suites=SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

3. Restart FAS from the command line

  • service fas restart
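
The following is an added example, not part of the original bulletin or CafeX tooling: a shell check that lists any RC4 or DHE suites still present in jsse.cipher.suites, which are the suites the After line drops. The function names and the sample files are assumptions made for illustration; the sample values are the Before and After lines above.

```shell
#!/bin/sh
# Added example, not CafeX code. Flags RC4 and ephemeral Diffie-Hellman (DHE)
# suites left in jsse.cipher.suites. Assumes the single-line key=value form.

# weak_suites FILE: print each flagged suite on its own line (nothing if clean).
weak_suites() {
    # Use the last definition of the key, split on commas, strip whitespace/CR.
    grep '^[[:space:]]*jsse\.cipher\.suites[[:space:]]*=' "$1" | tail -n 1 |
        sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t\r' |
        grep -E '_(DHE|RC4)_' || true
}

# check_fas_ciphers FILE: status 0 when no flagged suite remains, 1 otherwise.
check_fas_ciphers() {
    found=$(weak_suites "$1")
    if [ -n "$found" ]; then
        printf 'weak suites still enabled in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    printf 'no RC4 or DHE suites in %s\n' "$1"
}

# Constructed sample files holding the Before and After values from the bulletin.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'jsse.cipher.suites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA' > "$demo_dir/before.properties"
printf '%s\n' 'jsse.cipher.suites=SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA' > "$demo_dir/after.properties"

for f in "$demo_dir/before.properties" "$demo_dir/after.properties"; do
    check_fas_ciphers "$f" || echo '-> remove the suites listed above, then restart FAS'
done
```

To check a live system, call check_fas_ciphers with the path to the fas.properties file edited in step 2.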