How to work around ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY in Google Chrome


Introduction

I've noticed very little information on the above error on here, so I thought I'd add to our collective knowledge a bit. Recently, Google enabled some new security in Chrome with the update on Sept 1. Technically the fix was in Chrome before that, but it went fully active with the Sept 1 update.
This fix is intended to deal with the Logjam attack detailed at https://weakdh.org/
The problem is that the fix Google has implemented means you can't use Chrome to reach any website that would otherwise be vulnerable to this attack. This includes the internal admin pages of devices such as the Cisco RV42 router, or anything by Nimble (our personal experience here). When you try to open these pages, you simply get the error
Server has a weak ephemeral Diffie-Hellman public key
and can't go beyond that point. We already have some direction on here for Firefox, because Mozilla was smart enough to give us a way to work around the block:
http://community.spiceworks.com/how_to/121234-firefox-ver-39-can-t-access-webadmin-pages-for-cisco-u...
Google, however, in their infinite wisdom, has not implemented a similar workaround for their browser. All is not lost, though.
You can do one of three things to gain access to affected websites on Windows-based machines:

Steps (4 total)

1

Open a command prompt

1. Start / Run / cmd
2. Change directory to C:\Program Files (x86)\Google\Chrome\Application\
3. Run Chrome with the command-line option --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Note that the option only applies to a Chrome instance started this way. If Chrome is already running, the new window simply joins the existing process and the option is ignored, so close Chrome first.

2

Change the chrome shortcut (not recommended)

1. Add the command-line option from above, --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013, directly to your Chrome shortcut. This will fix the error, but it's not recommended, as it removes the DHE cipher suites for every site you visit, disabling security for websites that don't actually need it disabled.
3

Create a small powershell script to run chrome with the command line for those times you need the work around

1. Similar to the first option (which could also be done with a small batch file), create a new PS1 file and enter the following into it:
2. & 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
3. Optionally, use Set-Alias to create an alias that points at your PowerShell script, with a command like the following (give the script's full path if it isn't in a directory on your PATH):
Set-Alias -Name cwa -Value chrome-workaround.ps1
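As an added example (not the post's own script), here is the step 3 script extended so the weakened cipher list is only used for HTTPS URLs whose host is on an explicit allow-list, and only inside a separate Chrome profile directory. It assumes the Chrome path from step 1, uses constructed placeholder host names, and relies on Chrome's standard --user-data-dir switch, which the original post does not mention.

```powershell
# Added example (not from the original post): launch Chrome with the DHE suites
# blacklisted only for hosts on an explicit allow-list, and in a separate profile
# directory so the weakened settings never touch normal browsing.
# Assumptions: Chrome is installed at the path from step 1, the allow-list host
# names are constructed placeholders, and $env:LOCALAPPDATA is writable.
param([string]$Url)

$ChromePath = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'

# Same DHE cipher suite IDs as in step 1. Chrome will not offer these, so the
# server cannot negotiate a DHE suite and the weak-DH check never triggers.
$DheBlacklist = '0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013'

# Constructed placeholder host names; replace with your own internal devices.
$AllowedHosts = @('router.example.internal', 'nimble01.example.internal')

# Isolated profile: cookies and history from the weakened session stay separate.
$WorkaroundProfile = Join-Path $env:LOCALAPPDATA 'ChromeDheWorkaround'

function Test-AllowedUrl {
    param([Parameter(Mandatory)][string]$Target)
    try { $uri = [System.Uri]$Target } catch { return $false }
    # Only HTTPS URLs for hosts on the allow-list qualify for the workaround.
    return ($uri.Scheme -eq 'https') -and ($AllowedHosts -contains $uri.Host)
}

function Start-ChromeDheWorkaround {
    param([Parameter(Mandatory)][string]$Target)
    if (-not (Test-AllowedUrl $Target)) {
        Write-Error "Refusing to weaken cipher suites for '$Target': host is not on the allow-list."
        return
    }
    if (-not (Test-Path $WorkaroundProfile)) {
        New-Item -ItemType Directory -Path $WorkaroundProfile | Out-Null
    }
    $chromeArgs = @(
        "--cipher-suite-blacklist=$DheBlacklist",
        "--user-data-dir=`"$WorkaroundProfile`"",   # quoted in case the path has spaces
        "`"$Target`""
    )
    # A separate --user-data-dir also gives Chrome its own process, so the switch
    # takes effect even if a normal Chrome window is already open.
    Start-Process -FilePath $ChromePath -ArgumentList $chromeArgs
}

# Usage: .\chrome-workaround.ps1 https://router.example.internal/
if ($Url) { Start-ChromeDheWorkaround -Target $Url }
```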
4

Fix the website causing you problems (if possible)

This is the ideal fix, but in most cases it won't be achievable, for many possible reasons.
The server-side fix is to do whatever is needed to correct the weak Diffie-Hellman configuration; weakdh.org gives this guidance:
If you run a server…
If you have a web or mail server, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group. We have published a Guide to Deploying Diffie-Hellman for TLS with step-by-step instructions. If you use SSH, you should upgrade both your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman Key Exchange.
If you use a browser…
Make sure you have the most recent version of your browser installed, and check for updates frequently. Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack.
If you’re a sysadmin or developer …
Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.

Conclusion

Hopefully Google will take their head out of their rear and make their fix something that can be temporarily disabled in an upcoming release, but until then, one of the above options should help out Chrome users. Ideally, if it's an internal site, fix it by updating OpenSSH, etc.; otherwise I recommend options 1 or 3, and only use them for the special cases that actually need it. Please note that this workaround will not work if you have no control over how the browser is opened: anything that just sends you to a page via the default browser, for example a button in a program, will not have the command-line option enabled, and you might have to get a bit creative to overcome this.
