Seems Chrome 45 and Firefox 40 are blocking DHE ciphers
We now get the following errors when browsing to the vRO Web Interface (and Configuration interface)
Tested this with the appliance versions of both vRO 6.0.1 and 6.0.2
Has anyone else experienced this? And are there any better workaround than using the "--cipher-suite-blacklist=" parameter in Chrome?
I've raised a support ticket with VMware, but thought it would be an idea to post here as well.
Chrome:
Server has a weak, ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case, the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.
Firefox:
Secure Connection Failed
An error occurred during a connection to vro-appliance-hostname:8283. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
You can try editing both server.xml files, in /etc/vco/app-server and /etc/vco/configuration. In server.xml, update the 'ciphers' attribute by removing the TLS_DHE_... ciphers. After that, restart the vco-server and vco-configuration services.
Thanks, now resolved. In case it helps anyone else here is what I changed:
/etc/vco/app-server/server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" emptySessionPath="true" keystoreFile="${catalina.base}/conf/security/jssecacerts" keystorePass="dunesdunes" URIEncoding="UTF-8"
maxHttpHeaderSize="163840" maxThreads="100" port="${ch.dunes.https-server.port}" address="${server.bind.address}" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
/etc/vco/configuration/server.xml
<Connector protocol="HTTP/1.1" SSLEnabled="true" clientAuth="false" emptySessionPath="true" URIEncoding="UTF-8"
keystoreFile="${catalina.base}/../app-server/conf/security/jssecacerts" keystorePass="dunesdunes"
maxHttpHeaderSize="16384" maxThreads="100" port="8283"
scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
Weak, ephemeral Diffie-Hellman algorithms are removed and this change will be available with the next vRO update releases (5.5.3 and 6.0.3)
I had the same issue. Thanks for your help!
The problem still exists in 6.0.3
Exactly where do you edit this, forgive my noobness, not a linux guru. thanks.
bbcconsults,
This solution is for the vRealize Orchestrator appliance.
What I do is I open PuTTY and connect to the vRealize Orchestrator IP address or FQDN
Login using root (and the matching password)
Next I browse to the folder using : cd /etc/vco/app-server/
Then I open vi to edit the server.xml file : vi server.xml
Type 'i' to insert text : i
Move your cursor to the text you want to delete and delete the keys we don't want
Press ESC to initiate exit from editing the file
type : ' :wq ' to quit editing and save the changes
Do the same for the other file
Next I browse to the folder using : cd /etc/vco/configuration/
Then I open vi to edit the server.xml file : vi server.xml
Type 'i' to insert text : i
Move your cursor to the text you want to delete and delete the keys we don't want
Press ESC to initiate exit from editing the file
type : ' :wq ' to quit editing and save the changes
reboot your server
done
kim
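The edit described twice in this thread (the early reply about removing the TLS_DHE_ ciphers from both server.xml files, and kim's vi walkthrough) as a small script, so both files get the identical change and a backup is kept. This is an added example, not code from the thread or from VMware; it assumes a POSIX sh with awk on the appliance, that the ciphers attribute is double-quoted on a single line as in the files posted above, and that the services are restarted with "service vco-server restart" and "service vco-configuration restart" (that command form is an assumption).

```shell
#!/bin/sh
# Added example, not from the thread: strip TLS_DHE_* suites from the
# ciphers="..." attribute of a Tomcat server.xml, the edit the thread does by hand.
# Assumptions: POSIX sh + awk; the attribute sits on one line, double-quoted.

# Drop every suite whose name starts with TLS_DHE_ from a comma-separated list.
filter_ciphers() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i !~ /^TLS_DHE_/) out = out (out == "" ? "" : ",") $i
        print out
    }'
}

# Exit 0 when the file still advertises a DHE suite in a ciphers attribute,
# non-zero otherwise; used as the post-edit check.
lists_dhe() {
    grep -q 'ciphers="[^"]*TLS_DHE_' "$1"
}

# Rewrite the ciphers="..." attribute in one server.xml in place, keeping
# a copy of the original as <file>.bak so the change can be reverted.
strip_dhe_from_file() {
    file="$1"
    cp "$file" "$file.bak" || return 1
    awk '
        {
            if (match($0, /ciphers="[^"]*"/)) {
                # RSTART+9 skips the text ciphers=" ; RLENGTH-10 drops both quotes
                list = substr($0, RSTART + 9, RLENGTH - 10)
                n = split(list, suite, ",")
                out = ""
                for (i = 1; i <= n; i++)
                    if (suite[i] !~ /^TLS_DHE_/) out = out (out == "" ? "" : ",") suite[i]
                $0 = substr($0, 1, RSTART - 1) "ciphers=\"" out "\"" substr($0, RSTART + RLENGTH)
            }
            print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage on the appliance, as root (service command form is an assumption):
#   . ./strip_dhe.sh
#   for f in /etc/vco/app-server/server.xml /etc/vco/configuration/server.xml; do
#       strip_dhe_from_file "$f" && lists_dhe "$f" && echo "still lists DHE: $f"
#   done
#   service vco-server restart; service vco-configuration restart
```

The script only removes suites; the connector keeps whatever non-DHE suites were already listed, so check the result with lists_dhe before restarting. With only TLS_RSA_* suites left, as in the files posted above, the connection no longer has forward secrecy; that is the trade-off this workaround accepts until the fixed releases mentioned in the thread.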