Java 如何修复 ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31310526/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to fix ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
提问by Kal
I have a website and recently chromestarted returning this error when trying to access it:
我有一个网站,最近chrome在尝试访问它时开始返回此错误:
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
It's a java+jsp website and it runs on apache tomacat. It also uses Verisign certification, but I've read that the error is not related to this certificate.
它是一个 java+jsp 网站,它在 apache tomacat 上运行。它还使用 Verisign 认证,但我读过该错误与此证书无关。
Thanks for any help.
谢谢你的帮助。
采纳答案by Kal
I fixed it following this: http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/277/0/workaround-for-tomcat-ssl-tls-logjam-vulnerability
我修复了它:http: //support.filecatalyst.com/index.php?/Knowledgebase/Article/View/277/0/workaround-for-tomcat-ssl-tls-logjam-vulnerability
To sum up, I edited server.xml.
综上所述,我编辑了server.xml。
On the connector protocol, I changed the property
在连接器协议上,我更改了属性
Protocol="TLS"
for
为了
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
and added the property
并添加了属性
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
回答by Steffen Ullrich
Your server is using weak Diffie-Hellman keys and might thus be affected by the Logjamattack. Because of this attack more and more browser and TLS stacks increase their minimum length of the DH key to 768 or 1024 bit. Probably the OpenSSL version you are using in your server uses a 512 bit DH key by default, which is too small. You need to fix this by explicitly setting a larger DH key in your server configuration. How this is done depends on the server, see Guide to Deploying Diffie-Hellman for TLSfor details.
您的服务器正在使用弱 Diffie-Hellman 密钥,因此可能会受到Logjam攻击的影响。由于这种攻击,越来越多的浏览器和 TLS 堆栈将其 DH 密钥的最小长度增加到 768 或 1024 位。您在服务器中使用的 OpenSSL 版本可能默认使用 512 位 DH 密钥,这太小了。您需要通过在服务器配置中显式设置更大的 DH 密钥来解决此问题。如何完成取决于服务器,有关详细信息,请参阅为 TLS 部署 Diffie-Hellman 指南。
回答by Yuhong Bao
If you have a support contract with Oracle, you can download the latest version of Java 6/7 which raises the DHE encryption to 1024-bit in JSSE.
如果您与 Oracle 签订了支持合同,则可以下载最新版本的 Java 6/7,它将 JSSE 中的 DHE 加密提高到 1024 位。
回答by Pawe? Pra?ak
There is a workaround (warning: this creates a security vulnerability!)
有一个解决方法(警告:这会造成安全漏洞!)
Use this parameter launching chrome:
使用此参数启动 chrome:
--cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013
Parameters explanation:
参数说明:
0x0088 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
0x0087 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
0x0039 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
0x0038 TLS_DHE_DSS_WITH_AES_256_CBC_SHA
0x0044 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
0x0045 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
0x0066 TLS_DHE_DSS_WITH_RC4_128_SHA
0x0032 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
0x0033 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
0x0013 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Sources:
资料来源:
回答by Tom Hennen
I was able to fix this problem by setting the system property jdk.tls.ephemeralDHKeySize to 1024 (or 2048).
我能够通过将系统属性 jdk.tls.ephemeralDHKeySize 设置为 1024(或 2048)来解决这个问题。
