In the company that I work we have a server GF 3.1.1 (JDK 6) with CAS which does the authentication of the users in another system. After the last update of Firefox (v. 39x) we are getting the follow information from the browser:
mydomain.com SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
And it is not possible to access the site without this workaround or using another browser. In chrome I can access normally but if I look at the connection properties it says:
Your connection is encrypted with obsolete cryptography.
The connection uses TLS 1.0.
The connection is encrypted using AES_128_CBC, with SHA1 for message authentication an DHE_RSA as the key exchange mechanism.
I can't configure all the browsers of our customers or say them only use chrome. Maybe in future chrome can do the same. So my solution is configure the server properly. The problem is that I don't know how can I do that.
I found in GF where I can do the configuration in Configurations > server-config > Network Config > Protocols > http-listner-2 > SSL
Then I found here a blacklist and a whitelist of some ciphers that are recommended to use. I tried to remove all in black and put all those in white. But I still have the issue. I think this list may be out of date.
I appreciate any help.
Finally. I found a solution. I search a lot and I could find a solution, so I tried to test one by one of the ciphers. So, to work ( I am not saying that is the right way). I had to do this:
At:
Configurations > server-config > Network Config > Protocols > http-listner-2 > SSL
After that our application can be opened at any browser again. I hope it may help someone.
For admin:
Configurations > server-config > Service HTTP > Listeners HTTP > admin-listner > SSL
Edit: Comparing with the whitelist here the remaining ciphers that would be part of a new whitelist are:
Whitelist