Diffie-Hellman Key error???


ArturoBelano
Hey Guys,

I've been trying to set up activemq to use ssl over websockets with stomp, but I keep getting this error when I check the websocket connection over any browser:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

I assumed that this had to do with the cipher suite and have tried every combination following these guidelines: http://activemq.apache.org/ssl-transport-reference.html

Any ideas??

Re: Diffie-Hellman Key error???

ArturoBelano
Let me expand on this issue a bit

I believe this is related to the cipher suite, but I'm A) not finding or using the right cipher suite or B) configuring it in the wrong area of Apache Activemq. Currently, I've been adjusting the configuration of ssl in transport connector in activemq.xml (http://activemq.apache.org/ssl-transport-reference.html). However, I know that activemq uses a jetty server and I'm wondering if I should be configuring the suite in jetty.xml a la How to config local Jetty ssl to avoid weak phermeral DH key error?. So, my questions are, is this the right approach? If so, what's the correct cipher suite for activemq?

Re: Diffie-Hellman Key error???

christopher.l.shannon
http://activemq.apache.org/websockets.html

Scroll down to the Secure web socket part and you should be able to
configure your Ssl context using those instructions, including specifying
the ciphers you want to use.  I think the available cipher suite depends on
the version of the JDK you are using.

On Tue, Sep 15, 2015 at 2:35 PM, ArturoBelano <[hidden email]>
wrote:

> Let me expand on this issue a bit
>
> I believe this is related to the cipher suite, but I'm A) not finding or using
> the right cipher suite or B) configuring it in the wrong area of Apache
> Activemq. Currently, I've been adjusting the configuration of ssl in
> transport connector in activemq.xml (
> http://activemq.apache.org/ssl-transport-reference.html). However, I know
> that activemq uses a jetty server and I'm wondering if I should be
> configuring the suite in jetty.xml a la How to config local Jetty ssl to
> avoid weak phermeral DH key error?. So, my questions are, is this the right
> approach? If so, what's the correct cipher suite for activemq?

Re: Diffie-Hellman Key error???

ArturoBelano
We're running Java 1.7.0_79. How do you set the cipher suite in sslContext? I haven't really seen that documented anywhere so I've been trying to use the transport connector even though I think that's wrong.

Re: Diffie-Hellman Key error???

jgoodyear
I found this thread:
http://activemq.2283324.n4.nabble.com/How-to-specify-SSL-Ciphers-td2362984.html

Doesn't provide a definitive answer for setting the cipher, but may
get you closer to a solution.

On Tue, Sep 15, 2015 at 7:06 PM, ArturoBelano <[hidden email]> wrote:
> We're running Java 1.7.0_79.  How do you set the cipher suite in sslContext?
> I haven't really seen that documented anywhere so I've been trying to use
> the transport connector even though I think that's wrong.

Re: Diffie-Hellman Key error???

ArturoBelano
Yeah, actually that thread prompted me to post again because it was unresolved and from 2009.

Re: Diffie-Hellman Key error???

ArturoBelano
I'm going to add the suggestions from Chrome in the hopes of reaching someone that might understand this issue:
You have a few options to fix this error on the website server:

Enable ECDHE and disable DHE (preferable)
Use a 1024-bit (or larger) Diffie-Hellman group for the DHE_RSA SSL cipher suites
Disable all DHE SSL cipher suites

The second option seems like the winner, but again there doesn't seem to be a way to configure this in activemq.
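
The first and third options quoted above (prefer ECDHE, disable DHE) expressed at the JSSE level, as an added example that is not part of the original post and not ActiveMQ or Jetty code: it filters a cipher suite list so that no finite-field DHE suite remains and ECDHE suites come first. The class name, method names and sample list are constructed for illustration, and where the resulting list is wired into the broker is not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example, not ActiveMQ or Jetty code. Class and method names are hypothetical.
public class DropDheSuites {

    // Matches TLS_DHE_*, SSL_DHE_* and *_DH_anon_* names. ECDHE/ECDH names do
    // not match because the character before "DH" there is 'C', not '_'.
    static boolean usesFiniteFieldDh(String suite) {
        return suite.contains("_DHE_") || suite.contains("_DH_");
    }

    // Removes finite-field DH suites and moves ECDHE suites to the front,
    // keeping the original relative order inside each group.
    static String[] filter(String[] enabled) {
        List<String> ecdhe = new ArrayList<String>();
        List<String> rest = new ArrayList<String>();
        for (String s : enabled) {
            if (usesFiniteFieldDh(s)) {
                continue;
            }
            (s.contains("_ECDHE_") ? ecdhe : rest).add(s);
        }
        ecdhe.addAll(rest);
        return ecdhe.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, not taken from the poster's broker.
        String[] sample = {
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        };
        for (String s : filter(sample)) {
            System.out.println("keep " + s);
        }

        // The same filter applied to this JVM's default parameters. The result
        // can be handed to SSLEngine.setSSLParameters or
        // SSLServerSocket.setEnabledCipherSuites by whatever builds the listener.
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        p.setCipherSuites(filter(p.getCipherSuites()));
        System.out.println(p.getCipherSuites().length + " suites stay enabled");
    }
}
```

For the constructed sample, the two `_DHE_` suites are dropped and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` is listed ahead of `TLS_RSA_WITH_AES_128_CBC_SHA`.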

Re: Diffie-Hellman Key error???

ArturoBelano
Alright I found a solution:

The problem is related to Java 7; by reading these two guides I was able to correctly configure activemq:
http://activemq.apache.org/apollo/documentation/user-manual.html#Working_Around_Java_7_SSL_Bugs
https://issues.apache.org/jira/browse/AMQ-4520

Re: Diffie-Hellman Key error???

jgoodyear
Awesome!

Cheers,
Jamie

On Wed, Sep 16, 2015 at 7:36 PM, ArturoBelano <[hidden email]> wrote:

> Alright I found a solution:
>
> The problem is related to Java 7; by reading these two guides I was able to
> correctly configure activemq:
> http://activemq.apache.org/apollo/documentation/user-manual.html#Working_Around_Java_7_SSL_Bugs
> https://issues.apache.org/jira/browse/AMQ-4520