Secure Connection Failed
I have a number of HP iLO connections within my corporate network which I use FF to access so that I can control my servers. These are all HTTPS connections and firmware-based and since the servers are now around 5 years old, HP no longer is releasing updates for the iLO.
For most of the iLO connections I'm getting the following error in FF:
Secure Connection Failed
An error occurred during a connection to bkp4.systems.aims.my. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
I then have to open up IE to get to the site to do my work and this is very frustrating that I cannot bypass this bug.
I also have supplier portals which we use for our backups and other stuff and I get the same error there and have to use IE to get into those sites.
Is there a fix to this problem or do I have to ditch FF for IE just to get my daily work done??
Soluzione scelta
I found the solution, at least for me. I deleted the file "cert8.db" in the profile folder and it seems to have fixed the issue.
Previous suggestions were really helpful for me to understand certs and stuff so thanks for those links.
Leggere questa risposta nel contesto 👍 0Tutte le risposte (5)
You can inspect these prefs on the about:config page about cipher suites that are involved with the Logjam vulnerability.
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
Note that setting these prefs to true will make you vulnerable, so proceed with caution.
The DHE cipher suites were disabled for a reason and re-enabling them will make you vulnerable for the Logjam attack. You can consider to use a separate profile with the two involved cipher suites enabled and use that profile for accessing blocked websites.
Set those two preferences listed by cor-el to false to try to force the device to upgrade to different ciphers. Since you don't want Firefox to use them, it's okay to leave them false even if it doesn't help with this particular connection.
Also, it appears there were some firmware updates released for iLO this past week: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04949778
I tried those Config options and they allowed me to access one of my supplier sites now, but the iLO access is still denied. I'm getting this error:
"Secure Connection Failed
An error occurred during a connection to 10.125.106.48. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial) "
The iLO updates did not do anything to my test server.
JDMils said
Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)"
I suspect you previously saved an "exception" which matches the current certificate, otherwise Firefox probably wouldn't detect this one as a duplicate. Check out this article for more information and a possible workaround: Certificate contains the same serial number as another certificate.
Soluzione scelta
I found the solution, at least for me. I deleted the file "cert8.db" in the profile folder and it seems to have fixed the issue.
Previous suggestions were really helpful for me to understand certs and stuff so thanks for those links.