ssl_error_weak_server_ephemeral_dh_key error is unwanted and intrusive

  • 3 replies
  • 4 have this problem
  • 5 views
  • Last reply by jscher2000 - Support Volunteer

Since downloading Firefox v39, I now get the error "Secure Connection Failed" followed by a spiel about "An error occurred during a connection to p5q3a:6547. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)" which supposedly is to protect me, but the rather arrogant assumption by whoever programmed this glitch in is that I am brain dead and cannot make decisions for myself. In my case, I get this error when trying to connect to my APC UPS Powerchute software to shut it all down when I am finished using my home computer. It's not some dodgy website, it's not even outside my home, and it's an address that is 100% safe for me! At the very least if this sort of block is to be added, at least give the user the ability to provide exclusions for intranets and other local devices that use a web interface such as my UPS. It is sad that if I want to shut down all of my gear from the web interface that I have to resort to firing up clunky old Internet Exploder because unlike the latest variants of Firefox, it still works with my UPS. If you are going to leave this annoyance in, at least give me, the user, the choice to override it rather than some boffin decide what I should have. This bug seems to fly in the face of everything Mozilla has claimed to represent.

All replies (3)

It feels good to vent, but the support volunteers reading your post are not the developers, and we often respond better to the simple question about how to make it work...

This error message indicates that the device is trying to use an obsolete encryption cipher which is vulnerable to the "Logjam" attack that was in the news earlier this year.

What does that mean?

Even though you trust the device, a "Logjam" attack compromises the security of your individual connection to the server, lowering the protection normally provided by SSL to a level that is easily cracked and read by others on the network. That is why Firefox protects you from making this connection.

Now... with an internal device, this may not seem like much of a concern but if your network does have an intruder, this attack would allow them to read your login for the device, which could lead to other problems.

Admittedly, it's a special case because an attack on a UPS seems pretty unlikely. APC says they are looking into it: http://forums.apc.com/spaces/7/ups-management-devices-powerchute-software/forums/general/11097/ssl-support-in-powerchute-agent#52418

What can you do now?

The very best solution is to update the device. However, if that is not an option, you can try disabling these old ciphers in your Firefox, which hopefully will force the device to try some more secure ciphers when connecting with you. (This also addresses the issue with most websites.) Here's how:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste dhe and pause while the list is filtered.

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (disable Firefox from using this cipher)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (disable Firefox from using this cipher)

Then try the device again; you might have to reload the page using Ctrl+Shift+r to bypass cached information.

Success?

That was not me venting - if I was to vent it'd probably get censored! Your answer is appreciated but it's a workaround addressing the symptom not fixing the cause. Everyday users should not have to be poking around in the about:config part of things to protect them from themselves. Stuff posted in here finds its way back to developers especially if other end users find themselves in the same boat. I used to be able to log into Mozilla Bugzilla but that just sent me around in circles telling me I need to use a different browser - it seemed to not be able to recognize Firefox 39.0.3 (spot the irony there), so I gave this avenue a go. If one was to apply the changes you propose, as I have seen others suggest too, it means ALL sites / addresses that may be subject to this issue will be exempt which is not a wise idea, I only want my UPS to be immune from such isolation. Another punter in here has the same problem with an intranet server so they'd be looking for the same solution as me. In my submission it refers to "p5q3a:6547" which is port 6547 on p5q3a which is the model of my Asus motherboard! It's refusing to let me connect to my own local webserver on the very same machine running the Firefox that is blocking it, and I had the UPS before version 39 of Firefox. That said, thanks for your prompt response.

AussieSteve said

Everyday users should not have to be poking around in the about:config part of things to protect them from themselves.

Agreed. I think the workaround should be implemented as the default.

If one was to apply the changes you propose, as I have seen others suggest too, it means ALL sites / addresses that may be subject to this issue will be exempt which is not a wise idea, I only want my UPS to be immune from such isolation.

Do you think I would suggest lowering your security without warning you? Absolutely not. The workaround is not an exemption: it actually makes you safer by disabling those weak ciphers for all purposes. You can do a before and after test on https://weakdh.org/ to confirm that you are not exposing yourself to Logjam with the change.
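
To see what a device like the one in this thread offers during the handshake, the following added example (not part of any post above, and not Mozilla or APC code) classifies the `Server Temp Key` line that `openssl s_client` prints. The 2048-bit floor, the function names and the sample excerpts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the key exchange reported by `openssl s_client`.
# Assumption: the 2048-bit floor is a chosen policy value, not from the thread.
MIN_DH_BITS=${MIN_DH_BITS:-2048}

# classify_kex: read s_client output on stdin, print a one-line verdict.
# A "Peer Temp Key" label is also accepted in case a build uses that wording.
classify_kex() {
    awk -v min="$MIN_DH_BITS" '
        /dh key too small/ { rejected = 1 }   # local OpenSSL refused the key
        /(Server|Peer) Temp Key:/ {
            sub(/^.*Temp Key: */, "")
            n = split($0, f, ", *")
            kind = f[1]; bits = f[n]; sub(/ bits.*$/, "", bits)
            seen = 1
        }
        END {
            if (rejected)             print "WEAK_DHE rejected-by-openssl"
            else if (!seen)           print "NO_EPHEMERAL_KEY"
            else if (kind != "DH")    print "NOT_DHE " kind
            else if (bits + 0 < min)  print "WEAK_DHE " bits
            else                      print "OK_DHE " bits
        }'
}

# probe HOST:PORT [CIPHERS]: live check of your own device (needs network,
# so it is defined here but not called). kEDH offers only ephemeral-DH suites.
probe() {
    openssl s_client -connect "$1" -cipher "${2:-kEDH}" </dev/null 2>&1 |
        classify_kex
}

# Constructed, abbreviated s_client excerpts (not captured from a real device).
SAMPLE_WEAK='CONNECTED(00000003)
Server Temp Key: DH, 512 bits'
SAMPLE_ECDHE='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_REJECT='CONNECTED(00000003)
error:...:SSL routines:...:dh key too small'

for s in "$SAMPLE_WEAK" "$SAMPLE_ECDHE" "$SAMPLE_REJECT"; do
    printf '%s\n' "$s" | classify_kex
done
```

Running `probe host:port` with the default cipher list shows the DH size the server picks; running it again with a list that excludes DHE shows whether the server can fall back to another suite once the Firefox preferences above are set to false.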