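Ephemeral Diffie-Hellman public key error with WebLogic
I am using WebLogic 10.3.6 and have configured one admin server and 4 managed servers. On one of the managed servers, listening on SSL port 7299, SSL is enabled using a certificate with a key size of 2048. When I try to access the application deployed on the SSL-enabled managed server using Internet Explorer 9, I am able to open the home page of the application on the SSL port, but as soon as I press any button on the application's GUI, it logs me out.
If I access the same application on the SSL port using Firefox 38.3.0, it shows the following error in the browser:
"Server has a weak ephemeral Diffie-Hellman public key" or ERR_SSL_WEAK_EPHEMERAL_DH_KEY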
If you see this error, it means that a secure connection can't be established because of outdated security code on the website. Chrome protects your privacy by preventing you from connecting to these sites. You won't be able to visit this page using Chrome.
If you're a website administrator, we recommend you update your server to support ECDHE and disable DHE. If ECDHE is unavailable, you can instead disable all DHE cipher suites and rely on plain RSA.
Later I got some options that weaken the Mozilla Firefox security, as below.
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
But after setting these variables to false in Firefox, my application's navigation is fine and works well.
I would add that when the HTTPS logs were captured using Fiddler, I got to know the below:
Client side ciphers available
Ciphers:
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C007] TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[C011] TLS_ECDHE_RSA_WITH_RC4_128_SHA
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5
And below are the server-side ciphers.
Server-side ciphers available
<DynamicJSSEListenThread[DefaultSecure] 28 cipher suites enabled:>
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
There was one solution available on Google: to replace the localPolicy.jar and US_export_Policy.jar in the JDK with the unlimited encryption version. Although I tried the same, the same error still persists.
Could you please suggest any fix on the WebLogic 10.3.6 server for the same issue, or any setting in IE 9?
I got the following solutions in the above post.
•Deploy ECDHE Cipher Suites
•Disable Export Cipher Suites
I am not sure how to do this in WebLogic; can you please suggest?
Early response is highly appreciated.
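An added example, not part of the original post: a Python audit of the 28 suites from the server log quoted in the question, checked against the quoted advice (disable DHE and export suites, rely on ECDHE or plain RSA). Flagging RC4, DES, 3DES and MD5 as weak is this example's own assumption, and the function names are hypothetical.

```python
import re

# The 28 entries from the DynamicJSSEListenThread log output quoted in the question.
SERVER_SUITES = """
SSL_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
""".split()

# Substring -> reason. Export comes from the quoted advice; the rest is this example's policy.
WEAK_MARKERS = [("_EXPORT_", "export-grade"), ("RC4", "RC4"), ("_DES_CBC", "single DES"),
                ("3DES", "3DES"), ("MD5", "MD5 MAC")]

def audit(suites):
    """Map each distinct suite (SSL_/TLS_ aliases merged) to its list of weaknesses."""
    report = {}
    for name in suites:
        m = re.fullmatch(r"(?:SSL|TLS)_(.+?)_WITH_(.+)", name)
        if not m:          # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signal, not a cipher
            continue
        canonical = "TLS_" + name.split("_", 1)[1]
        reasons = [why for marker, why in WEAK_MARKERS if marker in canonical]
        if m.group(1).startswith("DHE"):   # the key exchange the browser error refers to
            reasons.insert(0, "DHE key exchange")
        report[canonical] = reasons
    return report

def keep_list(suites):
    """Suites left after applying the advice: no DHE, no export, no flagged cipher/MAC."""
    return sorted(s for s, why in audit(suites).items() if not why)

def has_ecdhe(suites):
    return any(s.split("_", 2)[1] == "ECDHE" for s in suites)

if __name__ == "__main__":
    for suite, why in audit(SERVER_SUITES).items():
        print(f"{'DROP' if why else 'KEEP'}  {suite}  {', '.join(why)}")
    print("ECDHE offered by server:", has_ecdhe(SERVER_SUITES))
    print("Remaining:", keep_list(SERVER_SUITES))
```

For the list in the question, the audit keeps only TLS_RSA_WITH_AES_128_CBC_SHA and finds no ECDHE suite enabled on the server.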
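Hi Ameeks, after upgrading to JDK 8 with WebLogic 10.3.6, the ephemeral Diffie-Hellman public key error is resolved in Google Chrome and Firefox as well. Thanks for that. But in the IE versions below, 8.0.7601.17514, 9.0.8112, 9.0.8112, 11.0.9600, this fix does not work and the application still logs out. I tried changing the SSL version to TLS 1.0, TLS 1.1 and TLS 1.2 in the Internet Explorer Settings ---> Advanced -> Security section. Could you please suggest any fix or setting in IE that I might be missing? – Chandra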