Wednesday, September 2, 2015

VMWare vCenter vSphere Web Client Chrome 45 ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


VMWare vCenter vSphere Web Client + Chrome 45
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
a.k.a Forward Secrecy

I patched this together rather quickly, but i think it's all here!  Today we had issue with Chrome 45 failing to connect to VMWare 5.1 vCenter vSphere Web Server (vSphere Web Client).  This is how I fixed it. (Also seems to work in Firefox.)

create new self-signed certificate (in linux):
openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr
#openssl x509 -in rui.cer -out rui.crt
openssl x509 -req -days 1825 -in rui.csr -signkey rui.key -out rui.crt
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
you must use testpassword if you retain the default tomcat keystorePass setting in the xml mentioned below.

backup and replace files in C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl\ with the files just created.  *** my other vCenter did not have this folder. It was C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\ instead. (upgrade vs. fresh install?)

edit C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
was
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
changed to (removed RC4 and DHE-only ciphers)
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
restart both vspherewebclientsvc and vctomcat services. Be patient, it will take a few minutes for the services to be ready to serve the web-pages correctly.


---
As Always, Good Luck! If I saved your ass, you can thank me with bitcoin.    


No comments:

Post a Comment

Comments, Suggestions or "Thank you's" Invited!