
September 02, 2015

VMWare vCenter vSphere Web Client Chrome 45 ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


VMWare vCenter vSphere Web Client + Chrome 45
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
a.k.a. Forward Secrecy

I patched this together rather quickly, but I think it's all here!  Today we had an issue with Chrome 45 failing to connect to a VMware 5.1 vCenter vSphere Web Server (vSphere Web Client).  This is how I fixed it. (It also seems to work in Firefox.)

Create a new self-signed certificate (in Linux):
openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr
#openssl x509 -in rui.cer -out rui.crt
openssl x509 -req -days 1825 -in rui.csr -signkey rui.key -out rui.crt
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
You must use testpassword if you retain the default Tomcat keystorePass setting in the XML mentioned below.

Back up and replace the files in C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl\ with the files just created.  *** My other vCenter did not have this folder; it was C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\ instead. (Upgrade vs. fresh install?)

Edit C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml. The Connector element was:
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
Changed to (RC4 and the DHE suites removed; Chrome 45 rejects a DHE handshake whose server DH key is shorter than 1024 bits, while the ECDHE suites that remain still provide forward secrecy):
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
Restart both the vspherewebclientsvc and vctomcat services. Be patient: it will take a few minutes for the services to be ready to serve the web pages correctly.
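As an added example (not from the post), here is a small Python script that audits a Connector ciphers= value the way the edit above does: it parses the JSSE suite names, flags RC4/3DES and finite-field DHE suites for removal, and checks that at least one ECDHE suite survives so forward secrecy is still offered. The sample input is the post's original cipher list, re-typed here as constructed data.

```python
import re

# JSSE suite names look like TLS_<key exchange>_WITH_<bulk cipher>_<MAC>.
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA\d*|MD5)$")

# Constructed sample input: the ciphers= value from the post's original Connector element.
ORIGINAL_CIPHERS = (
    "SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, "
    "TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA"
)

def parse_ciphers(attr_value):
    """Split a Tomcat ciphers= attribute (comma separated, optional spaces) into suite names."""
    return [s.strip() for s in attr_value.split(",") if s.strip()]

def classify(suite):
    """Describe one JSSE suite: key exchange, bulk cipher, and the properties that matter here."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised suite name: %s" % suite)
    kx, bulk = m.group("kx"), m.group("bulk")
    return {
        "name": suite, "kx": kx, "bulk": bulk,
        # DHE_* negotiates the finite-field DH key Chrome 45 rejects when shorter than
        # 1024 bits; ECDHE_* is the forward-secret exchange that survives the edit.
        "finite_field_dhe": kx.startswith("DHE_"),
        "forward_secret": kx.startswith(("DHE_", "ECDHE_")),
        "weak_bulk": bulk.startswith("RC4") or "3DES" in bulk,
    }

def harden(attr_value):
    """Apply the post's edit: drop RC4/3DES and finite-field DHE suites. Returns the new
    attribute value, the removed suites, and whether any forward-secret suite is left."""
    kept, removed = [], []
    for suite in parse_ciphers(attr_value):
        info = classify(suite)
        (removed if info["weak_bulk"] or info["finite_field_dhe"] else kept).append(suite)
    fs_left = any(classify(s)["forward_secret"] for s in kept)
    return ", ".join(kept), removed, fs_left

if __name__ == "__main__":
    new_value, removed, fs_left = harden(ORIGINAL_CIPHERS)
    print("removed: " + ", ".join(removed))
    print('ciphers="%s"  (forward secrecy via ECDHE: %s)' % (new_value, fs_left))
```

Static DH suites (TLS_DH_RSA_*, TLS_DH_DSS_*) are kept by the edit but are not forward secret, so only the ECDHE entries carry forward secrecy after the change.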


---
As Always, Good Luck! 
Please comment or tip me or use any/all of my affiliate links; Thank YOU!
If I saved your ass, you can thank me with bitcoin.    


August 28, 2015

https SSL cipher remediation for webservers 2015


I don’t know jack! I am NOT a security professional by trade, but please at least be aware that simply installing an SSL certificate on your server does NOT make it secure.

Thanks to Qualys SSL Labs (https://www.ssllabs.com/ssltest/), testing your server for SSL security is dead simple. I recommend that every public site you manage be tested immediately!

Once you know your status, here are some invaluable information resources you will need for remediation:


Setup your [Windows] IIS for SSL Perfect Forward Secrecy and TLS 1.2 : https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Additionally, I had one server that used stunnel (https://www.stunnel.org) on Windows. I found the following were good settings for C:\Program Files (x86)\stunnel\stunnel.conf:
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
(The trailing !RC4 permanently removes the RC4 suites named earlier in the string, so RC4 is not actually offered.)

Again, I am NOT a security expert, so please do not blindly reconfigure your settings without fully understanding what you are doing. I do not think my advice is wrong, but there absolutely might be better settings available.

Here is a good Mozilla resource for Server Side TLS (https://wiki.mozilla.org/Security/Server_Side_TLS), including a link to the Mozilla SSL Configuration Generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/).

As Always, Good Luck!