
September 02, 2015

VMware vCenter vSphere Web Client Chrome 45 ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


VMware vCenter vSphere Web Client + Chrome 45
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
(the DHE, i.e. forward-secrecy, cipher suites)

Background: Chrome 45 refuses a DHE handshake when the server's ephemeral Diffie-Hellman key is shorter than 1024 bits (its response to the Logjam attack). The older JVM behind the vSphere Web Client's Tomcat generates 768-bit ephemeral DH keys (the JSSE default before Java 8), so any connection that negotiates a DHE suite fails with this error. The size of the RSA key in the server certificate has no bearing on it; what fixes the error is the cipher-list change below, which stops offering DHE suites while keeping the ECDHE suites, which also give forward secrecy and are not affected.

I patched this together rather quickly, but I think it's all here!  Today we had an issue with Chrome 45 failing to connect to the VMware 5.1 vCenter vSphere Web Server (vSphere Web Client).  This is how I fixed it. (It also seems to work in Firefox.)

Create a new self-signed certificate (on Linux):
openssl genrsa 2048 > rui.key                                            # 2048-bit RSA private key
openssl req -new -key rui.key > rui.csr                                  # CSR; at the prompts use the vCenter host name as the CN
#openssl x509 -in rui.cer -out rui.crt                                   # commented out: only converts an existing PEM .cer, not needed here
openssl x509 -req -days 1825 -in rui.csr -signkey rui.key -out rui.crt   # self-sign the CSR, valid 5 years
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx   # PKCS#12 bundle that Tomcat loads
You must use testpassword if you keep the default Tomcat keystorePass setting in the XML mentioned below; that password is stored in plaintext in the file, so whatever you put there is what the .pfx must be exported with. If you run these commands on OpenSSL 3.x, add -legacy to the pkcs12 command: its new default PKCS#12 encryption (AES-256-CBC with PBKDF2) cannot be read by the older Java versions vCenter 5.1 ships with, and Tomcat will fail to open the keystore.

Back up and replace the files in C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl\ with the files just created.  *** My other vCenter did not have this folder. It was C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\ instead (upgrade vs. fresh install?). Note that the Tomcat connector edited below loads its keystore from the path in its keystoreFile attribute (C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx), so check that this location holds the new rui.pfx as well.

Edit C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
was
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
changed to (removed RC4 and every DHE suite; the ECDHE suites stay, so clients that support them still get forward secrecy. The TLS_DH_RSA/TLS_DH_DSS suites that remain require a certificate carrying a static DH key and can never be selected with this RSA certificate, so they could be dropped too; the TLS_RSA suites that remain work but offer no forward secrecy.)
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
Restart both the vspherewebclientsvc and vctomcat services. Be patient; it takes a few minutes for the services to be ready to serve the web pages correctly.
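The cipher-list edit above, done mechanically, plus a post-fix check, as an added example that is not part of the original post. It is POSIX sh with awk, since the edit and the check are easiest to script from an admin workstation (on the Windows host itself you would still edit the file by hand). It assumes the post's own Connector line as a constructed sample, a hypothetical host name vcenter.example.internal for the network check, and that openssl is on the PATH; the network check is only defined, not run.

```shell
#!/bin/sh
# Added example (not from the original post). Strips RC4 and DHE suites from the
# ciphers="..." attribute of a Tomcat <Connector>, the edit made by hand above, and
# offers an openssl s_client check to confirm the server no longer negotiates DHE.

# Drop every suite whose name contains _RC4_ or _DHE_. ECDHE_ does not match _DHE_
# (the character before DHE is C, not _), so the forward-secret ECDHE suites survive,
# as do the TLS_DH_* and TLS_RSA_* suites the post kept. Reads stdin, writes stdout.
strip_weak_ciphers() {
  awk '
    function filter(list,    n, parts, i, out) {
      n = split(list, parts, /, */)
      for (i = 1; i <= n; i++) {
        if (parts[i] ~ /_RC4_|_DHE_/) continue
        out = out (out == "" ? "" : ", ") parts[i]
      }
      return out
    }
    {
      if (match($0, /ciphers="[^"]*"/)) {
        pre  = substr($0, 1, RSTART - 1)
        val  = substr($0, RSTART + 9, RLENGTH - 10)   # the text between the quotes
        post = substr($0, RSTART + RLENGTH)
        $0 = pre "ciphers=\"" filter(val) "\"" post
      }
      print
    }'
}

# Convenience wrapper: filter a bare comma-separated JSSE cipher list.
filter_ciphers() {
  printf 'ciphers="%s"\n' "$1" | strip_weak_ciphers | sed 's/^ciphers="//; s/"$//'
}

# Rewrite a tomcat-server.xml in place, keeping a .bak copy of the original.
# Usage: rewrite_tomcat_server_xml /path/to/tomcat-server.xml
rewrite_tomcat_server_xml() {
  cp "$1" "$1.bak" &&
  strip_weak_ciphers < "$1.bak" > "$1"
}

# Post-fix check (needs network access, so it is not run here). Offers the server
# only authenticated ephemeral-DH suites (OpenSSL cipher alias EDH); a fixed server
# must refuse the handshake. Returns 0 when DHE is refused, 1 when still accepted.
# On OpenSSL 1.1.1 or later add -no_tls1_3 so that -cipher really constrains the handshake.
# Example (hypothetical host): dhe_is_refused vcenter.example.internal 9443
dhe_is_refused() {
  host=$1; port=${2:-9443}
  if printf '' | openssl s_client -connect "$host:$port" -cipher 'EDH' >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Constructed sample: the "was" Connector line from the post, as it sits in tomcat-server.xml.
SAMPLE_CONNECTOR='<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>'

# Print the rewritten Connector line; it should match the "changed to" line above.
printf '%s\n' "$SAMPLE_CONNECTOR" | strip_weak_ciphers
```

The regex-based filter deliberately keys on the suite name rather than a hand-maintained list, so it also catches DHE suites (for example GCM variants) that a newer JVM may enable; after rewriting, run the DHE check against the host and, separately, confirm a normal browser connection still works over an ECDHE suite.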


---
As Always, Good Luck! 