Workaround Firefox Blocking Weak DHE Cipher Suites

Share This:


If you have Firefox version 39 or newer, then you may have run into the error message below:

“SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.”

As a security measure, Firefox started blocking specific weak cipher suites, especially if they’re prone to known vulnerabilities. Unfortunately, if you’re an IT admin, there are some Cisco products and other apps that still use these vulnerable cipher suites. You can use the workaround below to re-gain access to these sites, but I wouldn’t recommend leaving them enabled because it’ll leave you vulnerable to a LogJam attack.

The better permanent solution is to contact the company that developed the web application you’re trying to access and suggest they release an update to use better cipher suites. Also, always check for an update if it is software you’re hosting locally.

What is a Logjam attack?

Logjam attack against the TLS protocol. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.

The Workaround

1) In FireFox, enter “about:config” in the URL field and press enter.
2) Accept the “This might void your warranty!” warning.
3) In the search field at the top, enter “security.ssl3.dhe_rsa_aes“.
4) Double click each result (128 and 256) to toggle the Value to “false”.
5) Restart Firefox and reload the website.

Share This:


One Response

  1. Matthew October 31, 2016

Leave a Reply