Forum Discussion

D_Flood's avatar
D_Flood
Level 6
10 years ago

Firefox ver 39 is incompatible with OpsCenter - weak key reported

This morning I let Firefox update itself to version 39 and now it refuses to connect to OpsCenter 7.6.1.2 due to weak ciphers. 

Here's the error:

An error occurred during a connection to <servernameeditedout>. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

IE still worked (with complaints) so I know the webserver is there...

I tried all the rebuild keystore KBs to no effect so I went digging more.

Turns out the fault is in Program Files\Symantec\Opscenter\gui\webserver\conf in the file server.xml

I tried editing the line that specifies what types of encryption can be allowed during the secure connection and just messed it up further since I'm not a security expert...I did get things to complain that there wasn't a compatible level of encryption if I deleted all the references to 128 bit stuff so I think I was on the right track but...

I'm back on the reverted file and I guess I have to open a ticket with Support...

 

Backup and Recovery
Compatibility
Configuring
Error messages
OpsCenter
Windows Server (2003-2008)
  • RoundTower_JGL's avatar
    RoundTower_JGL
    10 years ago

    D,

    Type "about:config" in the FireFox address box.

    Click through the "promise to be careful" warning.

    In the Search box along the top of the config menu, enter "security.ssl3.dhe_rsa_aes_128_sha" and press Enter.

    It should find the entry config. The value will be "true". Double click it to change it to "false" (see attached screen cap).

    Repeat the same process with the "security.ssl3.dhe_rsa_aes_256_sha" key.

    Source: https://bugzilla.mozilla.org/show_bug.cgi?id=587407#c100

5 Replies

Sort By
  • KDob's avatar
    KDob
    Level 3
    9 years ago

    OpsCenter 7.7 is now much more secure!

    No key problem out of the box.  Not sure if the Audit Controls/FIPS Compliance was just NetBackup, or it also extends to OpsCenter.

    I was running 7.6 and could no longer access OpsCenter Web Page once we upgraded our FireFox, but once we upgraded to 7.7, it worked just fine.

    Something about 256 versus 1024, blah, blah, blah.  Not sure, but the upgrade was definitely easier than figuring out all the details.

  • D_Flood's avatar
    D_Flood
    Level 6
    9 years ago

    It still requires the above work-around but OpsCenter 7.7 does (finally) catch up with the Appliance change from http to https main pages...taking that into account that means they're about 1.5 major version numbers behind on all their "features"

     

  • SJ_Hollist's avatar
    SJ_Hollist
    Level 3
    9 years ago

    Perfect!  Now if Symantec/Veritas would just upgrade the security of OpsCenter.

  • D_Flood's avatar
    D_Flood
    Level 6
    10 years ago

    Thanks for the work-around.  I can confirm it works with 2.6.1.2.  In the meantime I still have my ticket open so Symantec can decide which option (upgrade their security, use another browser, or use a workaround that some might not be comfortable with) they want to recomend officially...

     

  • RoundTower_JGL's avatar
    RoundTower_JGL
    Level 3
    10 years ago

    D,

    Type "about:config" in the FireFox address box.

    Click through the "promise to be careful" warning.

    In the Search box along the top of the config menu, enter "security.ssl3.dhe_rsa_aes_128_sha" and press Enter.

    It should find the entry config. The value will be "true". Double click it to change it to "false" (see attached screen cap).

    Repeat the same process with the "security.ssl3.dhe_rsa_aes_256_sha" key.

    Source: https://bugzilla.mozilla.org/show_bug.cgi?id=587407#c100