Firefox ver 39 is incompatible with OpsCenter - weak key reported

This morning I let Firefox update itself to version 39 and now it refuses to connect to OpsCenter 7.6.1.2 due to weak ciphers. 

Here's the error:

An error occurred during a connection to <servernameeditedout>. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

IE still worked (with complaints) so I know the webserver is there...

I tried all the rebuild keystore KBs to no effect so I went digging more.

Turns out the fault is in Program Files\Symantec\Opscenter\gui\webserver\conf in the file server.xml

I tried editing the line that specifies what types of encryption can be allowed during the secure connection and just messed it up further since I'm not a security expert...I did get things to complain that there wasn't a compatible level of encryption if I deleted all the references to 128 bit stuff so I think I was on the right track but...

I'm back on the reverted file and I guess I have to open a ticket with Support...

 

Accepted Solution!

D,

Type "about:config" in the Firefox address box.

Click through the "promise to be careful" warning.

In the Search box along the top of the config menu, enter "security.ssl3.dhe_rsa_aes_128_sha" and press Enter.

It should find the entry config. The value will be "true". Double click it to change it to "false" (see attached screen cap).

Repeat the same process with the "security.ssl3.dhe_rsa_aes_256_sha" key.

Source: https://bugzilla.mozilla.org/show_bug.cgi?id=587407#c100
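
To confirm that the server's DHE parameters are what Firefox is rejecting, and to re-check after an OpsCenter upgrade, the following sketch classifies the temp-key line of `openssl s_client` output. It is an added example, not part of the original post or any Symantec tooling; the function names, the threshold argument and the sample text (including its 768-bit value) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the ephemeral key a TLS server
# offered, read from `openssl s_client` output on stdin.

# Print "<type> <bits>" from the "... Temp Key:" line, e.g. "DH 768" or "ECDH 256".
temp_key() {
  sed -n 's/^[A-Za-z]* Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits.*$/\1 \2/p' | head -n 1
}

# usage: classify <min_bits> < s_client_output
# min_bits is the caller's policy threshold (an assumption, not a value from the thread).
classify() (
  min="$1"
  line="$(temp_key)"
  if [ -z "$line" ]; then
    # Handshake failed, or a static-RSA suite was negotiated: no ephemeral key line.
    echo "no-ephemeral-key"
    exit 0
  fi
  kind="${line%% *}"
  bits="${line##* }"
  if [ "$kind" != "DH" ]; then
    echo "not-dhe $kind $bits"      # ECDHE/X25519: sizes are not comparable to DH
  elif [ "$bits" -lt "$min" ]; then
    echo "weak-dh $bits"
  else
    echo "ok-dh $bits"
  fi
)

# Live probe (needs network and the openssl CLI): offer only DHE suites.
# usage: probe <host> <port> <min_bits>
probe() {
  openssl s_client -connect "$1:$2" -cipher 'DHE' </dev/null 2>/dev/null | classify "$3"
}

# Constructed excerpt of s_client output; the 768-bit size is made up for the demo.
SAMPLE='---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---'

printf '%s\n' "$SAMPLE" | classify 1024
```

A `weak-dh` result means the fix belongs on the server side (the cipher list or DH parameters in `server.xml`, or a product upgrade); the about:config change only stops the browser from negotiating DHE suites.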

5 Replies

Thanks for the work-around.  I can confirm it works with 2.6.1.2.  In the meantime I still have my ticket open so Symantec can decide which option (upgrade their security, use another browser, or use a workaround that some might not be comfortable with) they want to recommend officially...

 

Perfect!  Now if Symantec/Veritas would just upgrade the security of OpsCenter.

It still requires the above work-around but OpsCenter 7.7 does (finally) catch up with the Appliance change from http to https main pages...taking that into account that means they're about 1.5 major version numbers behind on all their "features"

 

OpsCenter 7.7 is now much more secure!

No key problem out of the box.  Not sure if the Audit Controls/FIPS Compliance was just NetBackup, or it also extends to OpsCenter.

I was running 7.6 and could no longer access OpsCenter Web Page once we upgraded our FireFox, but once we upgraded to 7.7, it worked just fine.

Something about 256 versus 1024, blah, blah, blah.  Not sure, but the upgrade was definitely easier than figuring out all the details.