Diffie-Hellman public key error with Tomcat 7

Bob picture Bob · Jun 19, 2015 · Viewed 33.3k times · Source

I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with Centos 6, but I'm getting this when I'm trying to connect to the Server (using Opera):

Server has a weak, ephemeral Diffie-Hellman public key

The connector is the following, and there are no errors in catalina.log:

<Connector port="some port number"  
           protocol="org.apache.coyote.http11.Http11Protocol" 
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="path to jks"
           keystoreType="JKS"
           keystorePass="mypass1"
           keyPass="mypass2"  /> 

With Firefox, I get the untrusted communication error.

Answer

centic picture centic · Jun 25, 2015

For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:

    <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...