I successfully set up two Ubuntu machines with Tomcat and SSL certificates. I followed exactly the same procedure with CentOS 6, but I'm getting this when I'm trying to connect to the server (using Opera):
Server has a weak, ephemeral Diffie-Hellman public key
The connector is the following, and there are no errors in catalina.log:
    <Connector port="some port number"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path to jks"
               keystoreType="JKS"
               keystorePass="mypass1"
               keyPass="mypass2" />
With Firefox, I get the untrusted communication error.
For me it worked after adding a list of allowed ciphers to the Tomcat configuration in conf/server.xml to disable the weak Diffie-Hellman ciphers:
    <Connector
        ...
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        ...
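
As an added example (not part of the original question or answer), this Python check reads a server.xml and reports TLS connectors that either have no ciphers attribute, like the connector in the question, or whose list still names finite-field DHE suites. The sample XML, its ports and paths, and the function names are constructed for illustration, and the check assumes JSSE-style suite names as used in the answer.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one connector without a ciphers attribute (as in the
# question), one with an explicit list that still allows a DHE suite, and a
# plain HTTP connector. Ports and the keystore path are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/example.jks" keystoreType="JKS"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Assumption: JSSE suite names. ECDHE suites do not match these prefixes.
DH_PREFIXES = ("TLS_DHE_", "SSL_DHE_", "TLS_DH_ANON_", "SSL_DH_ANON_")


def is_finite_field_dhe(suite):
    """True when the suite's key exchange is ephemeral finite-field DH."""
    return suite.upper().startswith(DH_PREFIXES)


def audit_connectors(server_xml):
    """Return (port, status, offending_suites) for every TLS connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector
        port = conn.get("port")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No explicit list: the connector uses whatever the JVM enables.
            findings.append((port, "no-cipher-list", []))
            continue
        suites = [s.strip() for s in ciphers.split(",") if s.strip()]
        dhe = [s for s in suites if is_finite_field_dhe(s)]
        findings.append((port, "dhe-allowed" if dhe else "ok", dhe))
    return findings


if __name__ == "__main__":
    for port, status, suites in audit_connectors(SAMPLE_SERVER_XML):
        print(port, status, ", ".join(suites))
```

A connector reported as `no-cipher-list` or `dhe-allowed` is the one to fix with an explicit `ciphers` list such as the one in the answer.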