Chrome error https connection on web console: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


Giorgio Catena

Sep 9, 2015, 11:14:44 AM
to NxFilter
Hi,
With the latest version of Chrome, when trying to connect to the admin console I get this error back: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY.
On Firefox I was able to find the setting and disable the check, but not on Chrome.
It should be possible to specify the ciphers in the Tomcat config file (server side) by modifying server.xml, but where can I put those settings in NxFilter?
Regards

Jinhee

Sep 9, 2015, 9:01:43 PM
to NxFilter
Hi Giorgio,

Do you use your own SSL certificate or the default one? I don't see that error on my Chrome, though I get the other kind of warning saying it's not safe.

Jinhee

Giorgio Catena

Sep 11, 2015, 7:39:38 AM
to NxFilter
Hi Jinhee, the default one.

Jinhee

Sep 11, 2015, 9:55:48 PM
to NxFilter
I tried 3 Chrome installations including a new install and one on my smartphone. I don't get that error. I only get this one,
  NET::ERR_CERT_AUTHORITY_INVALID

And I can bypass it. Send me your '/conf' directory. Or overwrite it from the newest version. You might be using a different key file.

Victor Fisher

Sep 12, 2015, 7:20:05 AM
to NxFilter
Please excuse me for chiming in on this one, but we've been dealing with exactly this for a year. This has to do with the fact that the SHA-1 hashing algorithm is no longer allowed in Chrome. If your certificate was created with this, any of the newest browsers will complain about it. Especially with Chrome, there is NO setting to disable it. You must use a certificate with a SHA-256 hash in order to avoid the error.

Starting with Chrome 39, you will get the error message no matter what you do. Here is one blog about it, but just Google "Chrome sha256" or "sunset sha-1" or the like. There is plenty of information on it.


Jinhee

Sep 12, 2015, 7:46:47 AM
to NxFilter
You're welcome to this thread. But I don't get 'ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY' with my Chrome. My Chrome is updated to the newest version and I even installed a fresh NxFilter. I changed nothing and just set it to use SSL. There must be something different between us.

Victor Fisher

Sep 13, 2015, 8:19:34 AM
to NxFilter
It has to do with the certificate itself. If the hash algorithm used when CREATING the certificate is SHA-1, Chrome will complain.
Look at the properties of the certificate. I don't have Chrome on this PC, but I've attached screenshots of what the certificates look like from Firefox's point of view, between SHA-1 and SHA-256 (also called SHA-2).


sha1-example.png
sha256-example.png

Jinhee

Sep 13, 2015, 12:17:43 PM
to NxFilter
I still don't know what the difference is between yours and mine. But when I tried to get some info on my certificate, it's SHA-256. See the attached file. Am I missing something?
ssl.png

Giorgio Catena

Sep 14, 2015, 2:56:25 AM
to NxFilter
It would be true if the failure had started to be displayed since Chrome 39, but that's not the case. Only since the last upgrade have I received the failure.
Regards

Jinhee

Sep 14, 2015, 5:26:54 AM
to NxFilter
My Chrome version is '45.0.2454.85' which is the newest.

Giorgio Catena

Sep 15, 2015, 11:59:00 AM
to NxFilter
Mine is Version 45.0.2454.85 m and I confirm that this behaviour covers all the PCs I tested.
Is there any way to add a trusted wildcard pfx certificate to the store?

Jinhee

Sep 15, 2015, 8:20:11 PM
to NxFilter
I don't remember that I did something with SSL certificate and Chrome. But actually I think I saw that error before. Maybe several months ago. But I don't see it anymore. Send me your /conf directory to my email address. I want to see if we use the same keystore file.

Jinhee

Sep 16, 2015, 6:20:53 AM
to NxFilter
Whatever I do I don't get that error. I only get NET::ERR_CERT_AUTHORITY_INVALID. I can bypass it. I even tried to use v2.4.5 of NxFilter and tried Chrome on my Chromebook and Macbook. All I had was the same result. Maybe we don't have that problem with the Korean version of the browser.

I will try to get you a special version next week. As we don't have a separate server.xml and we use an embedded Tomcat, I need to compile it. But I can't test it, so you'd need to test it. That means it's not so easy.

Jinhee

Sep 22, 2015, 4:16:20 AM
to NxFilter
I tried to install an English version Windows and English version browsers but still I don't get the problem. So we go with that cipher setting anyway. I added this one to the embedded Tomcat we are using.

  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

Test it and tell me your Java version. I need to confirm it's working with Java 1.7 and Java 1.8. Mine is Java 1.8.
nxd.jar
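For anyone hitting this later: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY is Chrome's reaction (a hard failure since Chrome 45) to a server negotiating a DHE cipher suite with a Diffie-Hellman group smaller than 1024 bits; it is about the key exchange, not the certificate's hash. Java 7's JSSE generated 768-bit ephemeral DH parameters by default, which is the usual reason an embedded-Tomcat console trips it, and the cipher list above avoids it simply because it contains no TLS_DHE_* suite. The script below is an added example, not NxFilter or Tomcat code: it sends a TLS 1.2 ClientHello offering only DHE suites, collects the server's handshake, reads the DH prime out of ServerKeyExchange and reports what Chrome would decide. The host name and port used as targets, and the ServerKeyExchange built for the offline check, are constructed.

```python
"""Probe a TLS server for the condition behind Chrome's ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY:
a DHE group under 1024 bits. Added example for this thread, not NxFilter or Tomcat code."""
import os
import socket
import struct

CHROME_MIN_DH_BITS = 1024  # Chrome 45 refuses DHE groups smaller than this

# TLS_DHE_RSA_* suites (IANA numbers). Offering only these makes a DHE-capable
# server reveal its parameters in ServerKeyExchange, or send an alert if it has none.
DHE_SUITES = [0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F]

# The connector cipher list posted in this thread: it contains no TLS_DHE_* suite.
THREAD_CIPHERS = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
                  "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
                  "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA")


def _u16(n):
    return struct.pack("!H", n)


def has_dhe_suite(cipher_attr):
    """True if a Tomcat-style ciphers attribute still offers any DHE suite."""
    return any(s.strip().startswith("TLS_DHE_") for s in cipher_attr.split(","))


def build_client_hello(suites, server_name):
    """Minimal TLS 1.2 ClientHello with SNI and signature_algorithms, no resumption."""
    name = server_name.encode()
    sni = _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name
    sig_algs = b"\x04\x01\x05\x01\x02\x01"  # rsa/sha256, rsa/sha384, rsa/sha1
    exts = (_u16(0x0000) + _u16(len(sni)) + sni
            + _u16(0x000D) + _u16(len(sig_algs) + 2) + _u16(len(sig_algs)) + sig_algs)
    suite_bytes = b"".join(_u16(s) for s in suites)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + _u16(len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                            # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_handshake_messages(stream):
    """Yield (msg_type, body) from concatenated handshake-record payloads."""
    i = 0
    while i + 4 <= len(stream):
        msg_type, length = stream[i], int.from_bytes(stream[i + 1:i + 4], "big")
        body = stream[i + 4:i + 4 + length]
        if len(body) < length:
            break  # message not fully received yet
        yield msg_type, body
        i += 4 + length


def dh_prime_bits(stream):
    """Bit length of dh_p from a DHE ServerKeyExchange (type 12), or None if absent.
    Only meaningful when the ClientHello offered DHE suites alone (ECDHE uses another layout)."""
    for msg_type, body in parse_handshake_messages(stream):
        if msg_type == 12:
            p_len = int.from_bytes(body[:2], "big")
            return int.from_bytes(body[2:2 + p_len], "big").bit_length()
    return None


def chrome_verdict(bits):
    if bits is None:
        return "no-dhe"  # server refused every DHE suite, so Chrome can never hit this error
    return "weak" if bits < CHROME_MIN_DH_BITS else "ok"


def _recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)  # blocks until n bytes, EOF or timeout
    return buf if len(buf) == n else None


def probe(host, port, timeout=5.0):
    """Live check: the server's DH prime size in bits, or None if it declined DHE."""
    hs = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(DHE_SUITES, host))
        while True:
            hdr = _recv_exact(sock, 5)
            if hdr is None or hdr[0] == 0x15:  # EOF or alert (e.g. handshake_failure)
                break
            payload = _recv_exact(sock, int.from_bytes(hdr[3:5], "big"))
            if payload is None:
                break
            if hdr[0] == 0x16:
                hs += payload
                if any(t == 14 for t, _ in parse_handshake_messages(hs)):  # ServerHelloDone
                    break
    return dh_prime_bits(hs)


def make_server_key_exchange(p_bits):
    """Constructed DHE ServerKeyExchange (params only, no signature) for offline checks."""
    p = (1 << (p_bits - 1)) | 1  # an odd p_bits-bit integer; only its length matters here
    p_bytes = p.to_bytes(p_bits // 8, "big")
    ys = b"\x01" * (p_bits // 8)
    body = _u16(len(p_bytes)) + p_bytes + _u16(1) + b"\x02" + _u16(len(ys)) + ys
    return b"\x0c" + len(body).to_bytes(3, "big") + body
```

To check a console, call `chrome_verdict(probe(host, port))` against its HTTPS address (hypothetical here; the thread does not give one): "weak" reproduces what Chrome 45 refuses, "ok" means a 1024-bit or larger group, and "no-dhe" is what you get after installing the nxd.jar above, since the server then has no DHE suite left to pick. Dropping DHE is a workaround; raising the DH group size on the JVM is the other way out, but that depends on the Java version the thread is still asking about.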

Giorgio Catena

Sep 22, 2015, 5:48:08 AM
to NxFilter
OK thanks, I'll try it as soon as I can. Do I have to update both nodes or only the master?
Giorgio

Jinhee

Sep 22, 2015, 8:27:08 PM
to NxFilter
Replace nxd.jar on both of them.

Giorgio Catena

Sep 23, 2015, 1:53:02 AM
to NxFilter
Hi Jinhee, I've done it and now I can open it correctly even on Chrome.
Do you think you will put these settings in the next release?
Regards

Jinhee

Sep 23, 2015, 4:22:42 AM
to NxFilter
Yeah, if it works on both Java 1.7 and 1.8. The next version will be v3.0.1, having an integrated auto-classification engine. And the default blacklist option will be changed to the so-called Jahaslist. NxClassifier is building its base list at the moment.

Giorgio Catena

Sep 23, 2015, 10:08:37 AM
to NxFilter
Just guessing, is the auto-classifier feature based on an existing DB or does it use a different method?

Jinhee

Sep 23, 2015, 8:22:44 PM
to NxFilter
It's based on keyword matching and a scoring system.

  porn : 1000 -> Porn
  baseball : 200 -> Sports

But in reality it's a bit more complicated. You can use regular expressions. And you can define a target. That means you can apply your keyword against the domain, or the title or description of an HTML page.

Once your users visit an unclassified website, NxClassifier visits the website and parses its main page. It then builds score tables for the document. The highest points decide its category.

I will ship only an English version of the default ruleset. You can define your own Italian ruleset. And people with other languages can do the same. If there's a false positive? Then you can modify it on your site.

Once you grow a big enough Italian-friendly blacklist, you can share it with your Italian friends or maybe make some money out of it.
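A small model of the scoring scheme described above, added here as an example (it is not NxClassifier's code): each rule is a regex with a target field and a point value, the page's domain, title and meta description are scored, and the highest total decides the category. The rule tuple layout, the "any" target, the MIN_SCORE cutoff and the sample pages are all assumptions or constructed for the example.

```python
"""Model of the keyword-scoring classification described above. Added example;
the rule layout, the "any" target and the score cutoff are assumptions."""
import re
from collections import defaultdict

# (regex, target field, points, category). Targets: "domain", "title", "description" or "any".
RULES = [
    (r"\bporn\b", "any", 1000, "Porn"),
    (r"\bbaseball\b", "any", 200, "Sports"),
    (r"\b(football|soccer|calcio)\b", "title", 300, "Sports"),
    (r"\bbank\b", "domain", 150, "Finance"),
    (r"\bcricket\b", "description", 100, "Sports"),
]
MIN_SCORE = 100  # assumed cutoff below which a site stays unclassified


def extract_page(domain, html):
    """Pull the fields the scorer looks at out of a fetched main page."""
    title = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    desc = re.search(r'<meta\s+name=["\']description["\']\s+content=["\'](.*?)["\']',
                     html, re.I | re.S)
    return {
        "domain": domain.lower(),
        "title": title.group(1).strip() if title else "",
        "description": desc.group(1).strip() if desc else "",
    }


def score_page(page, rules=RULES):
    """Each rule adds its points to its category at most once, when its regex hits its target."""
    totals = defaultdict(int)
    for pattern, target, points, category in rules:
        text = " ".join(page.values()) if target == "any" else page[target]
        if re.search(pattern, text, re.I):
            totals[category] += points
    return dict(totals)


def classify(page, rules=RULES, min_score=MIN_SCORE):
    """Highest-scoring category wins; ties go to the first category to reach that score."""
    totals = score_page(page, rules)
    if not totals:
        return "Unclassified", totals
    best = max(totals, key=totals.get)
    return (best if totals[best] >= min_score else "Unclassified"), totals


# Constructed sample pages, not real sites.
SPORTS_HTML = ('<html><head><title>Baseball scores tonight</title>'
               '<meta name="description" content="MLB baseball results"></head></html>')
MIXED_HTML = '<html><head><title>Baseball fantasy league</title></head></html>'
PLAIN_HTML = '<html><head><title>Hello world</title></head></html>'

if __name__ == "__main__":
    samples = [("mlb-news.example", SPORTS_HTML), ("bank-sports.example", MIXED_HTML),
               ("example.org", PLAIN_HTML)]
    for domain, html in samples:
        print(domain, classify(extract_page(domain, html)))
```

The mixed sample shows the point Jinhee makes about precedence: "bank" in the domain and "baseball" in the title both score, and Sports wins only because its rule carries more points, so tuning a per-language ruleset is mostly a matter of choosing point values and targets so that the wrong category cannot outscore the right one.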
 

Giorgio Catena

Sep 24, 2015, 6:41:57 AM
to NxFilter
Hmm, nice, I'm curious to test it.
Regards