Home » Posts tagged 'SSL'

Tag Archives: SSL

Firefox and weak ephemeral Diffie-Hellman key

You can work around the Firefox browser security warning “SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)” by referring to this Mozilla Q&A post:


The short version:

Workaround for Firefox 39 and above:

  1. In FireFox, enter “about:config” in the URL field and press enter
  2. Accept the “This might void your warranty!” warning
  3. In the search field at the top, enter “security.ssl3.dhe_rsa_aes
  4. Double click each result (128 and 256) to toggle the Value to “false

Now retry your site – it should work now. Remember to change these settings back when you’re done.

TLS Certificate for Windows 8/8.1 Remote Desktop Service

# —————————————
# Remote Desktop Service (RDS) certificate for Windows VERSION 6.2 and 6.3
# This works on Windows 7, 8, and 8.1 Professional and Enterprise Editions, for both 32-bit and x64 CPUs.
# —————————————

# All of this required Administrator level “elevated” privileges. If you don’t know what that means or how to get an “Administrator:Command Prompt” then stop and find a different guide.

# 1) Add SHA1RSA certificate to “Run” -> certlm.msc -> Certificates Local Computer -> Personal -> Certificates
# 1.1) Windows 7 does not have certlm.msc. Use mmc.exe and the Certificates snap-in for the “local computer” and then continue on to step 2).

# 2) Get the cert hash(sha1) “thumbprint”
# Example:
certutil.exe –store my example.com | findstr /r "Subject: Cert.Hash"
# Subject: CN=*.example.com, OU=Domain Control Validated
# Cert Hash(sha1): ff 65 98 ff d0 a9 ff f1 70 ff 53 2b ff dd 3d ff eb 22 ff 0a

# 3) Verify the subject line is the correct certificate and then cleanup the “thumbprint” hash by removing all space characters

# 4) The networkdriver has the right to read the sha1 thumbprint of the certificate from a BINARY registry key:
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash = <thumbprint>
# Example reg hack
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d ff6598ffd0a9fff170ff532bffdd3dffeb22ff0a

# Only change this only as a last resort!
# 5) The revocation-list may need to be constrained to the local list with DWORD key if no CRL is available.
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
# Example reg hack
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"/t REG_DWORD /d 1

CertMgr.exe Tool

The Microsoft CertMgr.exe tool is included in few SDKs like the Windows SDK, Drivers SDK, and with Visual Studios.  As of this writing it is a standalone executable and can simply be copied to other computers with requiring installation or other support files. (more…)