Tag Archives: TLS
You can work around the Firefox browser security warning “SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)” by referring to this Mozilla Q&A post:
The short version:
Workaround for Firefox 39 and above:
- In Firefox, enter “about:config” in the URL field and press Enter
- Accept the “This might void your warranty!” warning
- In the search field at the top, enter “security.ssl3.dhe_rsa_aes”
- Double click each result (128 and 256) to toggle the Value to “false”
Now retry your site – it should work now. Disabling these two suites stops Firefox from offering DHE at all, so the server falls back to a non-ephemeral RSA key exchange; the weak DH group on the server is what really needs fixing. Remember to change these settings back when you’re done.
# Remote Desktop Service (RDS) certificate for Windows VERSION 6.2 and 6.3
# This works on Windows 7, 8, and 8.1 Professional and Enterprise Editions, for both 32-bit and x64 CPUs.
# All of this requires Administrator level “elevated” privileges. If you don’t know what that means or how to get an “Administrator: Command Prompt” then stop and find a different guide.
# 1) Add the SHA1RSA certificate: Run -> certlm.msc -> Certificates (Local Computer) -> Personal -> Certificates
# 1.1) Windows 7 does not have certlm.msc. Use mmc.exe and the Certificates snap-in for the “local computer” and then continue on to step 2).
# 2) Get the cert hash (sha1) “thumbprint”
certutil.exe -store my example.com | findstr /r "Subject: Cert.Hash"
# Subject: CN=*.example.com, OU=Domain Control Validated
# Cert Hash(sha1): ff 65 98 ff d0 a9 ff f1 70 ff 53 2b ff dd 3d ff eb 22 ff 0a
# 3) Verify the subject line is the correct certificate and then clean up the “thumbprint” hash by removing all space characters
# 4) The RDP listener reads the sha1 thumbprint of the certificate it should present from a BINARY registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SSLCertificateSHA1Hash = <thumbprint>
# Example reg hack
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "SSLCertificateSHA1Hash" /t REG_BINARY /d ff6598ffd0a9fff170ff532bffdd3dffeb22ff0a
# Only change this as a last resort!
# 5) If no CRL is reachable, revocation checking may need to be constrained to the cached local list with this DWORD value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1
# Example reg hack
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors" /t REG_DWORD /d 1
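Steps 2 to 4 above, carried out from an elevated PowerShell prompt, as an added example that is not part of the original post. The subject pattern `example.com` is a placeholder for the CN of the certificate you intend to use; the registry path and value name are the ones from step 4. The script picks the matching certificate from the Local Computer Personal store, converts its thumbprint into the 20 raw bytes the listener expects, writes the REG_BINARY value, and reads it back to confirm the two match.

```powershell
# Added example, not the original post's code: bind a certificate from
# Local Computer\Personal to the RDP-Tcp listener (steps 2-4 of the guide).
# Assumption: run from an elevated ("Run as administrator") PowerShell prompt.
$subjectPattern = 'example.com'   # placeholder: the CN of the certificate to use

# Step 2: find the certificate and read its thumbprint from the store object.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectPattern*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key matched '$subjectPattern' in LocalMachine\My"
}

# Step 3: show the subject so the operator can confirm it is the right certificate.
Write-Host "Using certificate: $($cert.Subject) (expires $($cert.NotAfter))"
$thumbprint = $cert.Thumbprint    # uppercase hex, no spaces, 40 characters
if ($thumbprint.Length -ne 40) { throw "Unexpected thumbprint length: $thumbprint" }

# Step 4: the listener wants the thumbprint as 20 raw bytes in a REG_BINARY value.
$bytes = New-Object byte[] 20
for ($i = 0; $i -lt 20; $i++) {
    $bytes[$i] = [Convert]::ToByte($thumbprint.Substring(2 * $i, 2), 16)
}
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'SSLCertificateSHA1Hash' -Value $bytes -Type Binary

# Verify: read the value back and compare it with the certificate's thumbprint.
$stored = (Get-ItemProperty -Path $rdpKey -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$storedHex = ($stored | ForEach-Object { $_.ToString('X2') }) -join ''
if ($storedHex -ne $thumbprint) {
    throw "Registry value ($storedHex) does not match certificate thumbprint ($thumbprint)"
}
Write-Host "RDP-Tcp listener now bound to thumbprint $storedHex"
```

The listener runs as NETWORK SERVICE, so that account also needs read access to the certificate's private key (Manage Private Keys in the Certificates snap-in); without it the listener silently keeps presenting its self-signed certificate even though the registry value is correct. Reconnect with a Remote Desktop client afterwards and inspect the certificate it shows to confirm the change took effect.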