WLS and EM 12c: Accessing EM and Weblogic Console URL in Browser Gives Error "ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY"

Posted by Patrick Hamou on 2017:09:14 14:23:30

APPLIES TO:

Oracle WebLogic Server - Version 10.3 and later
Enterprise Manager Base Platform - Version 12.1.0.1.0 and later
Information in this document applies to any platform.

SYMPTOMS

Accessing the Oracle WebLogic console URL (https://<hostname>:<port>/console) in a browser gives the following error:

In Chrome Browser:
Server has a weak, ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

In Firefox Browser:
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
(Error code: ssl_error_weak_server_ephemeral_dh_key)

A similar error is shown when accessing the EM console URL through the managed server port, as below:

https://<hostname>:<port>/em

Enterprise Manager (EM) 12c Cloud Control uses Oracle WebLogic Server 10.3.6, so the same error also occurs in those environments.

CHANGES

Recently updated to a new client browser version.

CAUSE

SSL industry standards are changing: newer browser releases reject a server whose ephemeral Diffie-Hellman key exchange uses a weak (too short or export-grade) key, and the default cipher set of an unpatched WebLogic Server and JDK combination still offers such DHE suites.

SOLUTION

Oracle Fusion Middleware products including Oracle WebLogic Server

The following note outlines the steps to take to adjust to the new SSL standards across the various FMW products and components:

Note 1955915.1 SSL Handshake Fails with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, SSL_ERROR_NO_CYPHER_OVERLAP, ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY Errors

In this case (accessing /em as deployed to WebLogic Server), follow the Critical Patch Update program and apply the security patches for your Oracle products, including the WLS PSU and the JDK, in order to update the default ciphers used in SSL processing. For the latest, see Note 551453.1, "How to Find the Correct Critical Patch Update Patches for Oracle Fusion Middleware Products". Below are the target releases for this issue:

1) A new JDK version is required to be compatible with the new client browser; it removes the DHE_EXPORT cipher that is enabled on the server and rejected by the client. See Note 1492980.1, "How to Install and Maintain the Java SE Installed or Used with FMW 11g/12c Products".

Note: Since the ciphers available to Oracle WebLogic Server are controlled by the JDK in use, JDK 1.7.0_40 and JDK 1.6.0_101 or higher provide the fix for this when accessing /em. The new JDK was released as part of the Critical Patch Update of October 2015. If you are currently using JDK 6, it is recommended to stay on JDK 6 (and update to JDK 1.6.0_101 or higher) until you have confirmed certification and tested your applications with JDK 7. Depending on further errors, you may also need to convert your certificates to use a key size greater than 1024 bits.

2) Apply the latest PSU for WLS 10.3.6. It has been shown that applying 10.3.6.0.13 (Patch 21984589) or higher also resolves this issue.
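As an added check (example code written for this post, not Oracle's or the note's), the following Python probe offers a WebLogic or EM HTTPS port only DHE cipher suites, parses the resulting ServerKeyExchange and reports the size of the ephemeral DH prime, so you can confirm before and after the JDK/PSU update whether the server still offers a key below the 1024 bits that current browsers require. The host and port passed to probe() are assumptions for your environment.

```python
import socket

MIN_DH_BITS = 1024  # current browsers reject ephemeral DH primes shorter than this
# DHE_RSA/DHE_DSS suites, export-grade ones included, so a server that still
# enables them must answer with a ServerKeyExchange carrying dh_p.
DHE_SUITES = (0x0039, 0x0033, 0x0016, 0x0038, 0x0032, 0x0013, 0x0014, 0x0011)

def build_client_hello():
    """Minimal TLS 1.0 ClientHello (no extensions) offering only DHE suites."""
    suites = b"".join(s.to_bytes(2, "big") for s in DHE_SUITES)
    body = (b"\x03\x01" + bytes(32) + b"\x00"      # version, random (zeros suffice), no session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def dh_prime_bits(records):
    """Bit length of dh_p from the first ServerKeyExchange (type 12) in these TLS records, else None."""
    hs, pos, hpos = b"", 0, 0
    while pos + 5 <= len(records):                   # record layer: type(1) version(2) length(2)
        ctype, length = records[pos], int.from_bytes(records[pos + 3:pos + 5], "big")
        if ctype == 21:                              # alert, e.g. no cipher overlap
            return None
        if ctype == 22:                              # handshake record: collect fragment
            hs += records[pos + 5:pos + 5 + length]
        pos += 5 + length
    while hpos + 4 <= len(hs):                       # handshake layer: type(1) length(3)
        mtype, mlen = hs[hpos], int.from_bytes(hs[hpos + 1:hpos + 4], "big")
        if mtype == 12 and hpos + 6 <= len(hs):     # ServerDHParams starts with dh_p length
            plen = int.from_bytes(hs[hpos + 4:hpos + 6], "big")
            p = hs[hpos + 6:hpos + 6 + plen]
            return int.from_bytes(p, "big").bit_length() if len(p) == plen else None
        hpos += 4 + mlen
    return None

def is_weak(bits):
    """True when the offered ephemeral DH prime is one a current browser rejects."""
    return bits is not None and bits < MIN_DH_BITS

def probe(host, port, timeout=5.0):
    """Send the ClientHello, read the server's flight until dh_p appears, return its size."""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        while dh_prime_bits(data) is None:
            chunk = s.recv(16384)                    # raises socket.timeout if the server stalls
            if not chunk:                            # closed without DH params (alert or non-DHE)
                break
            data += chunk
    return dh_prime_bits(data)
```

Call is_weak(probe("your-wls-host", 7002)) with your own host and HTTPS port; a result of None means the server refused every DHE suite offered, which is also what you want to see after the update.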

Enterprise Manager (EM) 12c Cloud and Grid Control Environments

Update June 27, 2016:

Updating the JDK is the primary solution to this problem, as it allows newer defaults when processing https requests on Oracle WebLogic Server. The latest PSU for WLS should also be applied for compatibility and to cover all known, fixed and applicable vulnerabilities. The document below provides instructions to update the JDK and the other updates required between integrated components. This is now certified by the EM QA/Development team:

Note 2105187.1 Instructions to use JDK 1.6 update 111 with EM 12.1.0.5

The following issue occurs irrespective of the JDK update and produces the same error in the browser:

Note 1510058.1 Regenerating OEM-WLS Demo Identity Certificate with 1024 bit Key strength (For example to fix the error "ssl_error_weak_server_cert_key")