Technology Blogs by SAP
MarkusTolksdorf
Product and Topic Expert


With the update to version 45.0.2454.85, Chrome is more restrictive about the ciphers it accepts for HTTPS connections when the negotiated cipher suite uses DHE. It blocks the connection, and instead of the web page you wanted to access you see an error document containing a sentence in the default locale plus the error code ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY. Exactly this message now appears frequently when trying to access the Cloud Connector administration UI with Chrome. The root cause is the cipher chosen by the Cloud Connector during the SSL handshake. The suite is selected by the JCE implementation, which depends on the Java Virtual Machine your Cloud Connector runs on. Unfortunately, the JCE implementations contained in older JVM versions prefer DHE ciphers over the others, the public key they use is a compromised one, and since the server makes the choice, we end up with the unrecoverable error message in Chrome. So what can be done now? See the workarounds and the real solutions below.


Workarounds:

  • Use Firefox instead. Version 40 and higher shows a similar message (ssl_error_weak_server_ephemeral_dh_key), but in about:config it is possible to allow the connection again by setting security.ssl3.dhe_rsa_aes_128_sha to false. Revert this after applying one of the solutions mentioned below.

  • Limit the cipher suites supported by the Cloud Connector to ones that Chrome still accepts. This requires a manual change in <sccroot>/config_master/org.eclipse.gemini.web.tomcat/default-server.xml: search for the Connector for port 8443 and add an attribute listing the allowed ciphers: ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256". This very limited set, which uses RSA key exchange only and therefore never sends DHE parameters, makes the UI work again for both SAP JVM 6 and 7.

  • Use Internet Explorer
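As an added example (not part of the original post or of the Cloud Connector code), the following Python script performs the default-server.xml workaround against a constructed stand-in for that file: it sets the ciphers attribute on the SSL connector for port 8443 (or, with port=None, on every SSLEnabled connector, which the SMP server files discussed in the comments need), and refuses a replacement list that still contains a DHE suite.

```python
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for <sccroot>/config_master/.../default-server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>
"""

# The set named in the workaround: RSA key exchange only, so no DHE parameters
# are ever sent, and supported by both SAP JVM 6 and 7.
SAFE_CIPHERS = ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256")


def has_dhe(cipher_list):
    """True if a comma-separated suite list contains a finite-field DHE suite
    (TLS_ECDHE_* is unaffected by the Chrome change and passes)."""
    suites = (s.strip() for s in cipher_list.split(","))
    return any(s.startswith(("TLS_DHE_", "SSL_DHE_")) for s in suites if s)


def connector_ciphers(server_xml, port):
    """Return the ciphers attribute of the Connector on `port`, or None."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == str(port):
            return conn.get("ciphers")
    return None


def restrict_ciphers(server_xml, port=8443, ciphers=SAFE_CIPHERS):
    """Set `ciphers` on the SSLEnabled Connector on `port`; with port=None on
    every SSLEnabled Connector (the SMP files in the comments carry three per
    file). Returns (new_xml, number_of_connectors_changed)."""
    joined = ",".join(ciphers)
    if has_dhe(joined):
        raise ValueError("replacement list still contains a DHE suite: " + joined)
    root = ET.fromstring(server_xml)
    count = 0
    for conn in root.iter("Connector"):
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        if ssl_enabled and (port is None or conn.get("port") == str(port)):
            conn.set("ciphers", joined)
            count += 1
    return ET.tostring(root, encoding="unicode"), count
```

Run it against a copy of the real file and diff the result before restarting the Cloud Connector; the plain HTTP connector is left untouched because it is not SSLEnabled.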



Solutions:

  • Use the latest SAP JVM 7 (at least 7.1.032), downloadable from the Support Portal (download authorization required). Download the archive for your platform from there until it is also available from the Cloud Tools page.

  • If you still need to stick to SAP JVM 6, use the latest one (at least 6.1.081), downloadable from the Support Portal (download authorization required). Download the archive for your platform from there until it is also available from the Cloud Tools page.


12 Comments
Former Member

Question, is just upgrading SAP JVM enough?  When you use SAP HANA Cloud Connector Settings -> UI Certificate to generate a CSR, will it not use <sccroot>/config_master/org.eclipse.gemini.web.tomcat/default-server.xml?

MarkusTolksdorf
Product and Topic Expert

Hi David,

it will be sufficient. The error message is not about the server UI certificate, but about the cipher that is used.

Best regards,

Markus

nageshcaparthy
Product and Topic Expert

Hi markus.tolksdorf

Thanks for this update. I see this error with on-prem installation for SMP 2.3 SP06 and SMP 3.0 SP08 version also. Will the SAP JVM 7.0 solve the issue?

Regards,

Nagesh

Jitendra_Kansal
Product and Topic Expert

nagesh.caparthy2

For SMP 3.0.x, check this one. Not sure for SMP 2.3.x.

Former Member

OK, thanks!

nageshcaparthy
Product and Topic Expert

Hi jitendrakumar.kansal,

I don't see the fix on 2.3 on that link, so wondering if JVM 7 will be a fix for this.

Regards,

Nagesh

MarkusTolksdorf
Product and Topic Expert

Hi Nagesh,

I can't tell whether it helps as I don't know the architecture of SMP 2.3 well enough. But if it uses a tomcat internally plus the JVM JCE, I would give it a try ...

Best regards,

Markus

nageshcaparthy
Product and Topic Expert

Thanks Markus.

I was looking at it and I do not think JVM will fix it.

Regards,

Nagesh

Kevin_SAP
Advisor

I don't think this is a JVM issue.  The listeners have a security setup on what cipher suites to support.  We expose the SMP cipher suites for editing, but I don't see where we expose the SCC setup yet.  It runs with a different Jetty server.

I'm still looking, but may need to get an SCC engineer.

Regards,

Kevin

andreas_wegmann
Employee

Hi all,

there is a workaround available for Chrome and SMP 3.0.x (I didn't test with SMP 2.3, but that might also apply).

You need to modify the "ciphers" parameter in the "default-server.xml" and "tomcat-server.xml" (there exist three of them inside each file) under ..\MobilePlatform3\Server\... as follows: ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA". Afterwards you need to restart the SMP server.

Please also take a backup of these two files BEFORE modifying.

KR Andreas

andreas_wegmann
Employee

Hi Nagesh,
for SMP 2.3.x (in SCC) that's actually not possible with standard config files or UI.
I think it's defined in a class(SslSocketConnector.class; setIncludeCipherSuites) of the Jetty server which can't be modified easily.

Waiting for some feedback from development.
KR

Andreas

nageshcaparthy
Product and Topic Expert

Thank you Andreas. Shall wait for feedback from your team.

Regards,

Nagesh