SSL Deployment Problem
NowSMS Support Forums, NowSMS Support - SMS Issues, Archive through May 19, 2016
Sherif Amir, New member (Username: Sherifamir, Post Number: 1, Registered: 11-2015)
Hello, We have been deploying an SSL Cert over a 2012 Edition and we have applied the SSL DLL that is required to upgrade to 2048 encryption. We have tested that the Cert and CSR are both valid and fine, yet all browsers receive an error: Server has a weak ephemeral Diffie-Hellman public key. We did run a site check through an external service and it did indicate that the web server may be accepting low encryption cipher suites and this is probably why browsers don't accept the request. Any idea on how to fix?
Des - NowSMS Support, Board Administrator (Username: Desosms, Post Number: 5496, Registered: 08-2008)
Hi, It is most likely an issue related to SHA-1 deprecation. See http://www.nowsms.com/ssl-sha1-deprecation-and-sha256-support Officially, we only support this update with 2014 and 2015 versions, but it will probably work with 2012. (Backup the replaced files in case it does not.) -- Des NowSMS Support
Sherif Amir, New member (Username: Sherifamir, Post Number: 2, Registered: 11-2015)
It didn't work! Do we need to re-issue our Certs? Though they were 2048 bit already? A quick online check https://www.sslshopper.com/ssl-checker.html#hostname=securesms.extremesolution.com resulted in this.. is there a way to install a chained certificate not knowing the type of web server??
Sherif Amir, New member (Username: Sherifamir, Post Number: 3, Registered: 11-2015)
Everything looks fine, yet it still spits the same error https://securesms.extremesolution.com
Sherif Amir, New member (Username: Sherifamir, Post Number: 4, Registered: 11-2015)
Needless to mention, the only browser that did work was Safari for some reason... nothing else works, not on any platform!
Des - NowSMS Support, Board Administrator (Username: Desosms, Post Number: 5497, Registered: 08-2008)
Which SHA algorithm is used is decided by the certificate signing request (CSR). My understanding is that this algorithm choice then becomes part of the certificate. So, yes, I do believe the certs need to be reissued. -- Des NowSMS Support
Sherif Amir, New member (Username: Sherifamir, Post Number: 5, Registered: 11-2015)
We have re-generated Certs and still the same problem, while HTTPS is only working through Safari browsers. Any help?
Bryce Norwood - NowSMS Support, Board Administrator (Username: Bryce, Post Number: 8128, Registered: 10-2002)
Hi, I can see that the certificate is updated for SHA-256, but there is yet another issue that can affect some certificates. Try the updated SMSSSL.DLL at http://www.nowsms.com/download/smsssl-logjam.zip It is not necessary to update the cert again. If there is still a problem, this version has support for more configurable parameters...but I think this will resolve the issue. -bn
Sherif Amir, New member (Username: Sherifamir, Post Number: 6, Registered: 11-2015)
Hello Bryce, Same error for all non-Safari browsers: Server has a weak ephemeral Diffie-Hellman public key - ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY What parameters do you think we should try? All Certs are valid and tested through external parties.
Bryce Norwood - NowSMS Support, Board Administrator (Username: Bryce, Post Number: 8129, Registered: 10-2002)
Hi Sherif, This may be more difficult to resolve than I thought. But at least the error is different. Try another updated SMSSSL.DLL at http://www.nowsms.com/download/smsssl-logjam2.zip -bn
Sherif Amir, New member (Username: Sherifamir, Post Number: 7, Registered: 11-2015)
Hello, This is the same error we had all along, even with that DLL update: Server has a weak ephemeral Diffie-Hellman public key - ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY One of the public SSL checking websites reports the following: Accepting low encryption cipher suites. This site accepts connections with a weak cipher suite! Cipher suites with an encryption lower than 128 bit are not safe and should not be accepted. Normally modern browsers don't use weak ciphers by default, but on this site hackers could force a lower encryption session. Thanks
Bryce Norwood - NowSMS Support, Board Administrator (Username: Bryce, Post Number: 8130, Registered: 10-2002)
Hi again, This has me extremely confused, as your system seems to be accepting SSL ciphers that we do not enable. (I can see by making test connections.) Is there any chance that you are not using the SSL/TLS functionality in NowSMS, but instead using some sort of external SSL wrapper like STUNNEL? -bn Bryce Norwood Now SMS/MMS Support
Sherif Amir, New member (Username: Sherifamir, Post Number: 8, Registered: 11-2015)
This is a RackSpace Cloud Server, so there shouldn't be any tunnels. I have switched the NOWSMS port to 8801 to ensure we aren't conflicting with any other service, and it's the same error. I will create a support ticket in parallel just in case, but let me confirm this: The host works fine over SSL through Safari browsers and the NowSMS interface works fine!
Bryce Norwood - NowSMS Support, Board Administrator (Username: Bryce, Post Number: 8131, Registered: 10-2002)
I wouldn't expect that to be a problem with a Rackspace cloud server. I assume you have a dedicated IP? In the same directory as the SSL certs, try creating CIPHER.INI with the following content:

[Cipher]
Cipher=HIGH:!DH:!aNULL:!EXPORT

Restart the NowSMS SMS service after making this change. If this doesn't resolve the problem, I'm wondering if there is still an old version of SMSSSL.DLL somewhere on the server which is getting loaded instead of the newer version. Another idea, which is a security no-no, would be to arrange for me to download your SSL files and try to recreate the problem. We obviously don't want the files to leak, but maybe we can arrange a way for me to get them...to discuss via private email, send a message to nowsms@nowsms.com with Attention: Bryce in the subject line. One other idea...can you load a trial NowSMS on your network and configure it with the same SSL files (including the updated SMSSSL.DLL). Then use a HOSTS file entry to redirect local requests for your server to that IP and see if the security warning remains. -bn Bryce Norwood Now SMS/MMS Support
Sherif Amir, New member (Username: Sherifamir, Post Number: 9, Registered: 11-2015)
Here is an update... Rebooted the server, added CIPHER.INI, which resulted in http://securesms.extremesolution.com refusing any connection, and removing the INI file results in the previous error. I will arrange a copy of the Certs to be sent over; once it's resolved we can revoke them and create new ones. Thanks
Sherif Amir, New member (Username: Sherifamir, Post Number: 10, Registered: 11-2015)
The CIPHER.INI behavior posted may have been inaccurate. Certs are already shared.
Bryce Norwood - NowSMS Support, Board Administrator (Username: Bryce, Post Number: 8132, Registered: 10-2002)
Hi Sherif, I tried your cert files on a NowSMS server on a local LAN. I modified HOSTS files on a PC and a Mac to redirect your host name to the local LAN IP of this server. No errors are reported connecting to this server by Internet Explorer, Chrome, Firefox or Safari. All are happy with the certificate and encryption protocols. This is with no CIPHER.INI, and the most recent SMSSSL.DLL. If I remove the HOSTS entry, I see errors in all but Safari when connecting to your actual server. I then reverted to the SHA256 version of SMSSSL.DLL...and still I see no errors. This tells me that there was no need for the two updated versions that I posted, as the SHA256 version already addressed the problem. The ability to modify cipher selection in the update is nice, but appears irrelevant to whatever problem you are facing. When I manually try the OpenSSL tests on this page: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ I can clearly see that your server supports export ciphers, and I do not see how that is possible. Please confirm that the updated SMSSSL.DLL is in \Program Files (x86)\NowSMS or (\Program Files\NowSMS) in the same directory as smsgws.exe. The only other idea I have is to send you an updated NowSMS that reports the cipher used to accept a connection. I can run tests that use the export cipher, and we can see what NowSMS reports as the cipher...if the ciphers are different, then that would show that there is some sort of SSL tunnel at the provider. -bn Bryce Norwood Now SMS/MMS Support