SSL Deployment Problem

Sherif Amir
New member
Username: Sherifamir

Post Number: 1
Registered: 11-2015
Posted on Tuesday, November 10, 2015 - 07:36 pm:   

Hello,

We have been deploying an SSL Cert over a 2012 Edition and we have applied the SSL DLL that is required to upgrade to 2048 encryption.

We have tested that the Cert and CSR are both valid and fine, yet all browsers receive an error: Server has a weak ephemeral Diffie-Hellman public key

We did run a site check through an external service and it did indicate that the web server may be accepting low encryption cipher suites and this is probably why browsers don't accept the request.

Any idea on how to fix?
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 5496
Registered: 08-2008
Posted on Tuesday, November 10, 2015 - 07:58 pm:   

Hi,

It is most likely an issue related to SHA-1 deprecation. See http://www.nowsms.com/ssl-sha1-deprecation-and-sha256-support

Officially, we only support this update with 2014 and 2015 versions, but it will probably work with 2012. (Backup the replaced files in case it does not.)

--
Des
NowSMS Support
Sherif Amir
New member
Username: Sherifamir

Post Number: 2
Registered: 11-2015
Posted on Tuesday, November 10, 2015 - 08:11 pm:   

It didn't work!

Do we need to re-issue our Certs? Though they were 2048 bit already?

A quick online check https://www.sslshopper.com/ssl-checker.html#hostname=securesms.extremesolution.com resulted this.. is there a way to install chained certificate not knowing the type of web server??
Sherif Amir
New member
Username: Sherifamir

Post Number: 3
Registered: 11-2015
Posted on Tuesday, November 10, 2015 - 08:20 pm:   

Everything looks fine, yet it still spits the same error

https://securesms.extremesolution.com
Sherif Amir
New member
Username: Sherifamir

Post Number: 4
Registered: 11-2015
Posted on Tuesday, November 10, 2015 - 08:39 pm:   

Needless to mention, the only browser that did work was Safari for some reason... nothing else works not on any platform!
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 5497
Registered: 08-2008
Posted on Tuesday, November 10, 2015 - 08:45 pm:   

Which SHA algorithm is used is decided by the certificate signing request (CSR). My understanding is that this algorithm choice then becomes part of the certificate.

So, yes, I do believe the certs need to be reissued.

--
Des
NowSMS Support
Sherif Amir
New member
Username: Sherifamir

Post Number: 5
Registered: 11-2015
Posted on Tuesday, November 10, 2015 - 10:03 pm:   

We have re-generated Certs and still same problem, while HTTPS is only working through Safari browsers.

Any help?
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 8128
Registered: 10-2002
Posted on Wednesday, November 11, 2015 - 02:26 am:   

Hi,

I can see that the certificate is updated for SHA-256, but there is yet another issue that can affect some certificates.

Try the updated SMSSSL.DLL at http://www.nowsms.com/download/smsssl-logjam.zip

It is not necessary to update the cert again.

If there is still a problem, this version has support for more configurable parameters...but I think this will resolve the issue.

-bn
Sherif Amir
New member
Username: Sherifamir

Post Number: 6
Registered: 11-2015
Posted on Wednesday, November 11, 2015 - 02:47 pm:   

Hello Bryce,

Same error for all non-Safari browsers:
Server has a weak ephemeral Diffie-Hellman public key - ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

What parameters do you think we should try? All Certs are valid and tested through external parties.
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 8129
Registered: 10-2002
Posted on Wednesday, November 11, 2015 - 03:57 pm:   

Hi Sherif,

This may be more difficult to resolve than I thought. But at least the error is different.

Try another updated SMSSSL.DLL at http://www.nowsms.com/download/smsssl-logjam2.zip

-bn
Sherif Amir
New member
Username: Sherifamir

Post Number: 7
Registered: 11-2015
Posted on Wednesday, November 11, 2015 - 04:22 pm:   

Hello,

This is the same Error we had all along even with that DLL update: Server has a weak ephemeral Diffie-Hellman public key - ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

One of the public SSL checking websites reports the following:

Accepting low encryption cipher suites

This site accepts connections with a weak cipher suite! Cipher suites with an encryption lower than 128 bit are not safe and should not be accepted. Normally modern browsers don’t use weak ciphers by default, but on this site hackers could force a lower encryption session.

Thanks
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 8130
Registered: 10-2002
Posted on Wednesday, November 11, 2015 - 04:57 pm:   

Hi again,

This has me extremely confused as your system seems to be accepting SSL ciphers that we do not enable. (I can see by making test connections.)

Is there any chance that you are not using the SSL/TLS functionality in NowSMS, but instead using some sort of external SSL wrapper like STUNNEL?

-bn

Bryce Norwood
Now SMS/MMS Support
Sherif Amir
New member
Username: Sherifamir

Post Number: 8
Registered: 11-2015
Posted on Wednesday, November 11, 2015 - 05:03 pm:   

This is a RackSpace Cloud Server so there shouldn't be any tunnels.

I have switched NOWSMS Port to 8801 to ensure we aren't conflicting with any other service and it's the same error.

I will create a support ticket in parallel just in case, but let me confirm this:

The Host works fine over SSL through Safari browsers and NowSMS interface works fine!
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 8131
Registered: 10-2002
Posted on Wednesday, November 11, 2015 - 05:37 pm:   

I wouldn't expect that to be a problem with a Rackspace cloud server. I assume you have a dedicated IP?

In the same directory as the SSL certs, try creating CIPHER.INI with the following content:

[Cipher]
Cipher=HIGH:!DH:!aNULL:!EXPORT


Restart the NowSMS SMS service after making this change.

If this doesn't resolve the problem, I'm wondering if there is still an old version of SMSSSL.DLL somewhere on the server which is getting loaded instead of the newer version.

Another idea, which is a security no-no, would be to arrange for me to download your SSL files and try to recreate the problem. We obviously don't want the files to leak, but maybe we can arrange a way for me to get them...to discuss via private email, send a message to nowsms@nowsms.com with Attention: Bryce in the subject line.

One other idea...can you load a trial NowSMS on your network and configure it with the same SSL files (including the updated SMSSSL.DLL). Then use a HOSTS file entry to redirect local requests for your server to that IP and see if the security warning remains.

-bn

Bryce Norwood
Now SMS/MMS Support
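
To see what the cipher string in the post above enables, this added example (not part of the original thread and not NowSMS code) expands it with the OpenSSL build linked into Python and shows which suites the `!DH` rule takes out. It assumes CIPHER.INI is read using OpenSSL cipher-list syntax; the function names are illustrative.

```python
import ssl

# Cipher string quoted from the CIPHER.INI in the post above.
POSTED = "HIGH:!DH:!aNULL:!EXPORT"
# The same string without !DH, used only to show what that rule removes.
WITHOUT_DH_RULE = "HIGH:!aNULL:!EXPORT"


def expand(cipher_string):
    """Map suite name -> (key exchange, authentication) for the string,
    as expanded by the local OpenSSL (assumed: OpenSSL 1.1.0 or later)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: (c.get("kea"), c.get("auth")) for c in ctx.get_ciphers()}


def removed_by_dh_rule():
    """Suites enabled without !DH and disabled once it is added."""
    before, after = expand(WITHOUT_DH_RULE), expand(POSTED)
    return {name: before[name] for name in before if name not in after}


def flagged(suites):
    """Suites OpenSSL labels kx-dhe (the DHE-* suites behind the browser
    error), anonymous-auth suites, and export suites (EXP-* names)."""
    return sorted(
        name for name, (kea, auth) in suites.items()
        if kea == "kx-dhe" or auth == "auth-null" or name.startswith("EXP")
    )


if __name__ == "__main__":
    enabled = expand(POSTED)
    print(ssl.OPENSSL_VERSION)
    print(len(enabled), "suites enabled by", POSTED)
    for name, (kea, auth) in enabled.items():
        print(f"  {name:35} {kea:10} {auth}")
    print("removed by !DH:", ", ".join(sorted(removed_by_dh_rule())) or "none")
    print("still flagged:", flagged(enabled) or "none")
```

The expansion depends on the OpenSSL version doing it, so the list printed here describes the local library, not the one inside SMSSSL.DLL.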
Sherif Amir
New member
Username: Sherifamir

Post Number: 9
Registered: 11-2015
Posted on Wednesday, November 11, 2015 - 06:25 pm:   

Here is an update...

Rebooted Server, added CIPHER.INI resulted that http://securesms.extremesolution.com refuses any connection and removing the INI file results the previous error.

I will arrange a copy of the Certs to be sent over, once it's resolved we can revoke them and create new ones.

thanks
Sherif Amir
New member
Username: Sherifamir

Post Number: 10
Registered: 11-2015
Posted on Wednesday, November 11, 2015 - 06:39 pm:   

The CIPHER.INI posted behavior may have been inaccurate.
Certs are already shared.
Bryce Norwood - NowSMS Support
Board Administrator
Username: Bryce

Post Number: 8132
Registered: 10-2002
Posted on Wednesday, November 11, 2015 - 07:17 pm:   

Hi Sherif,

I tried your cert files on a NowSMS server on a local LAN.

I modified HOSTS files on a PC and a Mac to redirect your host name to the local LAN IP of this server.

No errors are reported connecting to this server by Internet Explorer, Chrome, Firefox or Safari. All are happy with the certificate and encryption protocols.

This is with no CIPHER.INI, and the most recent SMSSSL.DLL.

If I remove the HOSTS entry, I see errors in all but Safari when connecting to your actual server.

I then reverted to the SHA256 version of SMSSSL.DLL...and still I see no errors. This tells me that there was no need for the two updated versions that I posted, as the SHA256 version already addressed the problem. The ability to modify cipher selection in the update is nice, but appears irrelevant to whatever problem you are facing.

When I manually try the OpenSSL tests on this page: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ I can clearly see that your server supports export ciphers, and I do not see how that is possible.


Please confirm that the updated SMSSSL.DLL is in \Program Files (x86)\NowSMS or (\Program Files\NowSMS) in the same directory as smsgws.exe.

The only other idea I have is to send you an updated NowSMS that reports the cipher used to accept a connection. I can run tests that use the export cipher, and we can see what NowSMS reports as the cipher...if the ciphers are different, then that would show that there is some sort of SSL tunnel at the provider.

-bn

Bryce Norwood
Now SMS/MMS Support