Force Chrome to Ignore a "weak ephemeral Diffie-Hellman public key”

Solution 1:

Hacky fix to get around this issue (Mac OSX)

  • Run this in commandline to workaround the issue while launching Chrome

Chrome:

open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

Canary:

open /Applications/Google\ Chrome\ Canary.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

For Firefox

  • Go to about:config
  • Search for security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha
  • Set them both to false.

NOTE: Permanently fix would be to update the DH key with a length > 1024

Solution 2:

Indeed, seems that browsers have taken seriously the Diffie-Hellman issue with lower keys than 1024 in length, which in a part is great news, but on the other hand, it has generated a lot of angry Chrome users.

The fix for this issue (and many others related to security) is sysadmins' responsibility, so as I understand it, the decision of blocking any website that offers a weak 512 bit or lower Diffie-Hellman key is a measure of pressure directed to the ones who manage security on remote sites, with the "downside" of users suffering the effects.

It is currently possible to blacklist some Cipher Suites when launching the Google Chrome browser by running it with the --cipher-suite-blacklist= 0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013 parameter, which seem to disable the ones related to the LogJam vulnerability and permits users join the sites, but I insist that it should be sysadmins' responsibility to fix the issue with their Diffie-Hellmann's keys.