{"id":182,"date":"2015-09-03T10:14:10","date_gmt":"2015-09-03T10:14:10","guid":{"rendered":"http:\/\/blog.goodwill.co.id\/?p=182"},"modified":"2015-09-04T01:36:11","modified_gmt":"2015-09-04T01:36:11","slug":"guide-to-disable-weak-diffie-hellman-in-adempiere","status":"publish","type":"post","link":"https:\/\/www.goodwill.co.id\/blog\/guide-to-disable-weak-diffie-hellman-in-adempiere\/","title":{"rendered":"Guide to Disable Weak Diffie-Hellman in Adempiere"},"content":{"rendered":"<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\">Diffie-Hellman key exchange<\/a> is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS.<\/p>\n<p><a href=\"https:\/\/weakdh.org\/\">Logjam<\/a> is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically:<\/p>\n<blockquote><p>The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the <a href=\"http:\/\/freakattack.com\/\">FREAK attack<\/a>, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports <tt>DHE_EXPORT<\/tt> ciphers, and affects all modern web browsers. 8.4% of the Top 1 Million domains were initially vulnerable.<\/p><\/blockquote>\n<p>Adempiere 370 is affected as well. The good news is that it is only exposed to passive eavesdropping by an attacker with <span style=\"text-decoration: underline;\">nation-state<\/span> resources, not to the active downgrade described above, so the risk is lower, but it is not zero. 
Nevertheless, the weak group has to go. weakdh.org recommends moving to a 2048-bit group, but the JDK 6 JSSE that Adempiere 370 runs on has no configuration for the size of the ephemeral Diffie-Hellman group (a setting that arrived only with JDK 8), so the practical fix is to remove the DHE suites from the connector altogether and let clients negotiate an ECDHE or RSA key exchange instead. This is an availability problem as much as a confidentiality one: the most recent releases of the popular browsers reject DHE handshakes whose group is shorter than 1024 bits, so until the server is changed its users get a Secure Connection Failed error (see also our post about how to temporarily work around the error on the browser side).<\/p>\n<h2>JSSE Configuration<\/h2>\n<p>If you run your own Adempiere 370 server, do the following. Open the file serverTemplate.xml in @ADEMPIERE_HOME@\\jboss\\server\\adempiere\\deploy\\jboss-web.deployer. Find the Connector that defines the SSL HTTP\/1.1 connector and add a <span style=\"text-decoration: underline;\">ciphers<\/span> attribute as shown below. Once a ciphers attribute is present the connector enables only the suites it names, so every DHE and DHE_EXPORT suite the JVM would otherwise offer is switched off.<\/p>\n<p><code>&lt;!-- Define a SSL HTTP\/1.1 Connector on port 8443<br \/>\nThis connector uses the JSSE configuration, when using APR, the<br \/>\nconnector should be using the OpenSSL style configuration<br \/>\ndescribed in the APR documentation --&gt;<br \/>\n&lt;Connector port=\"@ADEMPIERE_SSL_PORT@\" address=\"${jboss.bind.address}\" protocol=\"HTTP\/1.1\" SSLEnabled=\"true\"<br \/>\nmaxThreads=\"150\" scheme=\"https\" secure=\"true\"<br \/>\nclientAuth=\"false\"<br \/>\nkeystoreFile=\"@ADEMPIERE_KEYSTORE@\"<br \/>\nkeystorePass=\"@ADEMPIERE_KEYSTOREPASS@\"<br \/>\nsslProtocol=\"TLS\"<br \/>\nciphers=\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,<br \/>\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,<br \/>\nTLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,<br \/>\nTLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA\"<br \/>\n\/&gt;<\/code><\/p>\n<p>Two caveats. The @ADEMPIERE_SSL_PORT@ and @ADEMPIERE_KEYSTORE@ placeholders are filled in by the Adempiere setup (RUN_setup), which writes the deployed server.xml from this template, so re-run it and restart the server for the change to take effect. And the two RC4 entries, TLS_ECDHE_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_SHA, should not stay: RFC 7465 (February 2015) prohibits RC4 in TLS, so drop them unless a client you must support offers nothing else.<\/p>\n<h2>Choosing a cipher suite<\/h2>\n<p>A <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cipher_suite\">cipher suite<\/a> is really several algorithms named in one string: the key exchange, the signature algorithm that authenticates it, the bulk encryption cipher, and the MAC or hash that also drives the handshake PRF. 
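Since the fix turns on which key exchange the connector will negotiate, it is worth checking the result from the outside rather than trusting the configuration file. The probe below is an added example written for this post, not code from Adempiere or from the original article. It sends a TLS 1.0 ClientHello that offers only DHE suites, including the two DHE_EXPORT suites Logjam abuses, and reports what comes back: a handshake_failure alert means the server no longer does finite-field Diffie-Hellman at all, while a ServerKeyExchange reveals the suite chosen and the bit length of the group. The host name and port 8443 in the usage are assumptions, and the two sample server replies built inside the script are constructed for offline use, not captures from a real server.

```python
"""DHE probe for a TLS connector. Added example for this post, not Adempiere code.

Offers a server only DHE suites (including the DHE_EXPORT ones Logjam abuses) in a
TLS 1.0 ClientHello. A server that still does finite-field Diffie-Hellman answers
with a ServerKeyExchange carrying p; a hardened connector answers with an alert.
"""
import os
import socket
import struct

# IANA cipher suite IDs with their standard names.
DHE_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",  # export grade: Logjam target
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",  # export grade: Logjam target
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15                # TLS record content types
SERVER_HELLO, SERVER_KEY_EXCHANGE = 2, 12    # handshake message types
TLS10 = b"\x03\x01"


def build_client_hello(suites=tuple(DHE_SUITES)):
    """TLS 1.0 ClientHello record that offers only the given suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS10 + os.urandom(32) + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(handshake)) + handshake


def _split(data, header_len, len_start, len_len):
    """Split back-to-back [type ... length ... payload] items into (type, payload)."""
    items, pos = [], 0
    while pos + header_len <= len(data):
        length = int.from_bytes(data[pos + len_start:pos + len_start + len_len], "big")
        items.append((data[pos], data[pos + header_len:pos + header_len + length]))
        pos += header_len + length
    return items


def parse_records(data):        # record header: type(1) version(2) length(2)
    return _split(data, 5, 3, 2)


def parse_handshakes(payload):  # handshake header: type(1) length(3)
    return _split(payload, 4, 1, 3)


def analyse_response(data):
    """Classify the server's reply to the DHE-only ClientHello."""
    result = {"dhe_offered": False, "suite": None, "dh_bits": None}
    records = parse_records(data)
    if any(t == ALERT for t, _ in records):
        return result                        # handshake_failure: no DHE suite in common
    handshake = b"".join(p for t, p in records if t == HANDSHAKE)
    for mtype, body in parse_handshakes(handshake):
        if mtype == SERVER_HELLO:            # version(2) random(32) sid_len(1) sid suite(2)
            sid_len = body[34]
            result["suite"] = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
            result["dhe_offered"] = True
        elif mtype == SERVER_KEY_EXCHANGE:   # p, g, Ys, each 2-byte length-prefixed
            p_len = struct.unpack("!H", body[:2])[0]
            result["dh_bits"] = int.from_bytes(body[2:2 + p_len], "big").bit_length()
    return result


def probe(host, port=8443, timeout=5.0):
    """Send the probe to a live connector (host and port are assumptions)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(data) < 16384 and (chunk := sock.recv(4096)):
                data += chunk
        except socket.timeout:               # server sent its flight and now waits for us
            pass
    return analyse_response(data)


def sample_weak_response(prime_bits=1024):
    """Constructed reply of a server that still offers DHE: ServerHello picking 0x0033
    plus a ServerKeyExchange whose p is a placeholder of the given size, not a real group."""
    p_bytes = ((1 << (prime_bits - 1)) | 1).to_bytes(prime_bits // 8, "big")
    hello = TLS10 + b"\x00" * 32 + b"\x00" + struct.pack("!H", 0x0033) + b"\x00"
    ske = struct.pack("!H", len(p_bytes)) + p_bytes + b"\x00\x01\x02" + b"\x00\x01\x01"
    payload = (b"\x02" + len(hello).to_bytes(3, "big") + hello
               + b"\x0c" + len(ske).to_bytes(3, "big") + ske)
    return bytes([HANDSHAKE]) + TLS10 + struct.pack("!H", len(payload)) + payload


# Constructed reply of a hardened connector: fatal (2) handshake_failure (40) alert.
SAMPLE_HARDENED_RESPONSE = bytes([ALERT]) + TLS10 + b"\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    print("weak sample:    ", analyse_response(sample_weak_response()))
    print("hardened sample:", analyse_response(SAMPLE_HARDENED_RESPONSE))
    if len(sys.argv) > 1:                    # e.g. python probe_dhe.py erp.example.com
        print(sys.argv[1], probe(sys.argv[1]))
```

With no argument the script only evaluates its two constructed samples; python probe_dhe.py erp.example.com (assumed file name and host) runs the probe against a live connector. A reply that picks a DHE suite with a short group, such as 768 or 1024 bits, is exactly what the browser errors above are about; once the ciphers attribute is in place the answer should be the alert.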
For Logjam the component that matters is the key exchange. The list above keeps suites whose key exchange is ECDHE (ephemeral elliptic-curve Diffie-Hellman, which gives forward secrecy) or static RSA, and leaves out every DHE suite, so the server can no longer be steered into a finite-field Diffie-Hellman exchange, weak group or not.<\/p>\n<p>The JSSE list of cipher suite names is <a href=\"http:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/security\/StandardNames.html#ciphersuites\">here<\/a>, and there is an extensive <a href=\"http:\/\/sim.ivi.co\/search\/label\/Cipher%20Suite\">comparison list<\/a>. Many suites are available, and the list changed substantially between JDK 1.6 and JDK 1.7.<\/p>\n<p>In 1.6, the default list is <a href=\"http:\/\/op-co.de\/blog\/posts\/android_ssl_downgrade\/\">out of order<\/a>: some of the weaker suites are preferred over stronger ones. 1.6 also has no support for the Elliptic Curve (ECC) suites, which are what provide forward secrecy once DHE is gone. In 1.7, the default cipher list is reportedly <a href=\"http:\/\/sim.ivi.co\/2011\/07\/jsse-oracle-provider-preference-of-tls.html\">pretty good<\/a>. Unfortunately Adempiere 370 still runs on 1.6, and that has a consequence for the list above: the TLS_ECDHE_* entries (and the TLS 1.2 SHA256\/SHA384 variants) are accepted in the configuration but are not available in the JVM, so the connector silently skips them and in practice negotiates only the TLS_RSA_* suites it does know. That closes the Logjam hole but gives no forward secrecy; the ECDHE entries only start to matter once the server runs on a JDK with EC support.<\/p>\n<h2>Choosing a browser<\/h2>\n<p>Make sure you have the most recent version of your browser installed, and check for updates frequently. Google Chrome (including the Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack.<\/p>\n<h2>Reference<\/h2>\n<p><a href=\"https:\/\/weakdh.org\/sysadmin.html\">Guide to Deploying Diffie-Hellman for TLS<\/a><br \/>\n<a href=\"https:\/\/blog.eveoh.nl\/2014\/02\/tls-ssl-ciphers-pfs-tomcat\/\">SSL\/TLS, ciphers, perfect forward secrecy and Tomcat<\/a><br \/>\n<a href=\"https:\/\/tersesystems.com\/2014\/01\/13\/fixing-the-most-dangerous-code-in-the-world\/\">Fixing the Most Dangerous Code in the World<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. 
It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically: The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,10],"tags":[],"class_list":["post-182","post","type-post","status-publish","format-standard","hentry","category-open-source-erp","category-security-2"],"_links":{"self":[{"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/posts\/182"}],"collection":[{"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/comments?post=182"}],"version-history":[{"count":10,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/posts\/182\/revisions"}],"predecessor-version":[{"id":193,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/posts\/182\/revisions\/193"}],"wp:attachment":[{"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/media?parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/categories?post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.goodwill.co.id\/blog\/wp-json\/wp\/v2\/tags?post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}