vRO ERR_SSL_WEAK_EPHEMERAL_DH_KEY error

I’m currently working on a project for VMware Professional Services in Schiphol-Rijk, The Netherlands, along with Marco van Baggum. While testing the deployment of vRO, my colleague and I noticed that we were getting errors when using certain browsers.

[Image: vRO-DH-Error01]

This error hadn’t occurred previously and nothing had changed with the SSL certificates. After a bit of head scratching I noticed that Chrome had recently updated to Version 45 (also disabling Java!) and was now blocking access to sites with weak ephemeral Diffie-Hellman keys. This is also the case for Firefox v40 and above but I’ve not come across the issue with Internet Explorer 11.

After some research I found a VMware KB article, which pointed me in the right direction.

vRO 6.x has the following keys enabled by default:

This includes the weak ephemeral Diffie-Hellman keys:

SSH to the vRO appliance, and edit the file /etc/vco/app-server/server.xml

Search for the line:

Remove the weak ciphers so the line is now:

Repeat the above for the file /var/lib/vco/configuration/conf/server.xml

Save the files and reboot the appliance.

When you access the vRO URL you should now see the following:

[Image: vRO-DH-Error02]
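A quick way to confirm that no ephemeral Diffie-Hellman suites remain in either server.xml after the edit. This is an added example, not code from the original post or the VMware KB; it assumes the cipher list is the `ciphers` attribute of a Tomcat-style `Connector` element, and the sample XML, port and function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not the appliance's real file: a Tomcat-style
# Connector whose "ciphers" attribute mixes DHE and non-DHE suites.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8281" SSLEnabled="true" scheme="https"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
               TLS_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"/>
  </Service>
</Server>"""


def is_ephemeral_dh(suite):
    """True for finite-field DHE suites (TLS_DHE_* / SSL_DHE_*), not ECDHE."""
    return "_DHE_" in suite.upper()


def audit_connectors(xml_text):
    """Return one finding per Connector that sets an explicit cipher list."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        raw = conn.get("ciphers")
        if raw is None:
            continue  # no explicit list here: the JVM defaults apply instead
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        findings.append({
            "port": conn.get("port"),
            # suites the browsers in this post reject when the DH key is weak
            "weak": [s for s in suites if is_ephemeral_dh(s)],
            # the value the attribute should hold once the DHE suites are removed
            "ciphers": ",".join(s for s in suites if not is_ephemeral_dh(s)),
        })
    return findings


if __name__ == "__main__":
    # Pass the two server.xml paths as arguments; with none, audit the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_SERVER_XML]
    for text in texts:
        for f in audit_connectors(text):
            state = "DHE suites still present" if f["weak"] else "clean"
            print(f"Connector port {f['port']}: {state}")
            for suite in f["weak"]:
                print(f"  remove: {suite}")
```

Run it against both /etc/vco/app-server/server.xml and /var/lib/vco/configuration/conf/server.xml; it only reads the files and never rewrites them.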