Subsonic Forum

[rts1066]

I'm using Subsonic 5.2

Code: Select all

[root@server ~]# rpm -q subsonic
subsonic-5.2.1-4428.i386


On CentOS 6.3 and I'm trying to work around the:

Code: Select all

Server has a weak, ephemeral Diffie-Hellman public key

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


Generated by Chrome. I've already replaced the SSL certificate I am using with an RSA key using 2048 and as confirmed when I connect using OpenSSL

Code: Select all

[richard@jdtop cert]$ openssl s_client -connect 192.168.2.100:4043
CONNECTED(00000003)
depth=0 C = GB, ST = ENG, L = WIG, O = Default Company Ltd, OU = 192.168.2.100, CN = 192.168.2.100, emailAddress = a@a.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB, ST = ENG, L = WIG, O = Default Company Ltd, OU = 192.168.2.100, CN = 192.168.2.100, emailAddress = a@a.com
verify return:1
---
Certificate chain
0 s:/C=GB/ST=ENG/L=WIG/O=Default Company Ltd/OU=192.168.2.100/CN=192.168.2.100/emailAddress=a@a.com
   i:/C=GB/ST=ENG/L=WIG/O=Default Company Ltd/OU=192.168.2.100/CN=192.168.2.100/emailAddress=a@a.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDnjCCAoYCCQDZtZWrziOmvDANBgkqhkiG9w0BAQUFADCBjzELMAkGA1UEBhMC
R0IxDDAKBgNVBAgMA0VORzEMMAoGA1UEBwwDV0lHMRwwGgYDVQQKDBNEZWZhdWx0
IENvbXBhbnkgTHRkMRYwFAYDVQQLDA0xOTIuMTY4LjIuMTAwMRYwFAYDVQQDDA0x
OTIuMTY4LjIuMTAwMRYwFAYJKoZIhvcNAQkBFgdhQGEuY29tMCAXDTE1MTEwNDE5
NDIxMVoYDzIwNjUxMDIyMTk0MjExWjCBjzELMAkGA1UEBhMCR0IxDDAKBgNVBAgM
A0VORzEMMAoGA1UEBwwDV0lHMRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRk
MRYwFAYDVQQLDA0xOTIuMTY4LjIuMTAwMRYwFAYDVQQDDA0xOTIuMTY4LjIuMTAw
MRYwFAYJKoZIhvcNAQkBFgdhQGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAskOsg35uXd4keujqAV7+7+skHK7qig8yN5cQYQwQ/7dVaah5PwWx
vlmOYF7Zb+oPOmFFWtgEUbDkizvPU7a3lklXurIxUQRl9pjTDAqIGHFTzXE3NBp7
b8Yw82uqA8Doc00q9H4+A7C5JNtkJluYhPxGdV+55WpYckTLQ0X5myLEj7O7Br3y
qMuB2LYcIYPOJ6J1VFTsWhG6kiJ4OwMXodR32AqB4oceaTCeP2feFlnrK43m0J+T
Mi3BQdkrx048A+P0ZeJE1AM1XZwHsRVGqzpKxpnuDdR2/HjriAmN4DqhMHXwlUno
0yNgnmokYUWbcw8zLL3hXOY7i54fP4tLbwIDAQABMA0GCSqGSIb3DQEBBQUAA4IB
AQBz8qjaLdv33dLlbWY52EBU+tvD/xvrZeZQM8HJCf0/ICnnCCoM7XvKmdrafSMT
WNRYF13OE2dHZZIMEgjUyxzndqTzKSk3MtisrzT4/1P/GkEldbhoaYwyZ/MdC8ur
b+wMPfXQlu8Z5V5o37jveI2XjF+GgJprU874g/CpSWIc9tR/wFBmOeqWUXxaKQOP
lb6uw67ZUGti8u86ChqWuQ/QtsT+UoaYV9iTu6+NFrjYBmlADGvZFhQXcXUQlycE
a6/nB65FSz4aN+zGARDkRslsdt/xyzpldDzv1NW9UBvJODN9bnVdLAZC/RctfYiq
GZEKCU2Dl7xBuXiDBeQ0a3ho
-----END CERTIFICATE-----
subject=/C=GB/ST=ENG/L=WIG/O=Default Company Ltd/OU=192.168.2.100/CN=192.168.2.100/emailAddress=a@a.com
issuer=/C=GB/ST=ENG/L=WIG/O=Default Company Ltd/OU=192.168.2.100/CN=192.168.2.100/emailAddress=a@a.com
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1645 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 563A6ADAF2459AE7C9ACB59767B205E993E69D401C9273389EF4BF3D1EF8DD14
    Session-ID-ctx:
    Master-Key: 4827396B9040C431B7193C3F97F2E1FA20DCEBB8A603DC74F57EAD2FCF4EA6AF22B8261641E4160067CB7EFC5FFD055E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1446669018
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)



How do I increase the 'Server Temp Key' of the certificate/server configuration to 1024?

I used the following to generate my certificate (and create pkcs12)

Code: Select all

openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr
openssl x509 -req -days 18250 -in rui.csr -signkey rui.key -out rui.crt
cat  rui.* > subsonic-new.crt
openssl pkcs12 -in subsonic-new.crt -export -out subsonic.pkcs12


[frnx]

Diffie-Hellman parameters are not related to a key/certificate pair but rather to the configuration of the web server. I have never done it, so I'm not aware of any way to update it (I think the server module is called Jetty?) inside a Subsonic release.

This may not be a solution for you, but I'm personally having Nginx provide SSL to Subsonic as well as other web services on my server. This has the huge advantage that I only have to do the configuration once. In my case, DH parameters live in /etc/nginx/dhparams.pem, and you can regenerate others using :

Code: Select all

openssl dhparam -out dhparam.pem 4096

[rts1066]

Thanks, I've found the same through some testing (that it's a server parameter). The only alternative seems to be, as you suggest, to essentially wrap subsonic with a mainstream, configurable webserver like nginx.

I was hoping to avoid this.