Article ID: KB0092754
Description
Recent releases of Chrome and Firefox have introduced a security policy that drops support for DSA. As a result, TEA cannot be accessed with these browsers. This happens only when the TEA server is configured for SSL with a keypair that uses a weak signature algorithm (e.g. DSA).
Symptoms: TEA cannot be accessed over SSL using the latest browsers, Chrome (43.0.2357.130) and Firefox (38.0.5).
Cause: the latest browsers reject a keypair that uses a weak signature algorithm. Example: if you used keytool to generate the keypair, it uses DSA as the key algorithm (-keyalg) by default:
keytool.exe -genkeypair -keystore \tea\ssl\keystore.jks -storepass changeit -keypass 123456 -alias tea_ssl
======================
By default, -keyalg is "DSA" (when using -genkeypair)
======================
Resolution
Generate the keypair with a strong signature algorithm such as RSA and a key size of 2048:
keytool.exe -genkeypair -keyalg RSA -keysize 2048 -keystore \tea\ssl\keystore.jks -storepass changeit -alias tea_ssl
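After regenerating the keystore it is worth confirming what is actually in it before restarting TEA. The script below is an added example, not part of this KB article or of the TEA product: it parses the text that `keytool -list -v -keystore <keystore> -storepass <password>` prints and flags entries that current browsers reject (DSA keypairs, RSA keys shorter than 2048 bits, SHA-1/MD5 certificate signatures). The embedded listing is a constructed sample with placeholder aliases, dates and fingerprints; the alias names and the fallback for older keytool output that omits the "Subject Public Key Algorithm" line are assumptions.

```python
"""Audit `keytool -list -v` output for keypairs that current browsers reject.

Added example (not from the KB article). Typical use:
    keytool -list -v -keystore \\tea\\ssl\\keystore.jks -storepass changeit > listing.txt
    python audit_keystore.py < listing.txt
"""
import re
import sys

# Constructed sample in the shape keytool prints: one DSA entry (the keytool
# default) and one 2048-bit RSA entry. Aliases, dates, serials and
# fingerprints are placeholders, not values from any real keystore.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tea_ssl
Creation date: Jun 15, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tea.example.test, OU=TEA, O=Example
Issuer: CN=tea.example.test, OU=TEA, O=Example
Serial number: 1a2b3c4d
Valid from: Mon Jun 15 10:00:00 UTC 2015 until: Sun Sep 13 10:00:00 UTC 2015
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
Signature algorithm name: SHA1withDSA
Subject Public Key Algorithm: 1024-bit DSA key
Version: 3

*******************************************
*******************************************

Alias name: tea_ssl_rsa
Creation date: Jun 16, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tea.example.test, OU=TEA, O=Example
Issuer: CN=tea.example.test, OU=TEA, O=Example
Serial number: 5e6f7a8b
Valid from: Tue Jun 16 10:00:00 UTC 2015 until: Mon Sep 14 10:00:00 UTC 2015
Certificate fingerprints:
\t SHA1: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

MIN_RSA_BITS = 2048


def parse_entries(listing):
    """Split a keytool listing into one dict per alias with the fields we need."""
    entries = []
    for block in re.split(r"\n(?=Alias name: )", listing):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if not alias:
            continue  # keystore header, no entry here
        entry = {"alias": alias.group(1).strip(), "sigalg": None, "keyalg": None, "bits": None}
        sig = re.search(r"^Signature algorithm name: (\S+)", block, re.M)
        if sig:
            entry["sigalg"] = sig.group(1)
        key = re.search(r"^Subject Public Key Algorithm: (\d+)-bit (\w+) key", block, re.M)
        if key:
            entry["bits"] = int(key.group(1))
            entry["keyalg"] = key.group(2)
        elif sig:
            # Assumption: older keytool builds omit the public-key line, so derive
            # the key algorithm from the signature suffix (SHA1withDSA -> DSA).
            entry["keyalg"] = sig.group(1).split("with")[-1]
        entries.append(entry)
    return entries


def audit_entry(entry):
    """Return the findings for one entry; an empty list means it is acceptable."""
    findings = []
    if entry["keyalg"] == "DSA":
        findings.append("DSA keypair: rejected by current Chrome/Firefox; "
                        "regenerate with -keyalg RSA -keysize 2048")
    elif entry["keyalg"] == "RSA" and entry["bits"] is not None and entry["bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is only {entry['bits']} bits; use -keysize {MIN_RSA_BITS} or larger")
    if entry["sigalg"] and entry["sigalg"].upper().startswith(("SHA1", "MD5")):
        findings.append(f"certificate signed with {entry['sigalg']}; prefer a SHA-256 signature")
    return findings


def audit_keytool_listing(listing):
    """Map each alias in the listing to its list of findings."""
    return {e["alias"]: audit_entry(e) for e in parse_entries(listing)}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for alias, findings in audit_keytool_listing(text).items():
        print(f"{alias}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run with no input to audit the embedded sample; the DSA alias is reported as WEAK with two findings and the 2048-bit RSA alias as OK. Pipe in a real `keytool -list -v` listing to check the TEA keystore you just regenerated.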
TLS cipher suites that use ephemeral Diffie-Hellman (the ones named _EDH_ or _DHE_) on Java 7u80 or earlier are weak and are rejected by Firefox. This affects RSA-authenticated cipher suites as well. We recommend running the TEA server with JDK 1.7.0.85 or JDK 1.8.0.x.
Workarounds are: install EC support so that ECDHE cipher suites are used; upgrade Java; or exclude the weak DHE ciphers.
Issue/Introduction
TEA cannot be accessed with the latest browsers, Chrome (43.0.2357.130) and Firefox (38.0.5), when using SSL.