Fix: Server has a Weak ephemeral Diffie-Hellman public key

Users experience the error message ‘Sever has a weak ephemeral Diffie-Hellman public key’ when they try to access a website from their computer but the security protocols are not set correctly. This error message doesn’t mean anything is wrong with the user’s end. This problem originates from the server side where the security configurations are not properly. There are still a few workarounds to access the website but the issue has to be fixed properly by the webmaster.

Diffie-Hellman key exchange (DH) is a method of exchanging cryptographic keys over a public channel. DH is one of the easiest practical examples of public key exchange implemented in the field of cryptography. Server and client machines exchange information every now and then with the secure information in cryptographic keys. If DH is used for the transfer and the DH key is weak, the browser will refuse to establish a connection to protect your privacy.

What causes ‘Server has a weak ephemeral Diffie-Hellman public key’ error?

Like mentioned before, this error message implies that there is some problem along the server side; not at your end. The configuration is not set correctly which causes the SSL3 security protocol to fail and hence restrict you from accessing the website.

The most you can do is disable the SSL3 from your browser and access the website. Do note that you might be able to access it but the security of the connection will not be guaranteed. For server-side webmasters, you need to configure your site correctly so users can connect to it properly.

Solution 1: Disabling SSL3 (client side)

Before we give some insight regarding how to fix the error at the server side, we will cover how the client (you the user) can bypass this error message and still access the website. SSL3 (Secure Sockets Layer) is a security standard for establishing an encrypted link between your browser and the server. We can disable SSL3 on your browser and see if this fixes the problem.

Here we are demonstrating how to disable SSL3 on Firefox. You can replicate the steps on your browser.

1. Open up Firefox and type the following in the address bar “about:config”. Once in the configurations, search for security from the search bar.

2. Now all the configurations regarding security will be listed. Search for the following entries:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

Right-click on each of them and click Toggle. If the value is true, it will be false.

3. After making changes, restart Firefox and try accessing the website again. Check if the issue is solved.

For Google Chrome, you execute the following commands in the command line and workaround the issue.

1. Press Windows + S, type “command prompt” in the dialogue box, right-click on the application and select Run as administrator.
2. Once in elevated command prompt, execute the following commands:

open /Applications/Google\ Chrome.app --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

3. Now try accessing the website and check if the error message is bypassed.

Solution 2: Setting a proper DH public key (server side)

If you are the webmaster, you would obviously know that you are using Diffie-Hellman key exchange on your server/website. It is proposed that you set the key longer than 1024 (bits). The longer the key is, the more secure the connection is between the server/website and the browser.

If you are a user who is experiencing the error when accessing the admin page of some networking hardware, make sure that it is updated to the latest build. There was even an official release of software by Netgear where it updated just to counter the very bug.