SSL received a weak ephemeral Diffie-Hellman key reported by Chrome and Firefox

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When accessing Fisheye/Crucible, you'll see the following message in the browser and will not be able to access the site:

An error occurred during a connection to fisheye.server.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Cause

Recent updates to Chrome and Firefox prevent access to websites that use the vulnerable Diffie-Hellman public key cipher.

Workaround

Use a different browser such as IE or Edge.

Resolution

Follow our Configuring SSL cipher suites for Jetty guide to disable these weak ciphers. If you are using Fisheye/Crucible 3.5 or earlier, use these instructions to configure the below ciphers in jetty-web.xml.

  1. Shut down Fisheye.

  2. Open the config.xml file in your Fisheye instance directory (the data directory that the FISHEYE_INST system environment variable points to).

  3. Find the <ssl> element under the <web-server> element in the file, and add <includeCipherSuites>, <includeProtocols>, <excludeCipherSuites>, and <excludeProtocols>. For example:

    config.xml

    <config version="1.0">
      <web-server context="/foo">
        <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="" truststore="/etc/dev/keystore" truststore-password="">
          <includeProtocols>
            <protocol>TLSv1</protocol>
            <protocol>TLSv1.1</protocol>
            <protocol>TLSv1.2</protocol>
          </includeProtocols>
          <includeCipherSuites>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</cipherSuite>
            <cipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_GCM_SHA384</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_WITH_AES_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_SRP_SHA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</cipherSuite>
          </includeCipherSuites>
          <excludeProtocols>
            <protocol>SSLv3</protocol>
          </excludeProtocols>
          <excludeCipherSuites>
            <cipherSuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
            <cipherSuite>SSL_DHE_DSS_WITH_DES_CBC_SHA</cipherSuite>
            <cipherSuite>EXP-RC4-MD5</cipherSuite>
            <cipherSuite>EDH-RSA-DES-CBC-SHA</cipherSuite>
            <cipherSuite>EXP-EDH-RSA-DESCBC-SHA</cipherSuite>
            <cipherSuite>DES-CBC-SHA</cipherSuite>
            <cipherSuite>EXP-DES-CBC-SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
            <cipherSuite>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</cipherSuite>
          </excludeCipherSuites>
        </ssl>
      </web-server>
    </config>

  4. Restart Fisheye.
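
As an added example (not Atlassian's code), the Python script below audits the <ssl> block of an edited config.xml: it lists the suites that stay enabled once the exclude list is applied and flags any finite-field DHE suites still on offer. It assumes an excluded name overrides the same name in the include list, as in Jetty's cipher-suite handling; the function names and the shortened sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened version of the <ssl> block shown above.
SAMPLE_CONFIG = """\
<config version="1.0">
  <web-server context="/foo">
    <ssl bind=":443" keystore="/etc/dev/keystore" keystore-password="">
      <includeCipherSuites>
        <cipherSuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
        <cipherSuite>TLS_RSA_WITH_AES_128_GCM_SHA256</cipherSuite>
      </includeCipherSuites>
      <excludeCipherSuites>
        <cipherSuite>SSL_DHE_RSA_WITH_DES_CBC_SHA</cipherSuite>
        <cipherSuite>EXP-RC4-MD5</cipherSuite>
        <cipherSuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</cipherSuite>
      </excludeCipherSuites>
    </ssl>
  </web-server>
</config>
"""

def _suites(ssl, tag):
    """Return the trimmed <cipherSuite> values under <tag>, in file order."""
    return [(c.text or "").strip() for c in ssl.findall(f"{tag}/cipherSuite")]

def audit_ssl_config(xml_text):
    """Summarise which configured suites stay enabled and which still use DHE."""
    ssl = ET.fromstring(xml_text).find("web-server/ssl")
    if ssl is None:
        raise ValueError("no <ssl> element under <web-server>")
    included = _suites(ssl, "includeCipherSuites")
    excluded = _suites(ssl, "excludeCipherSuites")
    # Assumption: an excluded name overrides the same name in the include list.
    effective = [s for s in included if s not in excluded]
    return {
        "effective": effective,
        # Finite-field ephemeral DH: the key exchange named in the browser error.
        "dhe_still_enabled": [s for s in effective if "_DHE_" in s],
        "listed_in_both": [s for s in included if s in excluded],
        # Excluded names that do not follow the TLS_*/SSL_* style of the include list.
        "other_name_style": [s for s in excluded if not s.startswith(("TLS_", "SSL_"))],
    }

if __name__ == "__main__":
    for key, value in audit_ssl_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

To check a real instance, pass the contents of the config.xml in the FISHEYE_INST directory to `audit_ssl_config`; a non-empty `dhe_still_enabled` list means DHE suites remain available to browsers after the restart.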

Updated on April 15, 2025
