Burp Suite User Forum


Burp Suite generates "weak ephemeral Diffie-Hellman key" error with Firefox Developer Edition

Alan | Last updated: May 28, 2015 07:08PM UTC

I've been using Burp Suite with Firefox Developer Edition, but as of today, I cannot make HTTPS connections when using Burp Suite as a proxy. I now get the following error message:

An error occurred during a connection to www.yahoo.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Unfortunately, this error does not appear to be overridable (i.e. there is no option to ignore the error and proceed). I tried to gather more information by sniffing my localhost interface using Wireshark. In the Server Hello, I see that Burp Suite is sending the following Diffie-Hellman params:

p Length: 96
g Length: 96
pubkey Length: 96
Signature Length: 128

For TLS connections that do not throw the 'weak key' error, I see that the p Length is set to 128. I believe this change to reject connections with smaller p Length values was made to Firefox in response to the recent Logjam attack on TLS (https://weakdh.org/). I looked at the SSL options in Burp Suite (Options -> SSL) but these only seem to change the connection between Burp Suite and the upstream server; there don't seem to be any options to change the SSL connection between Burp Suite and the downstream client. Has anyone run into this error? Is there any way to fix it?
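The 96-byte p seen in the capture above is a 768-bit DH group, which Firefox started rejecting after Logjam (the 128-byte p on working connections is 1024 bits). The script below is an added example, not Burp's or Firefox's code: it parses the ServerDHParams structure of a DHE ServerKeyExchange (RFC 5246 section 7.4.3, each of p, g and Ys prefixed by a 2-byte length) and flags primes shorter than the 1024-bit threshold. The two sample records are constructed, not real handshakes.

```python
"""Parse TLS ServerDHParams from a ServerKeyExchange body and flag short primes."""
import struct

# Firefox 39 refused ephemeral DH groups below this size after Logjam.
MIN_DH_BITS = 1024


def parse_server_dh_params(body: bytes) -> dict:
    """Return p, g, Ys as ints plus the prime size; trailing bytes (signature) are kept."""
    off = 0
    raw = {}
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)  # 2-byte big-endian length
        off += 2
        if off + n > len(body):
            raise ValueError(f"truncated {name} value")
        raw[name] = body[off:off + n]
        off += n
    p = int.from_bytes(raw["p"], "big")
    return {
        "p": p,
        "g": int.from_bytes(raw["g"], "big"),
        "Ys": int.from_bytes(raw["Ys"], "big"),
        "p_len": len(raw["p"]),       # what Wireshark shows as "p Length"
        "p_bits": p.bit_length(),      # actual group size in bits
        "trailer": body[off:],         # DHE_RSA signature, not checked here
    }


def is_weak_dh(body: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """True if the server's DH prime is below the browser's minimum."""
    return parse_server_dh_params(body)["p_bits"] < min_bits


def build_sample(p_len: int, sig_len: int = 128) -> bytes:
    """Constructed sample: a p of p_len bytes with the top bit set (not a real prime)."""
    p = b"\xa5" * p_len              # 0xa5 has bit 7 set, so bit_length == 8 * p_len
    g = b"\x02"
    ys = b"\x7f" * p_len
    sig = b"\x00" * sig_len
    return b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys)) + sig


if __name__ == "__main__":
    for p_len in (96, 128):
        info = parse_server_dh_params(build_sample(p_len))
        print(f"p Length: {info['p_len']} bytes = {info['p_bits']} bits, "
              f"weak={is_weak_dh(build_sample(p_len))}")
```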

PortSwigger Agent | Last updated: Jun 01, 2015 08:58AM UTC

We've tried to reproduce this problem (using the latest nightly build of Firefox Developer Edition, with the latest Burp, running on Windows 7 with Java 8) and we're not seeing the problem. To help us diagnose the problem further:

1. Can you restore defaults in Burp at Options / SSL / SSL Negotiation, restart Burp, and see if that helps?
2. Does this affect every HTTPS server you try to connect to, or only some?
3. What OS / Java version / Burp version are you using?

Burp User | Last updated: Jun 03, 2015 01:33PM UTC

Hi Dafydd,

This was my configuration at the time I was having the problem:

Operating System: OS X Version 10.8.5
Java Version: java version "1.6.0_65"
Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)
Burp version: Burp Suite Professional v.1.6.18

Per your message, I've upgraded my Java version to Java 8:

java version "1.8.0_45"
Java(TM) SE Runtime Environment (build 1.8.0_45-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.45-b02, mixed mode)

After upgrading, I am no longer getting the DHE error. Thank you for your assistance!

PortSwigger Agent | Last updated: Jun 04, 2015 12:38PM UTC

Glad you got things working. If other people experience this same problem, please post the relevant details here, and we will investigate further.

Burp User | Last updated: Jun 10, 2015 10:41AM UTC

I'm also encountering a problem regarding this: an internal site which can't be easily fixed gives me, since the update to 39.0 (beta), an error page with no possibility to continue:

Secure Connection Failed. An error occurred during a connection to os-prod.bnvmobility.nl. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

It would be really handy to make clear to the user that this is insecure, but still give the option to continue.

PortSwigger Agent | Last updated: Jun 11, 2015 10:45AM UTC

Is this problem only affecting this one server, or HTTPS generally? Please can you provide a screenshot of the error message?

Burp User | Last updated: Jul 06, 2015 05:58PM UTC

As a workaround, you can make the following change in about:config:

security.ssl3.dhe_rsa_aes_128_sha=false

PortSwigger Agent | Last updated: Jul 06, 2015 07:24PM UTC

@pjh Does making the following change in about:config help for you?

security.ssl3.dhe_rsa_aes_128_sha=false

Burp User | Last updated: Jul 11, 2015 01:54AM UTC

I am also having this very same problem.

[*] specs
Java version 8 update 45 (build 1.8.0_45-b14)
Mac OSX 10.9.5
Firefox 39
Burpsuite Professional 1.6.21

[*] action
- Browser is configured to proxy through 127.0.0.1:8080 for all protocols
- Burp CA is installed
- Browse to https://www.google.com

[*] error
"An error occurred during a connection to www.google.com. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem."

Burp User | Last updated: Jul 15, 2015 06:31AM UTC

I found the error "Secure Connection Failed" in Mozilla Firefox. Please solve this.

Burp User | Last updated: Aug 10, 2015 02:30AM UTC

I had the same issue. I solved it by following the steps given in http://letusexplain.blogspot.com/2015/08/solved-server-has-weak-ephemeral-diffie.html

Burp User | Last updated: Sep 18, 2015 04:32PM UTC

This also impacts Chrome as well. There is no obvious way to tell Chrome to not use a cipher.

Burp User | Last updated: Oct 06, 2015 09:12AM UTC

security.ssl3.dhe_rsa_aes_128_sha=false helped me solve the problem

Burp User | Last updated: Oct 22, 2015 03:50PM UTC

From what I have researched, it would seem that the root of the problem is really on the server side, using a certificate vulnerable to the Logjam vulnerability; the ideal solution would be for the administrators of the web server to update the certificate to one secure enough. Accessing about:config in Firefox and setting security.ssl3.dhe_rsa_aes_128_sha to false may let you in to the server, but would render you vulnerable to compromised certificates as well.

Burp User | Last updated: Mar 23, 2017 07:12AM UTC

security.ssl3.dhe_rsa_aes_128_sha=false helped me solve the problem

Burp User | Last updated: Dec 19, 2017 10:16AM UTC

Hi all, my 2 cents: I'm using Firefox 57.0.1; the issue is "resolved" when I disable the ssl3.dhe... parameter in about:config. However, the error is always thrown (also if I enter https://NONexistingdssqsdqsdhjkhj) -> thus the real fix should be applied in the certificate used by Burp? kr
