404 Tech Support

ServiceDesk Plus: Weak Diffie-Hellman Key with Firefox or Website Security Issue with Safari

Beginning in early July with Firefox 39’s release, the Help Desk software ServiceDesk Plus would not load. It cited a security issue with SSL using a weak ephemeral Diffie-Hellman key. “Secure connection failed”

More recently Safari on OS X 10.10 and 10.11 has been causing a similar issue with the error message:

“Website Security Issue
Safari will not open this website because site.com is using weak encryption”

Upon discovering the issue with Firefox 39, I reported the problem to ManageEngine, the company behind ServiceDesk Plus. I was told it was a known issue with bug code SD-57847 and that it would be resolved when the Java Runtime Environment bundled with SDP was updated to version 1.7 with a future service pack. 5 weeks later with no resolution and the problem becoming increasingly prevalent with Safari now being affected, I looked into the problem some more.

Searching for the bug number SD-57847, I found a thread on the ManageEngine support forums complaining about the same issue. In the thread, the answer was to mostly wait for a future service pack. Fortunately, another commenter provided a link to SDP documentation on the General Module FAQ. One of the points explains how to avoid using weak ciphers.

With a quick update to the Tomcat configuration, you can implement the change and resolve this issue. By updating servers.xml  in <ServiceDesk_Home>serverdefaultdeployjbossweb-tomcat50.sar, you can add a value to the XML file to specify which ciphers to use. You want to add

ciphers=”TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA”

to the Connector tag. The end results should look something like the following code segment.

<Connector URIEncoding="UTF-8" address="${jboss.bind.address}" clientAuth="false" compressableMimeType="text/css,text/javascript,application/javascript,text/plain,text/html" compression="on" compressionMinSize="2048" keystoreFile="${jboss.server.home.dir}/conf/sdp.keystore" keystorePass="12345678" maxPostSize="-1" maxSpareThreads="15" maxThreads="100" minSpareThreads="5" noCompressionUserAgents="gozilla, traviata" port="443" scheme="https" secure="true" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>

Given the location of the file, you will edit servers.xml with Notepad or Notepad++ and either have to save to a different location and copy the replacement or run the text editor as an administrator before opening the file.

Once the file has been updated, you can stop and restart the service. Once ServiceDesk Plus comes back up, you should now be able to access the site without security warnings from Firefox or Safari browsers.