Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1549096 - FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY error
Summary: FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMER...
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
: 1548016 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2018-02-26 11:50 UTC by Vít Ondruch
Modified: 2018-02-26 15:58 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-02-26 15:58:57 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1534532 0 unspecified CLOSED Strong crypto settings 2022-05-16 11:32:56 UTC

Internal Links: 1534532

Description Vít Ondruch 2018-02-26 11:50:48 UTC
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Vít Ondruch 2018-02-26 11:56:18 UTC
Sorry, somehow hit enter too early :/

Nevertheless, this is a bit blind shot, since I really don't know what might be the root cause of my issues. But since I updated my Rawhide last week, I have issues connecting to some sites using FF due to errors like:

An error occurred during a connection to ****.com. Při komunikaci protokolem SSL byl v inicializační zprávě typu Server Key Exchange obdržen slabý klíč typu Diffie-Hellman. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

I have similar issues connecting my TB to the mail server [1]. I have not updated neither FF nor TB, so it must be something else. Any idea what it could be? I can provide you list of updated libraries if that helps.

$ rpm -q ca-certificates 


Comment 2 Vít Ondruch 2018-02-26 11:58:50 UTC
Actually, this might be crypto-policies, which were updated as well:

$ rpm -q crypto-policies

Comment 3 Nikos Mavrogiannopoulos 2018-02-26 15:23:35 UTC

Comment 4 Nikos Mavrogiannopoulos 2018-02-26 15:25:00 UTC
Thank you for reporting that. Could you please move that issue to the tracking bug of the change? We are already aware of the fact that some internal (usually) sites fail to work with the new rule, but it is good to have it explicit.


Comment 5 Vít Ondruch 2018-02-26 15:29:25 UTC
(In reply to Nikos Mavrogiannopoulos from comment #4)
> Could you please move that issue to the
> tracking bug of the change?

Sorry, I am not sure what do you mean by this. Should I comment there and close this one or should I just block the tracking bug by this one?

Comment 6 Vít Ondruch 2018-02-26 15:31:03 UTC
BTW if you can send a short note to fedora-devel that this change landed and it might cause some issues, it could save some time to Rawhide users.

Also, for FF and TB, there is workaround. In about:config change every "dhe" option to "False", although it works for some sites but breaks others.

Comment 7 Vít Ondruch 2018-02-26 15:34:41 UTC
*** Bug 1548016 has been marked as a duplicate of this bug. ***

Comment 8 Nikos Mavrogiannopoulos 2018-02-26 15:39:28 UTC
Yes, please close that one and report the issue (+the sites affected) in #1534532. I've just sent a fedora-devel update on that.

Comment 9 Vít Ondruch 2018-02-26 15:58:57 UTC
Closing this in favor of bug 1534532

Note You need to log in before you can comment on or make changes to this bug.