How to fix Diffie-Hellman public key issue in Tomcat


Cannot access Tomcat web server

I was using older Tomcat and deployed an Java application, but when I accessed the server through Google Chrome and Firefox, I got a message "Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY". So I explain how to solve the issue.




Diffie-Hellman public key issue

When you accessed older Tomcat server through Google Chrome or Firefox, you may get a message "Server has a weak ephemeral Diffie-Hellman public key ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY". So I looked into the issue. 

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


Google Chrome Help describes the issue.
"Server has a weak ephemeral Diffie-Hellman public key" or "ERR_SSL_WEAK_EPHEMERAL_DH_KEY"
You'll see this error if you're trying to go to a website that has outdated security code. Chrome protects your privacy by not letting you connect to these sites.

If you own this website, try updating your server to support ECDHE and turn off DHE. If ECDHE is unavailable, you can turn off all DHE cipher suites and use plain RSA.


How to fix the issue in Tomcat

In order to fix the issue, we need to add the following settings into server.xml file. This settings tell Tomcat to use more secure public keys. 
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"

My server.xml looks like as follows. 
<Service name="Catalina">

  <Connector
      port="2000"
      maxThreads="200"
      acceptCount="100"
      minSpareThreads="25"
      maxSpareThreads="50"
      compression="on"
      URIEncoding="Shift_JIS"
      keystorePass="XYZ"
      keystoreFile="/opt/www/.keystore"
      enableLookups="true"
      connectionTimeout="60000"
      scheme="https" secure="true"
      sslProtocol="TLS"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"
  />
.....

Once you added the above settings, you just need to restart Tomcat. As a result of that, you can access Tomcat website.