OS no longer working when Firefox upgraded to version 40

    This is an issue on your server related to the logjam attack (https://weakdh.org). We have run into it too and have been unable to successfully patch our JBoss server. Chrome and IE still work, so we are recommending those browsers.

    More info is here:

    http://forums.openspecimen.org/t/firefox-browser/544

    Thank you very much for your input.

    I did look at the above thread, which is for a Linux server. However, we are using Windows 7 as the JBoss server.

    Have you or anyone done it on a Windows server?

    Thanks again.

    Amy

    We are also on Windows. We have tried changing the config in JBoss to remove the weak ciphers, but there is no good info on configuring it. Our Windows patches are up to date, so it is not a patching issue.

    This patch was suggested, but we had already applied it, so I’m not sure if it helps:

    Thank you so much. Very helpful information! I’ll try it.
    I did some research on this issue and found out this problem can be solved by downgrading nss libraries (nss nss-sysinit nss-util nss-softokn nss-softokn-freebl nss-tools nss-sysinit) at code.

    https://support.mozilla.org/en-US/questions/1065417

    Hope OS development team would notice this issue and fix it at root.

    Thanks again.

    Amy

    @amy_bai1

    OS v1.x is currently in “as-is” mode and no new releases or bug fixes will be made by Krishagni.

    ~Sri

    Thank you Sri,

    Does OS 2.0 fix the browser issue?

    We are using catissue 1.2 now, is it possible to upgrade directly from catissue 1.2 to OS 2.0?

    Thanks again.

    Amy

    @Amy_Bai1 Yes, you won’t encounter these issues in v2.x.

    Upgrade from NCI v1.2 is very much possible. However it is not necessarily 100% automated or seamless due to the re-architecture.

    ~Sri

    We are working through the upgrade from OS v1.1 to OS v2.1 on our dev environment now and we are seeing some of this. Much of it seems to be related to new database constraints, so we’re working through it slowly and identifying what we need to do manually when we move it to our other environments. I assume the hurdles are different for different institutions, because we may each be “violating” the new constraints differently.

    Just an FYI; I just updated Chrome to version 45 (the latest) and it also fails for the weak Diffie-Hellman key, so OS v1.x (or the underlying architecture) does not work with the latest versions of Firefox or Chrome. I believe IE is still okay, but I’m back on IE9, so I can’t speak about the latest version.

    Sri,

    Thanks for pointing it out.

    We are about to go ‘live’ in production with OS 1.1_RC3 from catissue 1.2. However, because of the issue ‘the weak Diffie-Hellman key’ on Chrome 45, the upgrading project is on hold.

    Is IE 9 working?

    Bob_lange, thanks for your input. IE 9 doesn’t work for us. I could log in, but there is nothing under the Collection Protocol tree when I click Collection Based View. I’m using JBoss 5.1.0.GA. Do I need to use slim JBoss?

    Thanks again for both your help!

    Amy

    @bob_lange and @Amy_Bai1

    so OS v1.x (or the underlying architecture) does not work with the latest versions of Firefox or Chrome.

    IMO, this is incorrect. OpenSpecimen or its architecture has no role to play in this problem :)

    The solutions to fix weak DH based on your choice of front end server are given in below link:

    https://weakdh.org/sysadmin.html

    Let us know how it goes.

    Thanks.

    I understand that it is not OS itself, but we are having trouble with the underlying architecture (JBoss). I have seen the page you referenced, but there is nothing about fixing this for JBoss (on a Windows server or otherwise).

    Are you directly accessing JBoss without any front end web server? If yes, then copying cipher suites mentioned in Apache Tomcat section should help? Also you need to copy required JCE policy files.

    File to modify in JBoss: Connector settings in {profile}/deploy/jbossweb.sar/server.xml

    BTW, OS v2x is independent of AS. We’ve tested it to work on both JBoss 7/8 and Tomcat 8.
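
An added example, not part of the thread and not OpenSpecimen or JBoss code: a small audit of a jbossweb.sar-style server.xml that lists the cipher suites on TLS connectors relevant to the weak Diffie-Hellman error. The sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an HTTPS connector in jbossweb.sar/server.xml
# (not taken from the thread).
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" />
    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_EXPORT_WITH_RC4_40_MD5,
                        TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>"""

def classify(suite):
    """Return a reason string if the suite is a Logjam concern, else None."""
    s = suite.upper()
    if "_EXPORT_" in s:
        return "export-grade suite"
    if "_DH_ANON_" in s:
        return "anonymous DH (unauthenticated)"
    if "_DHE_" in s:  # does not match ECDHE, which has no underscore before "DHE"
        return "finite-field DHE; group size is chosen by the JVM, not this file"
    return None

def audit_connectors(xml_text):
    """Return (port, suite, reason) for every flagged suite on TLS connectors."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        is_tls = (conn.get("SSLEnabled", "").lower() == "true"
                  or conn.get("scheme") == "https")
        if not is_tls:
            continue
        port = conn.get("port")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # Without an explicit list the JVM's default suites are offered.
            findings.append((port, None, "no ciphers attribute; JVM defaults apply"))
            continue
        for suite in (c.strip() for c in ciphers.split(",")):
            reason = classify(suite) if suite else None
            if reason:
                findings.append((port, suite, reason))
    return findings

if __name__ == "__main__":
    for port, suite, reason in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {suite or '(unset)'} -> {reason}")
```

Running it against two copies of server.xml, one that works and one that does not, shows which connector still offers a DHE or export suite.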

    I agree with you. It is not a problem in OS itself. However, our upgrading project is on hold because of this issue. I’m pretty sure some other institutions may have the same concern.

    BTW, I just want to make our upgrading project moving, could anyone help me on IE9 since IE9 doesn’t have any problem so far?

    "I could login, but nothing under Collection Protocol tree when click Collection Based View. I’m using Jboss 5.1.0.GA. Do I need use slim jboss?"

    Thanks in advance.

    Amy

    @Amy_Bai1 Does this happen even with Apache front-ending?

    You can follow the steps here:
    https://openspecimen.atlassian.net/wiki/display/CAT/Fronting+JBoss+with+Apache

    You can follow the additional steps here to tweak it further:
    https://weakdh.org/sysadmin.html

    ~Sri

    Thank you very much Sri.

    I’ll give a try and post result here.

    Amy

    I have followed the instructions under https://weakdh.org/sysadmin.html, but still get the weak Diffie-Hellman error.

    My connector setting under server.xml looks like this:

    I added the ciphers to the existing connector as explained in the link. I also downloaded and included the JCE Unlimited Strength Jurisdiction Policy Files.

    Any idea what I’m doing wrong? I am editing the server.xml under JBOSS_HOME\server\default\deploy\jbossweb.sar.

    I must have had something slightly wrong in the above config. I redid it and now it looks like we’re no longer getting the Diffie-Hellman error in Firefox or Chrome.

    Thank you Bob_lange,
    I did the same thing as you did. It still does not work.
    May I ask which Java version you are using? I’m using 1.6, so I downloaded the JCE Unlimited Strength Jurisdiction Policy Files version 1.6.

    Appreciate your help.

    Amy

    We are also using 1.6 and I downloaded the same JCE.

    The first time I tried this, it didn’t work and then I tried again and it worked, so there may have been a small typo or something. Unfortunately, I don’t have the one that didn’t work for comparison. Let me clean up anything sensitive in my server.xml and I’ll send you a copy. Maybe you can compare it to what you have directly and see what you find.