9 Replies Latest reply on Sep 9, 2015 6:07 PM by an.iori

    NSM GUI not working with Google Chrome 44.0.2403.107

    peter.mason

      Hi All,

       

      After upgrading to Google Chrome 44.0.2403.107, the Network Security Manager interface does not load correctly; it displays a broken page image.

       

      Sad_NSM.PNG

       

      This is not the enable-npapi problem, as I have already applied that workaround.

       

      Has anyone else experienced this issue, or does anyone have a solution?

       

      I'm using NSM v8.2.7.25

       

      Regards

       

      Peter

        • 1. Re: NSM GUI not working with Google Chrome 44.0.2403.107
          an.iori

          The following page doesn't solve your issue, but it might help community members understand the situation.

           

          Plugin-based content doesn't work on Chrome

           

          Why NPAPI plugins don’t work now

          In the past, many plugins were developed using an old system called NPAPI. Today fewer sites are using NPAPI plugins and they have often caused security risks on websites.

          To make browsing with Chrome safer, faster, and more stable, we stopped allowing NPAPI plugins on September 1, 2015.

          Plugins that use NPAPI, including Silverlight, Java, and Unity, won’t work. If you want to use a website that uses an NPAPI plugin, you’ll need to use a different web browser.

           

          Regards,

          • 2. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
            peter.mason

            Hi an.iori,

             

            I understand that Google Chrome is no longer a supported browser as of version 45 which is documented in KB84632.

             

            Impact of Google Chrome Java applet support (NPAPI) EOL on Network Security Manager GUI access

             

            https://kc.mcafee.com/agent/index?page=content&id=KB84632

             

            At the time this was posted Chrome should have been a supported browser. I have spoken to McAfee Support and they confirmed that the changes to Chrome v44 unexpectedly caused it to stop working with NSM.

             

            Chrome will be a supported browser again once version 8.3 of NSM is released later in the year.

             

            Peter

            • 3. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
              allencrawford

              There seems to be another issue starting with Chrome 45 that is far worse.  Guessing McAfee Support won't help much if they consider it an unsupported browser in NSM 8.2, but my larger concern is that this message (see below) is being triggered in the first place.  How can we increase the key size?

               

              Server has a weak ephemeral Diffie-Hellman public key

              ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

               

              More info at: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY - The Chromium Projects

              "As of Chrome 45, this error message is triggered if the SSL/TLS handshake attempts to use a public key, smaller than 1024 bits, for ephemeral Diffie-Hellman key agreement."

               

              Curious on how we could fix this vs. a workaround of using IE or Firefox.

              • 4. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
                an.iori

                Hi Peter,

                 

                Bad luck about the unexpected breakage, and good luck with version 8.3 of NSM.

                 

                Regards,

                • 5. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
                  an.iori

                  Hi Allen


                  Note:

                  The server-side workaround below modifies a server configuration file and comes with no guarantee against problems on NSM.

                  I recommend applying only the browser-side workaround.


                  For browser side: (workaround of using IE or Firefox)

                  IE: Not verified

                  Chrome: Affected and not investigated

                  Firefox: Affected

                  1. Enter about:config in the Firefox address bar, then press Enter

                  2. Search for DHE

                  3. Set the following to false (default: true):

                  security.ssl3.dhe_rsa_aes_128_sha

                  security.ssl3.dhe_rsa_aes_256_sha

                  4. Restart Firefox

                  Note: When accessing sites other than NSM, setting these to true is recommended.

                   

                  For server side: (How can we increase the key size?)

                  1. Stop NSM

                  2. Backup the <install path>\App\apache-tomcat\conf\server.xml file

                  3. Open <install path>\App\apache-tomcat\conf\server.xml with a text editor

                  4. Remove TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA from ciphers=

                  5. Start NSM

                   

                  Note: Only verified in a test environment.


                  FYI:

                  The steps above are quite similar to those in How to disable SSLV3 on Network Security Manager (KB83531).

                   

                  Regards,

                  • 6. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
                    allencrawford

                    I don't seem to have that section in the "ciphers=" section.  Here's how my two lines read (one for port 443, one for 444):

                     

                    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

                    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

                    • 7. Re: NSM GUI not working with Google Chrome 44.0.2403.107
                      an.iori

                      Hi Allen,


                      I checked the server.xml file on a fresh 8.2.7.46 installation, with the version taken from <install path>\App\config\ems.properties.

                      ems.version=8.2.7.46

                      ems.build=201504300152

                       

                      I got your point; I did not check port 444.

                      The modification I made on a test box is below.

                       

                      After:

                            <!--
                            To disable TLSv1.0, add sslEnabledProtocols="TLSv1.1,TLSv1.2" to connector
                            -->
                            <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                                       maxThreads="150" scheme="https" secure="true"
                                       keystoreFile="conf/my-server.keystore" keystorePass="changeit" keystoreType="jks"
                                       compression="on" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
                                       address="${jboss.tomcat.bind.address}"
                                       ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                                       clientAuth="false" sslProtocol="TLS"
                                       maxPostSize="10485760"
                            />

                      Before:

                            <!--
                            To disable TLSv1.0, add sslEnabledProtocols="TLSv1.1,TLSv1.2" to connector
                            -->
                            <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                                       maxThreads="150" scheme="https" secure="true"
                                       keystoreFile="conf/my-server.keystore" keystorePass="changeit" keystoreType="jks"
                                       compression="on" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
                                       address="${jboss.tomcat.bind.address}"
                                       ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                                       clientAuth="false" sslProtocol="TLS"
                                       maxPostSize="10485760"
                            />

                       

                      Try the Firefox workaround first, then Chrome with the server-side workaround on your test box.

                       

                      FYI:

                      It seems the <Connector port="444" …> tag is commented out by <!-- .. -->.

                            <!--         Following connector open port 444 for CAC, uncomment it for using CAC -->
                            <!--
                            <Connector port="444" protocol="HTTP/1.1" SSLEnabled="true"
                                       maxThreads="150" scheme="https" secure="true"
                                       keystoreFile="conf/my-server.keystore" keystorePass="changeit" keystoreType="jks"
                                       compression="on" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript"
                                       address="${jboss.tomcat.bind.address}"
                                       truststoreFile="conf/ca.keystore" truststorePass="snowcap" truststoreType="jks"
                                       clientAuth="true" sslProtocol="TLS"
                                       ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
                                       redirectPort="443" maxPostSize="10485760"/>
                            -->

                       

                      Regards,

                      AN
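
Added example (not part of the thread and not McAfee's tooling): a Python audit of a Tomcat server.xml that reports which connectors list finite-field TLS_DHE_* suites in ciphers=, whether each connector is live or commented out like the port 444 one above, and the ciphers= value with those suites removed. The sample file, the port 8443 connector and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connectors quoted in this thread.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" sslProtocol="TLS"
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <!-- Following connector open port 444 for CAC, uncomment it for using CAC -->
  <!--
  <Connector port="444" SSLEnabled="true" clientAuth="true"
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  -->
  <Connector port="8443" SSLEnabled="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# Finite-field DHE suites only; TLS_ECDHE_* does not match this pattern.
DHE = re.compile(r"^(?:TLS|SSL)_DHE_")

def _connectors(xml_text):
    """Yield (element, active) for live and commented-out <Connector> tags."""
    for el in ET.fromstring(xml_text).iter("Connector"):
        yield el, True  # the default parser drops comments, so these are live
    for body in re.findall(r"<!--(.*?)-->", xml_text, re.S):
        try:
            wrapped = ET.fromstring("<c>" + body + "</c>")
        except ET.ParseError:
            continue  # comment is prose that is not well-formed XML
        for el in wrapped.iter("Connector"):
            yield el, False  # becomes live if someone uncomments it

def audit(xml_text):
    """Report DHE suites per connector and the ciphers= value without them."""
    report = []
    for el, active in _connectors(xml_text):
        raw = re.sub(r"\s+", "", el.get("ciphers", ""))  # tolerate wrapped lines
        suites = [s for s in raw.split(",") if s]
        report.append({
            "port": el.get("port"),
            "active": active,
            "dhe": [s for s in suites if DHE.match(s)],
            "ciphers_without_dhe": ",".join(s for s in suites if not DHE.match(s)),
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Once the DHE suites are removed, the remaining TLS_RSA_* and SSL_RSA_* suites in the thread's "After" connector use static RSA key exchange, so those sessions have no forward secrecy.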

                      • 8. Re: Re: NSM GUI not working with Google Chrome 44.0.2403.107
                        allencrawford

                        Thanks for the info.  Turns out, I don't have to do anything.  I don't know what happened, but I suspect it was something with the Chrome browser.  When I came into the office on Tuesday, Chrome 45 works just fine against NSM 8.2.7.71 now--no SSL error.  From what I can tell, there wasn't a new minor version of Chrome released, but maybe there was some sort of back-end change.  We definitely didn't change anything with the NSM server.  I suppose it is possible there was an internal PKI issue, but I do not know yet.  Regardless, Chrome 45 is working on NSM 8.2.7.71 just fine now.

                        • 9. Re: NSM GUI not working with Google Chrome 44.0.2403.107
                          an.iori

                          Hi Allen,

                           

                          Glad to know the issue is fixed.

                           

                          Thanks for sharing the information,

                          AN