How to Fix the ERR_SSL_WEAK_EPHEMERAL_DH

How to Fix Server Has a Weak Ephemeral Diffie-Hellman Public Key Warning Message?

(1 votes, average: 5.00 out of 5)

Have you ever clicked on a website and been greeted by an ERR_SSL_WEAK_EPHEMERAL_DH_KEY security error instead of the page? It’s a common security warning that indicates that the security of the site that you are attempting to access isn’t – strong enough. Modern browsers, like – Google Chrome, don’t let you connect to such websites to protect your privacy.

Comprehending the ERR_SSL_WEAK_EPHEMERAL_DH_KEY error can affect your browsing experience, and is hard to resolve. Therefore, in this article, we will understand what exactly the – “ERR_SSL_WEAK_EPHEMERAL_DH_KEY” error is, what are the reasons why this error pops up, and most importantly part – “how to get it fixed.”

What is the ERR_SSL_WEAK_EPHEMERAL_DH_KEY Error?

ERR_SSL_WEAK_EPHEMERAL_DH_KEY is an error that pops up when you try to connect to a website that is using an – “outdated SSL security code.”

When you use updated browsers like Mozilla Firefox, they won’t let you access websites if the security code is outdated. They will pop the ERR_SSL_WEAK_EPHEMERAL_DH_KEY error or Server Has a Weak Ephemeral Diffie-Hellman Public Key warning message.

Note: If you are not the webmaster (the person who owns or manages the website), you won’t be able to fix this issue.

What are the Reasons that Give Rise to the ERR_SSL_WEAK_EPHEMERAL_DH_KEY Error?

There is only a single reason behind this error can happen, and it’s the use of an – “outdated SSL security code“.

How to Resolve the ERR_SSL_WEAK_EPHEMERAL_DH_KEY Error?

To fix the issue, try two methods:

Update your server for Elliptic Curve Diffie-Hellman support.
Turn off Ephemeral Diffie-Hellman (DHE).

Let’s explore each method in depth.

Method 1: Update your Server for Elliptic Curve Diffie-Hellman (ECDHE) Support

Follow the steps mentioned below to update your server for Elliptic Curve Diffie-Hellman support:

Click Search, placed on the taskbar.
Type Run and press Enter.
The Run dialog box will appear.
In the Open text box, type regedit and press Enter.
The Registry Editor window will appear.
Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > SecurityProviders > SCHANNEL > KeyExchangeAlgorithms.
Right-click on KeyExchangeAlgorithms.
From the list, select New.
Click Key.
Name the new key PKCS.
Right-click on the PKCS key.
From the list, select New.
Click DWORD (32-bit) Value.
Name this new DWORD as ClientMinKeyBitLength.
Double-click on ClientMinKeyBitLength.
In the Value data box, enter the desired minimum key length (1024 is recommended).
Click OK.
Close the Registry Editor window.
Restart the server.
Try re-accessing the site.

Method 2: Turn off Ephemeral Diffie-Hellman (DHE)

Case1:

If you are using IIS as your web server, follow the steps mentioned below to disable Ephemeral Diffie-Hellman (DHE):

Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > SecurityProviders > SCHANNEL > KeyExchangeAlgorithms > Diffie-Hellman.
Modify the key Enabled with a DWORD value of 0.

Case2:

If you are using an Apache web server, follow the steps mentioned below to disable DHE:

Find any of these files in the Apache conf directory – ssl.conf or httpd.conf.
Search for the SSLCipherSuite keyword string value.
Add “! EDH: ! DHE: ! DH: ! ECDH,” after ALL: in the cipher spec to disable Diffie-Hellman.
Make this change in every SSL configuration if you are not using one global configuration.
Restart the web server.

Conclusion

To wrap up, fixing the – “ERR_SSL_WEAK_EPHEMERAL_DH_KEY error” is paramount for website security and user trust. This error, indicating outdated SSL security code, can be resolved by – “updating your server for Elliptic Curve Diffie-Hellman support” or “disabling Ephemeral Diffie-Hellman.”