  • 1.  Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 09, 2015 02:23 PM

    Mozilla released Firefox v39.0 yesterday and it blocks connections to any web site which supports weak Diffie-Hellman keys.

    "In order to prevent Logjam man-in-the-middle attacks, the lower length of the supported Ephemeral Diffie-Hellman (DHE) keys has been limited to 1023-bit. 512-bit export-grade cryptography is no longer available in the Mozilla products, and users may encounter the following error message on sites offering such a weak key:
    SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)"

    (Source: https://developer.mozilla.org/en-US/Firefox/Releases/39/Site_Compatibility#Security)

     

    When I connect to my SEPM web console using FF39 I get the above error message and therefore never get to the login page. Does anyone know if this is due to a problem with the Windows operating system or with SEP software? FWIW the SEPM server is patched with MS15-55 (KB3061518) which fixes the Logjam vulnerability. So it seems like a SEP software problem but I haven't seen anything from Symantec about this and can't find any KB articles.

    I am running SEPM v12.1 RU5 (12.1.5337.5000)

    Related forum discussion at https://www-secure.symantec.com/connect/forums/ssltls-diffie-hellman-modulus-1024-bits-logjam

     



  • 2.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 10, 2015 12:37 PM

    May be a known issue/vuln; this was all I found from an earlier post:

    https://www-secure.symantec.com/connect/forums/ssltls-diffie-hellman-modulus-1024-bits-logjam



  • 3.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 10, 2015 06:15 PM

    Same for me. Firefox 39, SEPM 12.1.6.

    Replaced the cipher values in server.xml and replaced the Java JCE policy files. Restarted the webservice and done.

    Followed these recommendations and I'm up.

    https://weakdh.org/sysadmin.html
    Apache Tomcat
    In the server.xml file (for JSSE)
    Cipher Suites

    server.xml was here: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf

    Only changed the ciphers= value under <Service name="WebService">

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"

    NEXT

    Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
     

    unzip and replace files at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\lib\security

    Restart webservice.

    done

     



  • 4.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 11, 2015 12:40 PM

    Excellent advice! Probably worth noting that I doubt Symantec officially supports this method so if something goes wrong you'd be on your own. But that's what backups are for ;)

    Cheers!

     

    Brɨan



  • 5.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 17, 2015 02:45 PM

    I tried the above listed directions and first I noticed that we don't have RMM running on the SEPM, but after looking at the Apache Tomcat directions in https://weakdh.org/sysadmin.html and applying the Java JRE unlimited strength .jar files listed, I was unable to log into the SEPM Java console; I would get an unexpected server error on either the downloaded SEPM console or the web-based one.

    I modified c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\server.xml and I was able to log in and have the error disappear in both Firefox 39 and Tenable results, using the enhanced Diffie-Hellman TLS 1.2 ciphers listed at https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.0-cipher-suites
    However, now I noticed replication between our different SEPMs displays unexpected server error 0x10010000, and when checking SEPM replication partner certificates I get "failed to connect to the specified replication partner server, verify that server name and port are correct".
    When trying to set up a current replication partner I get the same error.
    I have opened a ticket with Symantec support and support SymHelp files, and I'm waiting for a call back.



  • 6.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Jul 21, 2015 01:52 PM

    I opened a ticket with Symantec support and got this response from them:

    Hello,
    Our development team is aware of the issue, and we have a patch for it that should be available in about a month, very roughly.  Until then, our official stance is that Firefox 39 is not supported.  I don't have any public documentation on it.
    I shared your workaround with the senior engineer I met with and he had not seen it before.  I don't think that it is going to be supported, either.  The ramifications of the changes you made to get past that error are not immediately apparent (or I'm sure you'd have a fix already) so would require that I send the case up to development.  And, we might just get back that it's not supported.
    So, is the knowledge that a patch is forthcoming going to be a good resolution for you, or do you want me to pursue whether we can get help with the work-around you found?

    I realized where my error was coming from:
    1: I had an improper server.xml configuration, and
    2: I had improper rights on server.xml

    To get it to work I did the following:
    1: opened services.msc
    2: stopped the Symantec Manager Webserver service and then stopped the Symantec Manager service
    3: made a backup of c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\server.xml as c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\server-copy.xml, and then copied c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\server.xml to my desktop and opened it
    4: since I already had Web services for Symantec Protection Center (port 8444) and remote management (port 8446) disabled, I copied the following under the connector section for port 8443:

    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

    If you have Web services for Symantec Protection Center (port 8444) and remote management (port 8446) enabled then you would copy the same under those sections too.
    5: save server.xml and then replace the current c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\server.xml with it
    6: in Windows Explorer right-click on c:\program files (x86)\symantec\symantec endpoint protection manager\tomcat\conf\, select Properties, click on the Security tab, click Advanced, click Continue and check the box for "replace all child permission entries with inheritable permission entries from this object", then click OK twice to close the security properties windows
    7: if you haven't already, download and copy the .jar files from UnlimitedJCEPolicyJDK8 to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\lib\security and replace the current files
    8: switch back to services.msc and restart the Symantec Manager service and then restart the Symantec Manager Webserver
    9: test your connections by opening https://YOUR_SEPM_URL:8443 in Firefox 39; you should get your normal connection options screen. Also test your downloaded SEPM console (Java based) at https://YOUR_SEPM_URL:8443/servlet/JnlpServlet. Once in the console, if you have replication set up to multiple sites you'll want to click on Admin > Servers, then right-click on the replication partner and click "check certificate".

    It should succeed and you can run replication.
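Added example, not from this thread or from Symantec: a small Python audit that reads a Tomcat server.xml in the layout edited above, sorts each SSL-enabled connector's ciphers= list into export/NULL/anonymous suites, finite-field DHE suites (the ones whose ephemeral key size is decided by the JVM rather than the suite name, and so the ones Firefox 39's check can reject) and everything else, and produces a hardened list. It goes a little beyond the thread by also flagging anonymous and NULL suites; the sample server.xml and its cipher list are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Tomcat server.xml in the layout the thread describes
# (Service name="WebService", HTTPS connector on 8443). Not a real SEPM file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="WebService">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS"
      ciphers="SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Substrings (JSSE suite naming) that mark suites no client should be offered at all.
WEAK_MARKERS = ("_EXPORT", "_NULL_", "_anon_")

def classify_suite(suite: str) -> str:
    """'weak' for export/NULL/anonymous suites, 'dhe' for finite-field DHE, else 'keep'."""
    if any(m in suite for m in WEAK_MARKERS):
        return "weak"
    # TLS_DHE_*/SSL_DHE_* use classic Diffie-Hellman; the DH parameter size comes from
    # the JVM, so the suite name alone cannot show the server key is >= 1024 bits.
    if suite.startswith(("TLS_DHE_", "SSL_DHE_")):
        return "dhe"
    return "keep"  # ECDHE and plain RSA suites are not subject to the DHE-size check

def audit_connectors(server_xml: str) -> dict:
    """Map each SSLEnabled Connector port to {'weak': [...], 'dhe': [...], 'keep': [...]}."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no cipher list to audit
        buckets = {"weak": [], "dhe": [], "keep": []}
        for suite in conn.get("ciphers", "").split(","):
            suite = suite.strip()
            if suite:
                buckets[classify_suite(suite)].append(suite)
        report[conn.get("port")] = buckets
    return report

def hardened_ciphers(server_xml: str, port: str) -> str:
    """ciphers= value for one connector with weak and finite-field DHE suites removed, order preserved."""
    return ",".join(audit_connectors(server_xml)[port]["keep"])

if __name__ == "__main__":
    for port, b in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: weak={b['weak']} dhe={b['dhe']}")
        print(f"  suggested ciphers=\"{hardened_ciphers(SAMPLE_SERVER_XML, port)}\"")
```

Review the suggested list before pasting it into server.xml: if every suite was removed it comes back empty, and as the thread shows, a cipher list that the web console accepts can still break replication between SEPM servers.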


     



  • 7.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Aug 06, 2015 05:38 AM

    Thanks, that has worked out great. Problem solved.



  • 8.  RE: Firefox 39 impact on SEPM web console DHE keys

    Posted Aug 10, 2015 04:24 PM

    Firefox 39 works for me with SEPM running 12.1.6 MP1 but not 12.1.5.  Looks like upgrade solves issue.