ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY — Chrome detected the server using a Diffie-Hellman ephemeral key below 1024 bits (Logjam attack, 2015). Precomputation lets an attacker decrypt traffic. Fix: raise DH group to 2048 bits, or move to ECDHE (elliptic curve). nginx: ssl_dhparam with a freshly generated 2048-bit file + cipher list without DHE.
Below: causes, fixes, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
openssl dhparam -out dhparam.pem 2048 (5-10 minutes)ssl_dhparam /etc/ssl/dhparam.pem;ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;The ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error occurs when a server uses a weak ephemeral Diffie-Hellman (DH) key for SSL/TLS connections, making it vulnerable to attacks like Logjam. To fix this, ensure your server is configured with strong DH parameters (2048 bits or higher) and update your web server software to the latest version. This enhances security and resolves compatibility issues with modern browsers.
The ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error is a result of using weak or outdated Diffie-Hellman parameters in SSL/TLS configurations. When a client attempts to establish a secure connection with a server that uses a DH key size less than 1024 bits, modern browsers like Chrome and Firefox will reject the connection due to security concerns.
Specifically, the Logjam attack exploits the use of weak DH parameters, allowing an attacker to downgrade the security of the connection. This vulnerability is particularly concerning for web applications handling sensitive data. The Internet Engineering Task Force (IETF) recommends using at least 2048-bit DH parameters to prevent such attacks.
To identify if your server is susceptible to this issue, you can use tools like SSL Labs' SSL Test or OpenSSL commands to inspect your server's SSL/TLS configuration. For example, you can run the following command to check the DH parameters:
openssl s_client -connect yourdomain.com:443 -cipher 'EDH' -msgIf the output indicates a weak DH key size, it is imperative to take corrective measures.
To resolve the ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error, follow these steps:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048ssl_dhparam /etc/ssl/certs/dhparam.pem;# For Apache: sudo systemctl restart apache2
# For Nginx: sudo systemctl restart nginxBy following these steps, you can effectively resolve the ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error and enhance the security of your server's SSL/TLS implementation.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up free2015 attack: precomputed 1024-bit DH group enables MITM at ~$100k (state actor). All major browsers reject < 1024 bit.
More CPU cost for marginal gain (NIST SP 800-131A: 2048 secure through 2030+). 2048 is the recommended baseline.
Yes, ECDHE P-256 is faster + secure. Modern TLS configs use ECDHE only and drop DHE entirely.
No, Logjam fix is server TLS config, the cert itself is unchanged.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.