mtoal94769

Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Hi Dell Community,

When browsing to my N1548P switches web management via HTTPS, I get this error in Firefox.
I get similar errors in Edge and Internet Explorer.

I have followed the steps described in HOW10832 "How to set up management access for the N1500 series switch".

I have generated RSA and DSA keys and have "ip http secure-server" set in the configuration.

I have NOT disabled HTTP (I tried that, but I put it back because HTTPS doesn't work)

I am able to browse by HTTP with no issue, and I can ssh to the switches with no issue.

The switches are on firmware 6.3.3.10 which I understand is current as of November 2017.

My X1000 series products do not have this issue and I can browse to them with HTTPS.

Any suggestions? Thanks!

10 Replies
Moderator

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Sounds like you may be missing a couple of commands in your config. I followed this guide and it worked like a charm.

http://dell.to/2AaMa7L

I believe the step you may be missing is step 5.

  • console(config)# crypto certificate 1 generate
  • console(config-crypto-cert)#key-generate <512-2048>
  • console(config-crypto-cert)#exit
  • console(config)# ip http secure-certificate <1 - 2> Instance of the certificate to be activated.
  • console(config)# ip http secure-server

This system is capable of the generation and storage of 2 certificates. To generate the second key, replace the number 1 with 2. To activate the second key, use (config)# ip http secure-certificate 2.

Daniel Covey
Dell EMC| Enterprise Support Services
Get support on Twitter:@DellCaresPRO
Download our QRL app:iOS, Android, Windows
Dell Networking Resources

mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Hmmm.

I had already generated keys as described, as this procedure was also specified in HOW10832; however, I redid it as shown below.

I still get the error.

Here's a screenshot from IE11. It complains of an SSL Error due to invalid certificate.

Do I need to reload the switch to restart the crypto services?

Do I need to generate the second certificate?

Do I need to generate a certificate somewhere else and upload it to the switch?

---------------------------------------------------------------------------------------------------------------

ch-switch(config)#no ip http secure-server
ch-switch(config)#no ip ssh server
ch-switch(config)#crypto key generate rsa
Do you want to overwrite the existing RSA keys? (y/n):y
RSA key generation started, this may take a few minutes...
RSA key generation complete.
ch-switch(config)#crypto key generate dsa
Do you want to overwrite the existing DSA keys? (y/n):y
DSA key generation started, this may take a few minutes...
DSA key generation complete.
ch-switch(config)#ip ssh server
ch-switch(config)#crypto certificate 1 generate
ch-switch(config-crypto-cert)#key-generate 2048
Self-signed Certificate and RSA key-pair Exists.
If you want to overwrite Existing keys, Enter 'y'.
If you want to keep existing keys as it is, Enter 'n'.
[y:n] y
ch-switch(config-crypto-cert)#exit
Certificate Generation Successful..
ch-switch(config)#ip http secure-certificate 1
ch-switch(config)#ip http secure-server
ch-switch(config)#ip ssh pubkey-auth

------------------------------------------------------------------------------------------------------

mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Here is some (obfuscated) crypto output from the switch, after I had completed the above commands. We do have RSA and DSA keys, and a certificate. We had this stuff before I regenerated it. I'm not enough of an expert on the math behind the crypto stuff to understand why what I have here does not work. Is it because it is self-signed or self-generated?

Moderator

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Being a self-signed cert, the browser will throw up a warning message, but you should be presented with an option to accept the self-signed cert. Are there any additional options if you select the drop-down for more information?

Daniel Covey

mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


Hi Daniel,

No, there is no option to continue with the unsigned certificate. Consider the difference between the "Page info" from Firefox for an X1008P switch and for the N1548P.

The X1008P works fine, despite the fact that the certificate is signed by the chipset manufacturer (Marvell), meaning it is self-signed. We can make an exception for this in Firefox (and in Edge, and in IE).

The N1548P doesn't even seem to be sending my browser a certificate, though as we can see above I believe I have generated a certificate. It entirely rejects connecting via https and there is no option to make an exception, I presume because there is no encryption, or the cypher it is trying to communicate with is not acceptable. I am not sure how to test this.

mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


OK, I can use nmap to probe the ciphers used by my x1008p and my n1548p.

On the n1548P I note a warning: "Weak certificate signature: SHA1"

It is also specifying server-side cipher preference. So it ignores the browser.

Are we able to specify a cipher other than SHA1 when it generates its certificate on the N1500 series?

See below. Thanks.

-------------------------------------------------------------------------------------------------------

Here is the output from the x1008p:

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-28 16:23 Central Standard Time
Nmap scan report for 192.168.18.42
Host is up (0.0052s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
MAC Address: F4:8E:38:32:84:F3 (Dell)

Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds

-------------------------------------------------------------------------------------------------------

Here is the output from the N1548P:

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-28 16:21 Central Standard Time
Nmap scan report for 192.168.18.1
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: A
MAC Address: F4:8E:38:49:94:EE (Dell)

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds
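As an added illustration (not code from this thread or from Dell), here is a small Python script that parses ssl-enum-ciphers output like the two reports above and intersects each switch's accepted suites with a client's offer list, which is the check behind a "no cipher overlap" error. The embedded reports are constructed, trimmed excerpts of the output quoted above, and the Firefox offer list is an assumption modelled on a 2017-era Firefox (SHA-1 MAC CBC suites only, no RSA-GCM or *_SHA256 suites), not a Mozilla reference.

```python
import re
# Constructed excerpts of the two ssl-enum-ciphers reports quoted above (trimmed to a few suites).
X1008P_REPORT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|     cipher preference: client
|_  least strength: A
"""
N1548P_REPORT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: A
"""
# Assumed client offer (not a Mozilla reference): the RSA/DHE TLS 1.2 suites a 2017-era
# Firefox sent, i.e. SHA-1 MAC CBC suites only, no RSA-GCM and no *_SHA256 suites.
FIREFOX_OFFER = {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}

def parse_enum_ciphers(report):
    """Return {protocol: {"ciphers": [...], "preference": str|None, "warnings": [...]}}."""
    result, proto, section = {}, None, None
    for raw in report.splitlines():
        body = raw[1:].lstrip("_") if raw.startswith("|") else ""   # drop the "|"/"|_" gutter
        indent, text = len(body) - len(body.lstrip(" ")), body.strip()
        if indent == 3 and text.endswith(":"):          # protocol header, e.g. "TLSv1.2:"
            proto = text[:-1]
            result[proto] = {"ciphers": [], "preference": None, "warnings": []}
        elif indent == 5 and proto and text.endswith(":"):   # ciphers:/warnings:/compressors:
            section = text[:-1] if text in ("ciphers:", "warnings:") else None
        elif indent == 5 and proto and text.startswith("cipher preference:"):
            result[proto]["preference"] = text.split(":", 1)[1].strip()
        elif indent == 7 and proto and section == "ciphers":
            m = re.match(r"(\S+) \(([^)]*)\) - (\S+)", text)     # "NAME (key) - grade"
            result[proto]["ciphers"].append(m.group(1))
        elif indent == 7 and proto and section == "warnings":
            result[proto]["warnings"].append(text)
    return result

def cipher_overlap(server, client_offer):
    """Suites the client offers that the server also accepts, per protocol version (empty = no overlap)."""
    return {p: sorted(set(v["ciphers"]) & client_offer) for p, v in server.items()}
```

With these inputs the X1008P shares TLS_RSA_WITH_AES_128_CBC_SHA with the assumed client, while the N1548P shares nothing, and its warnings (1024-bit DH, SHA-1 signed certificate) are surfaced separately from the overlap question.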



mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


(duplicate post removed, sorry!)

Moderator

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


I was not able to get Firefox to work. I got the same messages that you did, and could not find any workaround. IE and Chrome both gave me warning messages, but then provided me with the option to continue. Once they had the certificate added, I could then connect without issue.

I tried using SSL3 and TLS1 protocols on the switch, and both produced the same results for me. I played around with some of IE's advanced settings, disabling some of the checks for certificate revocation, but none of them seemed to change the behavior. I also tried enabling Chrome's option to allow invalid certificates, but it had no effect.

I am not certain what else we can try here. I suggest using IE or Chrome, and see if you can get that option to continue. Perhaps also try a different client to make the connection from.

Daniel Covey

mtoal94769

RE: Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP


First of all I'd like to thank you Daniel for the time you have given in responding to this thread.

This problem is seen on all 14 of my N1548P's. Daniel from Dell has reproduced it. Can anyone else reading this thread confirm and reproduce this?

I can bypass the error in Chrome, and that's a valid workaround despite my ideological preference for Firefox. I acknowledge that I may have done something very wrong in terms of how I have provisioned my switches, but it is also possible that something about the certificate generation in the N1500 products I have is badly broken. I am certainly not a crypto expert, but the nmap output seems to indicate the latter. So I am kind of thinking the best solution would be to fix the switch firmware so it is secure.

To that end, unless you (Daniel) can recommend to me someone specific at Dell to contact, I'm going to contact support and request this as an enhancement/bugfix. Thanks again for your help.
