November 27th, 2017 14:00

Browsing to Dell N1548P - Secure Connection Failed - SSL_NO_CYPHER_OVERLAP

Hi Dell Community,

When browsing to my N1548P switches' web management via HTTPS, I get this error in Firefox.
I get similar errors in Edge and Internet Explorer.

I have followed the steps described in HOW10832 "How to set up management access for the N1500 series switch".

I have generated RSA and DSA keys and have "ip http secure-server" set in the configuration.

I have NOT disabled HTTP (I tried that, but I put it back because HTTPS doesn't work)

I am able to browse by HTTP with no issue, and I can ssh to the switches with no issue.

The switches are on firmware 6.3.3.10 which I understand is current as of November 2017.

My X1000 series products do not have this issue and I can browse to them with HTTPS.

Any suggestions? Thanks! :)







5 Practitioner • 274.2K Posts

November 29th, 2017 09:00

I was not able to get Firefox to work. I got the same messages that you did, and could not find any workaround. IE and Chrome both gave me warning messages, but then provided me with the option to continue. Once they had the certificate added, I could then connect without issue.

I tried using SSL3 and TLS1 protocols on the switch, and both produced the same results for me. I played around with some of IE advanced settings, disabling some of the checks for certificate revocation, but none of them seemed to change the behavior. I also tried enabling Chrome's option to allow invalid certificates, but it had no effect.

I am not certain what else we can try here. I suggest using IE or Chrome, and see if you can get that option to continue. Perhaps also try a different client to make the connection from.

5 Practitioner • 274.2K Posts

November 28th, 2017 05:00

Sounds like you may be missing a couple of commands in your config. I followed this guide and it worked like a charm.

http://dell.to/2AaMa7L

I believe the step you may be missing is step 5.

  • console(config)# crypto certificate 1 generate
  • console(config-crypto-cert)#key-generate <512-2048>
  • console(config-crypto-cert)#exit
  • console(config)# ip http secure-certificate <1 - 2> Instance of the certificate to be activated.
  • console(config)# ip http secure-server

This system is capable of the generation and storage of 2 certificates. To generate the second key, replace the number 1 with 2. To activate the second key, use (config)# ip http secure-certificate 2.

24 Posts

November 28th, 2017 08:00

Here is some (obfuscated) crypto output from the switch, after I had completed the above commands. We do have RSA and DSA keys, and a certificate. We had this stuff before I regenerated it. I'm not enough of an expert on the math behind the crypto stuff to understand why what I have here does not work. Is it because it is self-signed or self-generated?

24 Posts

November 28th, 2017 08:00

Hmmm.

I had already generated keys as described, as this procedure was also specified in HOW10832; however, I redid it as shown below.

I still get the error.

Here's a screenshot from IE11. It complains of an SSL error due to an invalid certificate.

Do I need to reload the switch to restart the crypto services?

Do I need to generate the second certificate?

Do I need to generate a certificate somewhere else and upload it to the switch?

---------------------------------------------------------------------------------------------------------------

ch-switch(config)#no ip http secure-server
ch-switch(config)#no ip ssh server
ch-switch(config)#crypto key generate rsa
Do you want to overwrite the existing RSA keys? (y/n):y
RSA key generation started, this may take a few minutes...
RSA key generation complete.
ch-switch(config)#crypto key generate dsa
Do you want to overwrite the existing DSA keys? (y/n):y
DSA key generation started, this may take a few minutes...
DSA key generation complete.
ch-switch(config)#ip ssh server
ch-switch(config)#crypto certificate 1 generate
ch-switch(config-crypto-cert)#key-generate 2048
Self-signed Certificate and RSA key-pair Exists.
If you want to overwrite Existing keys, Enter 'y'.
If you want to keep existing keys as it is, Enter 'n'.
[y:n] y
ch-switch(config-crypto-cert)#exit
Certificate Generation Successful..
ch-switch(config)#ip http secure-certificate 1
ch-switch(config)#ip http secure-server
ch-switch(config)#ip ssh pubkey-auth

------------------------------------------------------------------------------------------------------

5 Practitioner • 274.2K Posts

November 28th, 2017 10:00

Being a self-signed cert, the browser will throw up a warning message, but you should be presented with an option to accept the self-signed cert. Are there any additional options if you select the drop down for more information?

24 Posts

November 28th, 2017 14:00

OK, I can use nmap to probe ciphers used by my X1008P and my N1548P.

On the N1548P I note a warning: "Weak certificate signature: SHA1"

It is also specifying server-side cipher preference. So it ignores the browser.

Are we able to specify a cipher other than SHA1 when it generates its certificate on the N1500 series?

See below. Thanks.

-------------------------------------------------------------------------------------------------------

Here is the output from the x1008p:

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-28 16:23 Central Standard Time
Nmap scan report for 192.168.18.42
Host is up (0.0052s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
MAC Address: F4:8E:38:32:84:F3 (Dell)

Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds

-------------------------------------------------------------------------------------------------------

Here is the output from the N1548P:

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-28 16:21 Central Standard Time
Nmap scan report for 192.168.18.1
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: A
MAC Address: F4:8E:38:49:94:EE (Dell)

Nmap done: 1 IP address (1 host up) scanned in 5.14 seconds
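
The ssl-enum-ciphers output above can be checked mechanically. The following Python script is an added example, not something posted in this thread or shipped by Dell or nmap: it parses the scanner's block for the N1548P (embedded as a constructed fixture, trimmed to two suites) and reports what a browser would trip over, an empty protocol or cipher-suite intersection, alongside the scanner's own warnings and the server-side preference the poster noted. The client protocol and suite lists passed to audit() are assumptions to be replaced with the real list of the browser under test.

```python
import re
# Constructed fixture: the ssl-enum-ciphers block the thread shows for the
# N1548P on port 443, trimmed to two of the eight suites.
N1548P_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: A
"""
VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1(?:\.\d)?):$")   # "|   TLSv1.2:"
CIPHER_RE = re.compile(r"^(TLS_\w+) \(([^)]+)\) - (\w)$")     # suite (kx) - grade

def parse_enum_ciphers(text):
    report, cur, section = {}, None, None   # {version: {ciphers, preference, warnings}}
    for raw in text.splitlines():
        m = VERSION_RE.match(raw)
        if m:
            cur = report[m.group(1)] = {"ciphers": [], "preference": "", "warnings": []}
            section = None
            continue
        if cur is None or not raw.startswith("|"):   # outside the script block
            continue
        line = raw.lstrip("|_ ").rstrip()
        if line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]                       # a sub-list follows
        elif line.startswith("cipher preference:"):
            cur["preference"], section = line.split(": ", 1)[1], None
        elif section == "ciphers" and CIPHER_RE.match(line):
            cur["ciphers"].append(CIPHER_RE.match(line).groups())  # (suite, kx, grade)
        elif section == "warnings" and not line.startswith("least strength:"):
            cur["warnings"].append(line)
    return report

def audit(report, client_versions, client_ciphers):
    findings = [v + ": " + w for v in report for w in report[v]["warnings"]]
    common = [v for v in client_versions if v in report]   # protocol intersection
    if not common:
        findings.append("no protocol overlap: server offers only " + ", ".join(report))
    for v in common:
        if not {s for s, _, _ in report[v]["ciphers"]} & set(client_ciphers):
            findings.append(v + ": no cipher suite in common (a no-cipher-overlap error)")
        if report[v]["preference"] == "server":
            findings.append(v + ": server-side cipher preference, client ordering ignored")
    return findings
```

Feeding it the X1008P block instead (TLSv1.1 and TLSv1.2, client preference, no warnings) yields no findings for a client offering any of its RSA suites, which matches the behaviour described in the thread.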

24 Posts

November 28th, 2017 14:00

(duplicate post removed, sorry! :) )

24 Posts

November 28th, 2017 14:00

Hi Daniel,

No, there is no option to continue with the unsigned certificate. Consider the difference between the "Page info" from Firefox about both an X1008P switch, and the N1548P.

The X1008P works fine, despite the certificate being signed by the chipset manufacturer (Marvell), meaning it is self-signed. We can make an exception for this in Firefox (and in Edge, and in IE).

The N1548P doesn't even seem to be sending my browser a certificate, though as we can see above I believe I have generated a certificate. It entirely rejects connecting via https and there is no option to make an exception, I presume because there is no encryption, or the cypher it is trying to communicate with is not acceptable. I am not sure how to test this.

24 Posts

November 29th, 2017 11:00

First of all I'd like to thank you Daniel for the time you have given in responding to this thread.

This problem is seen on all 14 of my N1548Ps. Daniel from Dell has reproduced it. Can anyone else reading this thread confirm and reproduce this?

I can bypass the error in Chrome, and that's a valid workaround despite my ideological preference for Firefox. I acknowledge that I may have done something very wrong in terms of how I have provisioned my switches, but it is also possible that something about the certificate generation in the N1500 products I have is badly broken. I am certainly not a crypto expert, but the nmap output seems to indicate the latter. So I am kind of thinking the best solution would be to fix the switch firmware so it is secure.

To that end, unless you (Daniel) can recommend to me someone specific at Dell to contact, I'm going to contact support and request this as an enhancement/bugfix. Thanks again for your help.

February 27th, 2018 11:00

Hi,

The issue here seems to be the switch uses problematic cyphers when using https.

I have a client who operates a secure environment and specifically purchased this switch because of its secure management features.

It is only a matter of time before my phone rings after their security-scanning software identifies the switch for using an insecure cypher.

Are there any settings, published or otherwise, that would allow us to change this behavior?

I tried using "ip http secure-protocol TLS1", but it made no difference. We also generated the key with 2048 bytes, so I don't think it's that either.

Thanks in advance.

/Philip

12 Posts

August 18th, 2018 08:00

I have this issue with Firefox and N4032 switches. This may shed more light on it.

https://support.mozilla.org/en-US/questions/1121391

Also, if Dell is using OpenSSL embedded in the switch OS, this may give them a hint on how to configure it for modern https requirements. 
