HTTPS: Create self-signed certificate with unique serial
Hi guys,
I have got a bug report/feature request:
When generating a self-signed certificate for HTTPS, the switch always uses its MAC address as serial number, which is not permissible and causes Browsers to reject connecting to the device when a certificate with the same serial is already known.
For example in Firefox, one needs to shut down the browser and delete the file cert8.db in the Firefox profile to make it work again.
This could be resolved generating a serial by appending a random string to the MAC address.
Regards,
// Veit
I have got a bug report/feature request:
When generating a self-signed certificate for HTTPS, the switch always uses its MAC address as serial number, which is not permissible and causes Browsers to reject connecting to the device when a certificate with the same serial is already known.
For example in Firefox, one needs to shut down the browser and delete the file cert8.db in the Firefox profile to make it work again.
This could be resolved generating a serial by appending a random string to the MAC address.
Regards,
// Veit
0
Comments
-
Hi @Veit,
Thanks for the information.
I've made a local test using XGS2210-28HP version 4.50 and Firefox version 59.0.2.
In the beginning, accessing the switch via Https will pop-out a warning message "Your connection is not secure". But after I added the switch IP in the "Add Exception" list, the switch can be successfully accessed and didn't need to delete the file cert8.db in the Firefox file.
May I know if you could share your operating system version, Firefox version and procedure how did you encounter the issue?
Thanks.
Zyxel_Jonas
https://us.v-cdn.net/6029482/uploads/78HOOSV0BUBI/240828-nebula-27s-intentcommunity-homepage-1920-x-400.jpgDon't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L
0 -
Hi @Zyxel_Jonas,
thank you for your reply.
This issue does NOT involve 2 switches, but it happened with several switches (all XGS2210-28 FW 4.50, upgraded from 4.40) for me during my tests and automatic (re)configuration. I could invest time to reproduce the issue, if that really helps, but I'd be glad if you tried it first following the following steps.
These are the steps to reproduce:
Prerequisites: Firefox 59.0.2 and a switch XGS2210-28, FW 4.50, let's say its MAC address is 11:22:33:44:55:66.
1. Boot the switch. On first boot it will generate a new self-signed certificate, I assume.
2. Access the switch via https using Firefox.
3. Firefox will ask you to add an exception for the self-signed cert issued for "XGS2210 112233445566".
3. In Firefox click the Padlock symbol next to the URL bar, then ">" button, then the "More information" button.
4. A new window will appear, click "View certificate".
5. A new window will appear, in the first tab you will see that the seriel number of the certificate is the switch's MAC address, so for this hypothetical device "11:22:33:44:55:66".
6. Perform a factory reset using the reset button -- I assume that other methods will work, too. During this process, the switch will generate a new certificate.
7. Perform steps 1 and 2 again. You will likely assert that you will not be able to access the switch as another certificate from the same CA with the same serial number is already known to Firefox.
8. Close Firefox, remove your Firefox profile's cert8.db, start Firefox again.
9. Perform steps 1 to 5 again. You will find out that the new certificate has the same serial as the one before, which is illegitimate and causes the problem described above.
I tested and reproduced this issue with the following browsers:
* Firefox 59.0.2 on Linux
* Firefox 52.7.3 ESR on Linux x86_64
Best regards,
// Veit
0 -
Hi @veit,
Sorry for my late response.
I had successfully reproduced the symptoms on my XGS2210-28 using Linux and Windows OS.
Our internal is already verifying the root cause and will make an update once I've got the result.
For the meantime, kindly delete the cert8.db or cert9.db file as a workaround.
Sorry for the inconvenience.
Thanks.Zyxel_Jonas
https://us.v-cdn.net/6029482/uploads/78HOOSV0BUBI/240828-nebula-27s-intentcommunity-homepage-1920-x-400.jpgDon't miss this great chance to upgrade your Nebula org. for free! https://bit.ly/4g2pS9L
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight