GS1900-10HP and GS1900-24: No SSL-Connection possible anymore

chris_n
chris_n Posts: 4  Freshman Member
edited August 2022 in Switch
Hello everyone,

i'm in posession of a GS1900-10HP and GS1900-24-Switch, which were configured Mid 2018 (bought Q1 2018). Recently i wanted to access their WebUI through https (unfortunately secured only by their self-generated Certificates) to upload the recent Patch-Hotfix based on the current Beta-Firmware. To my surprise, i wasn't able to access the WebUI through https anymore. Through the current Firefox-Version i got the response "SSL_ERROR_NO_CYPHER_OVERLAP", while Chromium told me about "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", so it seems these Zyxel switches uses some kind of outdated SSL-ciphers in securing their https-connection, which none of my current browsers accept. Fortunately i still got access over http (even though i planned of disabling it for security purposes), so i finally could upgrade their firmware with the latest one.
Well i thought, hey maybe something were changed in the last release, especially as they were mentioned in the changelogs that you now can regenerate a ssl-certificate. Unfortunately it didn't help at all in solving these problems, so the symptoms are the same. As i cannot change the https-security profile to something else except the default entry "default", there are no options to try out here.

Are these problems already known and if that's the case, will there be a fix for it (through setting the ssl default ciphers to something current)?

Many thanks in advance and best regards
Chris

#Biz_Switch_Jan_2019

All Replies

  • Sakura_T
    Sakura_T Posts: 101  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    I also bought a GS1900-24 last year but had no such issue. I wonder what version of Firefox / Chrome you are using? 
  • newBie_
    newBie_ Posts: 15  Freshman Member
    First Anniversary Friend Collector First Comment
    Firefox has a unique behavior, after you login to the switch Firefox itself will create a file named "cert9.db" in the Firefox folder. I've read some article that this file is saving the shared key and deleting this file will solve the case.
    I'm not quite sure it will work because I'm using Edge and no issue, but you can try it.

    Peace~
  • chris_n
    chris_n Posts: 4  Freshman Member
    edited January 2019
    Thank you very much for your responses. I'm using Firefox in its most current version (64.0.2), as well as Chromium. Interestingly i also encounter identical problems with different (older) Firefox-Portable-Versions like V25, V29, V35 etc, as i first thought, that there might be some deprecated ciphers in use by the switches, which older versions would still allow. In the end no browser (including MS Edge and the Win10 IE) is able to connect to the https-interface.
    Maybe the "default" ssl-profile in the https-settings got somehow broken in the background?
    I'm stumped

    Edit: I've tried out deleting the cert9.db from the Firefox-Profile-Folder. Unfortunately it didn't help with the issues. The results were the same.
  • Kim
    Kim Posts: 37  Freshman Member
    I found some articles talking about this issue
    I will send a message to you
    You can take a look and try it
    But not sure if it works
  • Kim
    Kim Posts: 37  Freshman Member
    I found these on the Internet 
    You can refer to the link and try it.
    not sure if it works
    Reference 1
    Reference 2

  • Sakura_T
    Sakura_T Posts: 101  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Just found out there is a "Re-Generate Certificate" option in switch's web interface.
    Configuration > Management > HTTP/HTTPS > HTTPS

    Perhaps it may help.




  • chris_n
    chris_n Posts: 4  Freshman Member
    edited January 2019
    Many thanks to all of you for your help. I finally was able to "solve" these issues. Regenerating the certificate or resetting Firefox unfortunately wasn't the solution, as i tried both of it before i posted here. I'm actually pretty speechless that there isn't an option in providing a trusted ssl-certificate to each of the switch-instances, so they don't ever run on self-signed certs (which give no trust anchor at all). I know of the workaround over telnet, but it isn't officially supported and i guess it won't survive any firmware-upgrades in the future.

    So the solution had actually to do with my local Bitdefener Total Security, which went MITM though it's SSL-Inspection-Module. It seems it doesn't only scan encrypted traffic going through your browser to the destination server (which i was well aware of), but also decides for me, what is worthy for my browser and what is not according to ssl-cipher- and trust-constellations. That's also the reason, why no older Firefox-Portable-Instances (which still supports older ciphers) were able to connect.

    As soon as i disabled the SSL-inspection i could finally readd the "trust" to the provided self-signed-certificate of my switches and could go directly through to the web-ui with ssl-encryption.
    I hope this solution helps anyone with identical problems, as almost all AV-Engines today support somehow an SSL-Inspection through MITM. Try disabling this function.