GS1900-10HP and GS1900-24: No SSL-Connection possible anymore
Hello everyone,
i'm in posession of a GS1900-10HP and GS1900-24-Switch, which were configured Mid 2018 (bought Q1 2018). Recently i wanted to access their WebUI through https (unfortunately secured only by their self-generated Certificates) to upload the recent Patch-Hotfix based on the current Beta-Firmware. To my surprise, i wasn't able to access the WebUI through https anymore. Through the current Firefox-Version i got the response "SSL_ERROR_NO_CYPHER_OVERLAP", while Chromium told me about "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", so it seems these Zyxel switches uses some kind of outdated SSL-ciphers in securing their https-connection, which none of my current browsers accept. Fortunately i still got access over http (even though i planned of disabling it for security purposes), so i finally could upgrade their firmware with the latest one.
Well i thought, hey maybe something were changed in the last release, especially as they were mentioned in the changelogs that you now can regenerate a ssl-certificate. Unfortunately it didn't help at all in solving these problems, so the symptoms are the same. As i cannot change the https-security profile to something else except the default entry "default", there are no options to try out here.
Are these problems already known and if that's the case, will there be a fix for it (through setting the ssl default ciphers to something current)?
Many thanks in advance and best regards
Chris
#Biz_Switch_Jan_2019
#Biz_Switch_Jan_2019
0
All Replies
-
I also bought a GS1900-24 last year but had no such issue. I wonder what version of Firefox / Chrome you are using?1
-
Firefox has a unique behavior, after you login to the switch Firefox itself will create a file named "cert9.db" in the Firefox folder. I've read some article that this file is saving the shared key and deleting this file will solve the case.
I'm not quite sure it will work because I'm using Edge and no issue, but you can try it.
Peace~0 -
Thank you very much for your responses. I'm using Firefox in its most current version (64.0.2), as well as Chromium. Interestingly i also encounter identical problems with different (older) Firefox-Portable-Versions like V25, V29, V35 etc, as i first thought, that there might be some deprecated ciphers in use by the switches, which older versions would still allow. In the end no browser (including MS Edge and the Win10 IE) is able to connect to the https-interface.Maybe the "default" ssl-profile in the https-settings got somehow broken in the background?I'm stumpedEdit: I've tried out deleting the cert9.db from the Firefox-Profile-Folder. Unfortunately it didn't help with the issues. The results were the same.0
-
I found some articles talking about this issue
I will send a message to you
You can take a look and try it
But not sure if it works0 -
I found these on the Internet
You can refer to the link and try it.
not sure if it works
Reference 1
Reference 2
0 -
Just found out there is a "Re-Generate Certificate" option in switch's web interface.
Configuration > Management > HTTP/HTTPS > HTTPS
Perhaps it may help.
0 -
Many thanks to all of you for your help. I finally was able to "solve" these issues. Regenerating the certificate or resetting Firefox unfortunately wasn't the solution, as i tried both of it before i posted here. I'm actually pretty speechless that there isn't an option in providing a trusted ssl-certificate to each of the switch-instances, so they don't ever run on self-signed certs (which give no trust anchor at all). I know of the workaround over telnet, but it isn't officially supported and i guess it won't survive any firmware-upgrades in the future.So the solution had actually to do with my local Bitdefener Total Security, which went MITM though it's SSL-Inspection-Module. It seems it doesn't only scan encrypted traffic going through your browser to the destination server (which i was well aware of), but also decides for me, what is worthy for my browser and what is not according to ssl-cipher- and trust-constellations. That's also the reason, why no older Firefox-Portable-Instances (which still supports older ciphers) were able to connect.As soon as i disabled the SSL-inspection i could finally readd the "trust" to the provided self-signed-certificate of my switches and could go directly through to the web-ui with ssl-encryption.I hope this solution helps anyone with identical problems, as almost all AV-Engines today support somehow an SSL-Inspection through MITM. Try disabling this function.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight