
GS1900-10HP and GS1900-24: No SSL-Connection possible anymore

chris_n Posts: 4  Junior Member
edited January 10 in Questions
Hello everyone,

I'm in possession of a GS1900-10HP and a GS1900-24 switch, which were configured in mid 2018 (bought Q1 2018). Recently I wanted to access their WebUI through https (unfortunately secured only by their self-generated certificates) to upload the recent patch hotfix based on the current beta firmware. To my surprise, I wasn't able to access the WebUI through https anymore. The current Firefox version gave me the response "SSL_ERROR_NO_CYPHER_OVERLAP", while Chromium told me about "ERR_SSL_VERSION_OR_CIPHER_MISMATCH", so it seems these Zyxel switches use some kind of outdated SSL ciphers to secure their https connection, which none of my current browsers accept. Fortunately I still have access over http (even though I had planned on disabling it for security purposes), so I could finally upgrade their firmware to the latest one.
Well, I thought, hey, maybe something was changed in the last release, especially as the changelogs mentioned that you can now regenerate an SSL certificate. Unfortunately it didn't help at all in solving these problems, so the symptoms are the same. As I cannot change the https security profile to anything except the default entry "default", there are no options to try out here.

Are these problems already known, and if that's the case, will there be a fix for it (by setting the SSL default ciphers to something current)?

Many thanks in advance and best regards
Chris

#Biz_Switch_Jan_2019

Answers

  • TY9527 Posts: 6  Junior Member
    I also bought a GS1900-24 last year but had no such issue. I wonder what version of Firefox / Chrome you are using? 
  • newBie_ Posts: 5  Junior Member
    Firefox has a unique behavior: after you log in to the switch, Firefox itself will create a file named "cert9.db" in the Firefox folder. I've read an article saying that this file saves the shared key and that deleting this file will solve the case.
    I'm not quite sure it will work because I'm using Edge and have no issue, but you can try it.

    Peace~
  • chris_n Posts: 4  Junior Member
    edited January 12
    Thank you very much for your responses. I'm using Firefox in its most current version (64.0.2), as well as Chromium. Interestingly, I also encounter identical problems with different (older) Firefox Portable versions like V25, V29, V35 etc., as I first thought that there might be some deprecated ciphers in use by the switches which older versions would still allow. In the end no browser (including MS Edge and the Win10 IE) is able to connect to the https interface.
    Maybe the "default" SSL profile in the https settings got somehow broken in the background?
    I'm stumped.

    Edit: I've tried deleting the cert9.db from the Firefox profile folder. Unfortunately it didn't help with the issues. The results were the same.
  • Kim Posts: 2  Junior Member
    I found some articles talking about this issue
    I will send a message to you
    You can take a look and try it
    But not sure if it works
  • Kim Posts: 2  Junior Member
    I found these on the Internet 
    You can refer to the link and try it.
    not sure if it works
    Reference 1
    Reference 2

  • TY9527 Posts: 6  Junior Member
    Just found out there is a "Re-Generate Certificate" option in switch's web interface.
    Configuration > Management > HTTP/HTTPS > HTTPS

    Perhaps it may help.

  • chris_n Posts: 4  Junior Member
    edited January 27
    Many thanks to all of you for your help. I was finally able to "solve" these issues. Regenerating the certificate or resetting Firefox unfortunately wasn't the solution, as I had tried both before I posted here. I'm actually pretty speechless that there isn't an option to provide a trusted SSL certificate to each of the switch instances, so they never have to run on self-signed certs (which give no trust anchor at all). I know of the workaround over telnet, but it isn't officially supported and I guess it won't survive any firmware upgrades in the future.

    So the solution actually had to do with my local Bitdefender Total Security, which went MITM through its SSL inspection module. It seems it doesn't only scan encrypted traffic going through your browser to the destination server (which I was well aware of), but also decides for me what is worthy for my browser and what is not, according to SSL cipher and trust constellations. That's also the reason why none of the older Firefox Portable instances (which still support older ciphers) were able to connect.

    As soon as I disabled the SSL inspection I could finally re-add the "trust" to the provided self-signed certificate of my switches and could go directly through to the web UI with SSL encryption.
    I hope this solution helps anyone with identical problems, as almost all AV engines today support SSL inspection through MITM in some way. Try disabling this function.
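An added diagnostic for the situation in this thread (not code from the thread or from Zyxel): it probes the switch with one TLS version at a time and reports, for each, the negotiated cipher and whether the certificate the client actually received is the device's own self-signed one or was signed by some other CA, which is how an interception proxy like the AV module above shows up. It assumes the OpenSSL command-line tool (1.1.0 or newer, for `@SECLEVEL`) is installed and that the host and port are passed as arguments.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from Zyxel. Assumes the OpenSSL CLI is installed.
# Usage: ./tls_probe.sh <switch-host-or-ip> [port]

# Compare the subject and issuer lines printed by "openssl x509 -subject -issuer".
# A device serving its own self-generated certificate has subject == issuer; anything
# else means the certificate the client received was signed by some other CA.
classify_cert() {
    subj=${1#subject=}
    iss=${2#issuer=}
    if [ "$subj" = "$iss" ]; then
        echo "self-signed"
    else
        echo "signed-by-other-ca"
    fi
}

# One handshake with a fixed protocol version. SECLEVEL=0 lets the client offer the
# legacy ciphers older firmware tends to use, so a failure here comes from the server
# (or from something in the path), not from the local OpenSSL policy.
probe_one() {
    host=$1; port=$2; proto=$3
    out=$(openssl s_client -connect "$host:$port" "$proto" \
            -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null) || true
    cert=$(printf '%s\n' "$out" | openssl x509 -noout -subject -issuer 2>/dev/null) || {
        echo "no handshake"; return 0; }
    ver=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    subj=$(printf '%s\n' "$cert" | grep '^subject=')
    iss=$(printf '%s\n' "$cert" | grep '^issuer=')
    echo "$ver $cipher; certificate $(classify_cert "$subj" "$iss") ($iss)"
}

# Try each TLS version a browser might negotiate. A device that only answers on
# -tls1 or -tls1_1 explains a cipher-overlap error on its own; a certificate signed by
# an unexpected CA on every version points at an interception proxy on the client side.
probe_device() {
    for proto in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s ' "$proto"
        probe_one "$1" "${2:-443}" "$proto"
    done
}

if [ -n "${1:-}" ]; then probe_device "$1" "${2:-443}"; fi
```

Run it once with the AV's SSL inspection enabled and once with it disabled; if the issuer line changes between the two runs, the proxy is rewriting the handshake rather than the switch rejecting it.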