Web UI not working after disabling the SSL3

NeEl
Level 1

Hi,

I have disabled SSLv3 through the CLI, and since then the Web UI is not working.


Mathew Huynh
Cisco Employee
Hello NeEl,

Could you try a different browser and see if it returns any availability of access?
Also, by SSLv3 I assume you mean the protocol on the checkboxes for the GUI?

Please ensure you have valid ciphers available to allow negotiation as well.

Regards,
Matthew

Hi Matthew,

 

Yes, I have checked on multiple browsers. These are SMA devices and I have disabled SSLv3 for all four services: EUQ, WEBUI, LDAP, UPDATER. I tried to re-enable it with only the WEBUI service, but the issue persists even after enabling it for all the services. Yes, it's giving an error for ciphers after enabling it for all the services; however, I haven't made any changes to the ciphers, I simply disabled SSLv3 for all the services.

 

Regards,

Neel Mehta

Hello Neel,

When attempting to login now (even with SSLv3 enabled) it's giving you an SSL type error on the browser?

Could you try to clear any cache and cookies and re-try?

Regards,
Matthew

Hi Matthew,

Please find the below error given by web browser, after deleting all the history and cookies. 

This site can’t provide a secure connection
XXX.XXX.XXX.XXX uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

Regards,

Neel Mehta

Hey Neel,

It seems the SSL configuration may not be properly committing for the services required.
Are you able to use the CLI and mail the configuration to yourself?

Within that XML check the sslconfig and verify:

<ssl>
<ssl_inbound_method>tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1_0tlsv1_1tlsv1_2</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>


<gui_ssl_tls_versions>
<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
</gui_ssl_tls_versions>

(this is my lab device on version 11)

Regards,
Matthew

Hi Matthew,

Please find the SSL configuration below.

 

<ssl>

<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>

<gui_ssl_tls_versions>

<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
<gui_ssl_tls_version>SSLv3.0</gui_ssl_tls_version>

</gui_ssl_tls_versions>

 

Note: This is an old configuration file, as I don't know how to check the current configuration through the CLI.

 

Regards,

Neel Mehta

Hey Neel,

You can go on your SMA CLI -> mailconfig (or showconfig and press any key until you find the ssl part, but that will take longer).

So your old config had both SSLv3 and TLS1 for it - cipher was pretty lax as well.

If the current config after commits shows differently you could consider XML editing and re-pasting the configuration back in.

Otherwise; if possible as it -may- get complex; if you can open a TAC case and share access to the SMA, it would help in that regard.

From what I can see the SSL config in your configuration file (old one) would work fine.

Regards,
matthew

Hi Matthew

Please find the current configuration below:

<ssl>
<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>

<gui_ssl_tls_versions>
<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
</gui_ssl_tls_versions>

 

Regards, 

Neel Mehta

Hello Neel,

It looks like your SMA is set to use TLS1.0 for GUI.
Your browsers however, it seems it may not be negotiating SSL (TLSv1) properly if it's generating that error.
This cipher list is allowing a lot of available ciphers for negotiation, but if the protocol negotiation fails we may not get to this stage.

Can you verify what happens if you re-enable SSLv3 for WebUI like your older config.
Once done, press enter a few times and commit; then retry.

I'm using the latest Firefox on my PC with the SMA allowing TLSv1 only and it's operational on my end.

Regards,
matthew

Hi Matthew,

Issue is resolved,

GUI is accessible after enabling the TLSv1.1 & TLSv1.2 for WEBUI.

 

Regards,

Neel Mehta
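
Added example (not part of the original thread and not Cisco code): an offline audit of the `<ssl>` block from an exported configuration, which splits the run-together method strings shown above and reports, per service, whether SSLv3 is still on, whether TLSv1.2 is missing, and whether RC4 is explicitly listed. The `<config>` wrapper, the function names, and reading a bare `tlsv1` as TLS 1.0 (as the thread does) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the "current" <ssl> block posted in the thread,
# wrapped in a hypothetical <config> root so it parses stand-alone.
SAMPLE = """<config>
<ssl>
<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>
</config>"""

# Method values are protocol names run together with no separator.
# Longest alternatives come first so "tlsv1_2" is not read as "tlsv1".
TOKEN = re.compile(r"sslv2|sslv3|tlsv1_[0-3]|tlsv1")

def split_methods(value):
    """Split e.g. 'sslv3tlsv1_0tlsv1_2'; raise if anything is left unparsed."""
    value = "".join(value.split()).lower()
    tokens = TOKEN.findall(value)
    if "".join(tokens) != value:
        raise ValueError(f"unrecognised method string: {value!r}")
    # Assumption: a bare 'tlsv1' means TLS 1.0, as the thread reads it.
    return ["tlsv1_0" if t == "tlsv1" else t for t in tokens]

def audit(xml_text):
    """Return {service: [findings]} for every ssl_<service>_method element."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "ssl" else root.find(".//ssl")
    report = {}
    for el in ssl:
        m = re.fullmatch(r"ssl_(\w+)_method", el.tag)
        if not m:
            continue
        svc, findings = m.group(1), []
        methods = split_methods(el.text or "")
        if {"sslv2", "sslv3"} & set(methods):
            findings.append("SSLv2/SSLv3 still enabled")
        if "tlsv1_2" not in methods:
            findings.append("TLSv1.2 not enabled")
        ciphers = "".join((ssl.findtext(f"ssl_{svc}_ciphers") or "").split()).split(":")
        weak = [c for c in ciphers if c.upper().startswith("RC4")]
        if weak:
            findings.append("RC4 explicitly allowed: " + ",".join(weak))
        report[svc] = findings
    return report
```

Running `audit(SAMPLE)` flags the `gui` service for missing TLSv1.2, which is the setting the resolution above changed, while `inbound` and `outbound` are flagged for SSLv3.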

Hello Neel,

Happy to hear you were able to resolve it :).

Regards,
matthew

Hi Matthew,

 

Thank you :D, and also thanks for your help in narrowing down the issue...