spa122 unable to connect https: firefox 34 or 39+ or latest chrome "The connection was interrupted"

Sam Stormy
Level 1

I'm using Firefox 34 and firmware 1.3.5 (latest) on an SPA122; however, I'm unable to connect to the admin page over https. This is probably similar to:

http://kb.mit.edu/confluence/pages/viewpage.action?pageId=147914951

Firefox fails with:

"The connection was interrupted

The connection to 192.168.1.134 was interrupted while the page was loading."

I suspect somehow the "certificate" has to be re-generated on the Cisco device.

Changing the access method to http is a quick workaround, but looking long term, I need a way to use https/Firefox.

Any ideas?

Thanks.

21 Replies

Thanks Dan. I think I have a higher chance to convince Cisco to put out a newer certificate into their firmware than to convince all the browser development teams that ssl3 is not broken :)

From a security standpoint, if a protocol is deemed broken, it is to be removed, and continuous usage leaves the door open, be it in your so-called "secure" environment or whatnot. The leading browsers seem to want nothing to do with broken code.

I'm curious how OTHERS are dealing with this? Running older browsers? Have a workaround for current browsers? And what about Cisco TESTING teams? How can they test this? Using old "non-secure" software?? :)

Stormy.

Moved to Firmware 1.4.0: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/csbpvga/spa100-200/release/spa112-122-232d-302d-rn-1-4-0.html

Absolutely no change at all from before.

- Firefox 38 is able to login to HTTPS (spa122), however firefox 39 or higher cannot connect to the SAME device..

- Chrome Version 46.0.2490.80 m cannot connect using https. 

- IE9 can connect using https.

Also, despite BOTH http & https check-marked in Web Access Management and "Admin Access" marked as Enabled, only http connection is not working from ANY browser, and even "wget http://192.168.1.41" does not return anything, yet pings, and https do return data.

Can someone with support pass this to Cisco? I've got 3 such boxes, all showing the same behavior. Is it just ME seeing this? Or just me using SPA122? Or just me trying to connect via web interface on "modern browsers" :) :)

Sam...

We are in the same boat and are trying to move to HTTPS web interfaces only on all phones and ATA devices.

So we are also unable to access the Cisco SPA1x2 devices due to all major browsers removing SSLv3 support completely (which still can be considered a good thing basically).

So the only way forward would be to change the defaults in the ATA firmware. Hopefully we are seeing support for TLSv1.2 in the next firmware.

I really do hope that Cisco does not advise customers to use insecure browsers (or specifically known to be insecure settings). That would imply that it is also common practice for Cisco support and QA, opening some nice attack vectors (which have nothing to do with the SPA now, but having to use insecure protocols to access them).

So keep your thumbs crossed, for the next firmware.

Just note that Cisco engineers seem not to read those forums. Call SMB support center if you wish to express a feature request.

But you should prepare better arguments than "you should not advise to use insecure browser". Either learn something about security, or don't use security-related arguments.

If a protocol is disabled by default, but it can be enabled by skilled administrator, then you may claim such product "more secure". But if you remove support for particular protocol so it can't be enabled, then such product is less secure.

E.g. overall security of Firefox 39 (with protocol removed) is lower than the security of Firefox 38 (with protocol just disabled by default).

There are other (good) reasons to fully remove support for those ancient protocols, but they have nothing to do with security.

Well, I hate such a common lie repeated again and again, so I'm upset a lot to hear it again. Ignore the gray part of comment, if you wish to know nothing about security.

I think that with the SPA1x2 Cisco has a very good product and as they are still selling and supporting it, I hope they see enough reason to adjust the firmware to use a secure transport protocol for the web interface that is supported by major browser vendors.

I also still hope that Cisco also at least partly follows these forums, there must be a reason they host those...

Keep up the good work on the SPA1x2 Cisco, we appreciate it.

As I'm really not into flamewars let me say that I totally respect your opinion. Please also know that I can spell out enough security buzzwords and abbreviations to be able to understand your reasoning.

IMHO as browser vendors had the consensus decision already, there is not much to argue. Enabling SSLv3 in the browser would lead to this browser being *less* secure, as known downgrade attacks are possible now against this browser (not the SPA) with a prepared webserver (see https://en.wikipedia.org/wiki/POODLE for example, CVE-2014-3566). So unless a feature to "enable this particular protocol only for this single site I know is fine" would be available in browsers (which I also would prefer), I cannot second your generalized claims of making the browser less secure.

It is also known that there are reasons to not trust the TLS protocol due to protocol complexity, uncovered errors in the implementations of openssl by the openssl/libressl team (like Heartbleed). But browsers support these today, so we should use those.

Feel free to ignore the grey part of comment, as you probably won't learn anything about security from it.

Well, I wish not to make this thread off topic. So I will comment neither SPA112 product quality nor the quality of SMB Support center here. Not even your chances a Cisco engineer will read your request.

Just a final note related to your request - new firmware will not help you in full. The units will be sold with the older one for a very long time. You will need to access the UI to upgrade the unit (I assume you are unable to use provisioning). Thus an unrestricted browser will still be necessary to deploy the unit.

Remember such browser if requested firmware will not be released in reasonable time.

Yeah, a bit strange that a year passed and no solution in firmware. Btw, a newer v1.4.1 is out, no change though... still requires old and non-secure browsers.

I did contact Cisco, but having no support contract, they totally ignore the request.  Strange that no other customer WITH support requested that, or they did, and it never got around to getting done... the new world....
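
Added example (not part of any post in this thread, and not Cisco code): one way to confirm from a packet capture which protocol version a device's HTTPS listener actually answers with, for instance before and after a firmware upgrade. The function names and the sample byte strings are constructed for illustration; the input is the first record the server sends back after the browser's ClientHello.

```python
import struct

# (major, minor) version bytes as they appear on the wire.
# Note: a TLS 1.3 server also reports (3, 3) in this legacy field.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def parse_server_reply(data: bytes) -> dict:
    """Classify the first SSL/TLS record a server returned to a ClientHello."""
    if len(data) < 5:
        return {"result": "no-reply"}            # connection closed or reset
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:           # alert record: level, description
        return {"result": "alert", "level": body[0], "description": body[1]}
    if ctype != 22 or len(body) < 6 or body[0] != 2:
        return {"result": "unexpected"}          # not a ServerHello handshake
    # Handshake header is type(1) + length(3); server_version follows.
    name = VERSIONS.get((body[4], body[5]), "unknown")
    return {"result": "server-hello", "version": name,
            "deprecated": name in DEPRECATED}

def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample: a minimal ServerHello record for the given version."""
    hello = bytes([major, minor]) + bytes(32)    # version + 32-byte random
    hello += b"\x00" + b"\x00\x2f" + b"\x00"     # no session id, suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return bytes([22, major, minor]) + len(handshake).to_bytes(2, "big") + handshake

# Constructed sample inputs (not captured from a real device).
SAMPLE_SSLV3_HELLO = build_server_hello(3, 0)
SAMPLE_TLS12_HELLO = build_server_hello(3, 3)
SAMPLE_FATAL_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure(40)

if __name__ == "__main__":
    for label, raw in [("sslv3", SAMPLE_SSLV3_HELLO),
                       ("tls1.2", SAMPLE_TLS12_HELLO),
                       ("alert", SAMPLE_FATAL_ALERT),
                       ("empty", b"")]:
        print(label, parse_server_reply(raw))
```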