Kirby Smith
join:2001-01-26
Derry, NH

Member

Getting into the USG50 to change the key length to get into the USG50

This topic is intended to avoid thread-jacking the "New ZyWALL USG firmware" topic.

kirby
Kirby Smith

Member

I thought I would check my USG50 usage before upgrading, but find that Firefox, as a result of some recent update it embraced, won't even connect to the unit, viz.,

"An error occurred during a connection to 192.168.1.1. The key does not support the requested operation. (Error code: sec_error_invalid_key)"

192.168.1.1 appears as a certificate in Firefox's certificates list.

I vaguely recall that this has happened before on a rarely used Windows 7 laptop, but not on my main Linux machine, and I don't recall where I might have stashed any information on the problem.

If the solution to this helpful security feature appears somewhere in the thousand plus pages of USG documentation, I'd appreciate a hint as to where. Otherwise, a direct clue for correction would be appreciated.

Thanks

kirby

P.S. I see in Firefox that the certificate expired on 8/02/2014. But I'm not sure how Firefox got that IP address named certificate. I could try changing the expire date, but somehow I think that if it worked it would defeat the entire function of certificates.

P.P.S. I can get in via PuTTY, but without a plan that doesn't do much.
Kirby Smith

Member

~$ openssl s_client -connect 192.168.1.1:443 -showcerts -no_tls1 </dev/null

yields, in part

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA

Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA

Verify return code: 10 (certificate has expired)

So, my research shows recent Firefoxen won't accept this. I need the USG50 to construct a more acceptable certificate.

kirby
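
Added example, not part of any post in this thread: a shell filter that reads `openssl s_client` output like the excerpt quoted above and flags the three things visible in it (the 512-bit server key, the SSLv3 session and the non-zero verify return code). The function names and the 2048-bit minimum are assumptions of this example, not values given in the thread.

```shell
#!/bin/sh
# Added example. MIN_BITS is an assumed policy value, not one stated in the thread.
MIN_BITS=${MIN_BITS:-2048}

# Reads `openssl s_client` output on stdin and prints one finding per line.
# Returns 0 when nothing is flagged, 1 otherwise.
# Live use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | audit_s_client
audit_s_client() {
    awk -v min="$MIN_BITS" '
        /Server public key is [0-9]+ bit/ {
            for (i = 1; i <= NF; i++) if ($i == "is") bits = $(i + 1)
            if (bits + 0 < min + 0) {
                printf "WEAK_KEY %d-bit (minimum %d)\n", bits, min; bad = 1
            }
        }
        /^ *Protocol *:/ {
            proto = $NF
            if (proto == "SSLv2" || proto == "SSLv3") {
                print "OLD_PROTOCOL " proto; bad = 1
            }
        }
        /Verify return code:/ {
            code = $4
            if (code + 0 != 0) {
                # Keep only the text between the parentheses as the reason.
                reason = $0
                sub(/^[^(]*\(/, "", reason); sub(/\).*$/, "", reason)
                printf "VERIFY_FAILED %d (%s)\n", code, reason; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Sample input: the lines quoted in the post above.
thread_sample() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Verify return code: 10 (certificate has expired)
EOF
}

thread_sample | audit_s_client || echo "findings above need attention"
```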
Kirby Smith

Member

Gork, in a message Oct 26, 2012 10:57 pm (in some time zone) provided an answer to upgrading the certificate, but it requires that one get into the browser interface of the USG in order to upgrade the certificate so Firefox can get into the browser interface. I guess I'll need to install some less choosy browser software than Firefox to do this.

kirby
Kirby Smith

Member

OK, installing Chrome allowed me in so I could construct a new certificate. Once the certificate was constructed and made the active certificate for the communications modes, I could log in via Firefox and let it accept the certificate.

It is also possible to highlight the certificate and choose edit, then at the bottom of the edit menu export the certificate to computer. Use a password for encryption or else Firefox won't accept it.

In any case, I am now uploading firmware from ZyWALL USG 50_3.30(BDS.6)C0. Or maybe it already finished uploading but the web page intends to show perpetual uploading. We'll see when perpetuity or my patience ends, whichever comes first.

kirby

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

If you had a console cable and a console terminal open while upgrading, you'd see the whole process and know when it's done.
Kirby Smith
join:2001-01-26
Derry, NH

Member

Then I'd have to drag a laptop and myself to the rack in my basement after I discovered where I stored the cable.

What appears to have happened is that BDS.6 uploaded and rebooted, but the Firefox web page just went merrily on showing the JavaScript bar image. When I finally closed Firefox, opened it, and relooked at the dashboard, the upper left dashboard panel showed BDS.6 was in use.

Rebooting confirmed it.

I did find a CLI approach to generating a certificate, but the necessary parameter values were not clear to me.

kirby