Getting into the USG50 to change the key length to get into the USG50

This topic is intended to avoid thread-jacking the "New ZyWALL USG firmware" topic.
kirby

Kirby Smith
I thought I would check my USG50 usage before upgrading, but find that Firefox, as a result of some recent update it embraced, won't even connect to the unit, viz.,
"An error occurred during a connection to 192.168.1.1. The key does not support the requested operation. (Error code: sec_error_invalid_key)"
192.168.1.1 appears as a certificate in Firefox's certificates list.
I vaguely recall that this has happened before on a rarely used Windows 7 laptop, but not on my main Linux machine, and I don't recall where I might have stashed any information on the problem.
If the solution to this helpful security feature appears somewhere in the thousand plus pages of USG documentation, I'd appreciate a hint as to where. Otherwise, a direct clue for correction would be appreciated.
Thanks
kirby
P.S. I see in Firefox that the certificate expired on 8/02/2014. But I'm not sure how Firefox got that IP address named certificate. I could try changing the expire date, but somehow I think that if it worked it would defeat the entire function of certificates.
P.P.S. I can get in via PuTTY, but without a plan that doesn't do much.

Kirby Smith
~$ openssl s_client -connect 192.168.1.1:443 -showcerts -no_tls1 </dev/null
yields, in part
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Verify return code: 10 (certificate has expired)
So, my research shows recent Firefoxen won't accept this. I need the USG50 to construct a more acceptable certificate.
kirby
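
Added example, not part of the original thread: a small shell function that reads `openssl s_client` output like that quoted in the post above and flags the three problems visible in it (a 512-bit server key, SSLv3, and a non-zero verify return code). The function name, the finding labels and the 2048-bit minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag the weaknesses visible in `openssl s_client` output.
# MIN_RSA_BITS is an assumed local policy value, not one stated in the thread.
MIN_RSA_BITS=2048

# Reads s_client output on stdin and prints one finding per line.
# Returns 0 when nothing was flagged, 1 when at least one finding was printed.
audit_s_client() {
    awk -v min="$MIN_RSA_BITS" '
        function report(msg) {            # print each distinct finding once
            if (!(msg in seen)) { seen[msg] = 1; print msg }
            bad = 1
        }
        BEGIN { bad = 0 }
        /^Server public key is [0-9]+ bit/ {
            if ($5 + 0 < min + 0) { report("WEAK_KEY " $5) }
        }
        /^[ \t]*Protocol[ \t]*:/ {        # negotiated version in SSL-Session
            sub(/^[ \t]*Protocol[ \t]*:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            # Versions treated as legacy here: everything below TLS 1.2.
            if ($0 ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { report("LEGACY_PROTOCOL " $0) }
        }
        /Verify return code:/ {           # 0 means the chain verified
            sub(/^.*Verify return code:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            if ($1 + 0 != 0) { report("VERIFY_FAILED " $0) }
        }
        END { exit bad }
    '
}

# Constructed sample: the lines quoted in the post, one field per line.
SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 10 (certificate has expired)'

printf '%s\n' "$SAMPLE" | audit_s_client || true
# Live device: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | audit_s_client
```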

Kirby Smith
Gork, in a message Oct 26, 2012 10:57 pm (in some time zone) provided an answer to upgrading the certificate, but it requires that one get into the browser interface of the USG in order to upgrade the certificate so Firefox can get into the browser interface. I guess I'll need to install some less choosy browser software than Firefox to do this.
kirby

Kirby Smith
OK, installing Chrome allowed me in so I could construct a new certificate. Once the certificate was constructed and made the active certificate for the communications modes, I could login via Firefox and let it accept the certificate.
It is also possible to highlight the certificate and choose edit, then at the bottom of the edit menu export the certificate to computer. Use a password for encryption or else Firefox won't accept it.
In any case, I am now uploading firmware from ZyWALL USG 50_3.30(BDS.6)C0. Or maybe it already finished uploading but the web page intends to show perpetual uploading. We'll see when perpetuity or my patience ends, whichever comes first.
kirby

Brano, MVM, 2014-Nov-7 7:22 pm
If you had a console cable and console terminal open while upgrading you'd see the whole process and know when it's done

Then I'd have to drag a laptop and myself to the rack in my basement after I discovered where I stored the cable.
What appears to have happened is that BDS.6 uploaded and rebooted, but the Firefox web page just went merrily on showing the JavaScript bar image. When I finally closed Firefox, opened it, and relooked at the dashboard, the upper left dashboard panel showed BDS.6 was in use.
Rebooting confirmed it.
I did find a CLI approach to generating a certificate, but the necessary parameter values were not clear to me.
kirby