Community


All times are UTC - 5 hours




Post new topic Reply to topic  [ 3 posts ] 
Author Message
 Post subject: SOLVED: Weak NeoRouter SSL certificate
PostPosted: Tue Dec 22, 2015 7:32 am 
Offline

Joined: Sun Aug 23, 2015 10:39 am
Posts: 7
I have just checked my NeoRouter Free server on SSL Labs. Just put IP address and port a hit "Submit" buttons. The results seem to be not very good.
Obviously, SSL Labs reports that certificate is self-signed, therefore it should not be trusted. I don't see this as a big problem.

What worries me, though, is the following:
1. Certificate has a weak signature (SHA1). SHA1 should be deprecated after 2015. NeoRouter should really switch to SHA2.
2. Server accepts RC4 cipher.
3. Server does not support Forward Secrecy.

I see these findings quite disturbing. Correct me if I am wrong. Anyway, is it so difficult for developers to generate SHA2 certificate to increase security? Would be happy to have feedback from devs.


Last edited by acetylator on Sun Jan 17, 2016 7:58 am, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Weak NeoRouter SSL certificate
PostPosted: Fri Dec 25, 2015 1:11 pm 
Offline

Joined: Sun Nov 16, 2008 6:41 am
Posts: 1868
Hi acetylator,

While installing, the NR installer generates a default self-signed ssl certificates used for the communication encryption; but one can replace the certificates with any valid certs, either commercial certs or self-signed. The default signature algorithm of the latest version (v2.4) is sha1, we will change it to sha256RSA in the next release.

Thanks,
KevinZ - NeoRouter team


Top
 Profile  
 
 Post subject: Re: Weak NeoRouter SSL certificate
PostPosted: Sun Jan 17, 2016 7:55 am 
Offline

Joined: Sun Aug 23, 2015 10:39 am
Posts: 7
Thank you for the info, Kevin. I have generated my own self-signed certificate and key (server.crt and server.key) and it works perfectly. Here are my steps in case anyone wants to do the same:
Code:
openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key

Replace original server.crt and server.key files in /usr/local/ZebraNetworkSystems/NeoRouter directory with new files and restart NeoRouter server.
Making your own certificate (which does not have to contain any mentions about NeoRouter) also helps to hide the fact that NeoRouter server is running, which can be seen as a security measure (yes, I know, security through obscurity, but this is just another brick in the wall, so it's OK). For this purpose, I recommend to use "*" as CN field.

Cheers.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron