NeoRouter
http://www.neorouter.com/forum/

SOLVED: Weak NeoRouter SSL certificate
http://www.neorouter.com/forum/viewtopic.php?f=3&t=5809
Page 1 of 1

Author:  acetylator [ Tue Dec 22, 2015 7:32 am ]
Post subject:  SOLVED: Weak NeoRouter SSL certificate

I have just checked my NeoRouter Free server on SSL Labs. Just put in the IP address and port and hit the "Submit" button. The results do not seem to be very good.
Obviously, SSL Labs reports that the certificate is self-signed and therefore should not be trusted. I don't see this as a big problem.

What worries me, though, is the following:
1. The certificate has a weak signature (SHA1). SHA1 should be deprecated after 2015. NeoRouter should really switch to SHA2.
2. Server accepts RC4 cipher.
3. Server does not support Forward Secrecy.

I find these findings quite disturbing. Correct me if I am wrong. Anyway, is it so difficult for the developers to generate a SHA2 certificate to increase security? I would be happy to have feedback from the devs.

Author:  kevinz [ Fri Dec 25, 2015 1:11 pm ]
Post subject:  Re: Weak NeoRouter SSL certificate

Hi acetylator,

While installing, the NR installer generates a default self-signed SSL certificate used to encrypt communication; but one can replace the certificate with any valid certs, either commercial or self-signed. The default signature algorithm of the latest version (v2.4) is SHA1; we will change it to sha256RSA in the next release.

Thanks,
KevinZ - NeoRouter team

Author:  acetylator [ Sun Jan 17, 2016 7:55 am ]
Post subject:  Re: Weak NeoRouter SSL certificate

Thank you for the info, Kevin. I have generated my own self-signed certificate and key (server.crt and server.key) and it works perfectly. Here are my steps in case anyone wants to do the same:
Code:
openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key

Replace original server.crt and server.key files in /usr/local/ZebraNetworkSystems/NeoRouter directory with new files and restart NeoRouter server.
Making your own certificate (which does not have to contain any mention of NeoRouter) also helps hide the fact that a NeoRouter server is running, which can be seen as a security measure (yes, I know, security through obscurity, but this is just another brick in the wall, so it's OK). For this purpose, I recommend using "*" as the CN field.

Cheers.
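The procedure above, worked through as an added example (this script is not from the forum thread or from the NeoRouter project). It generates the replacement server.crt/server.key with a SHA-256 signature and a 2048-bit RSA key, which addresses the first SSL Labs finding, uses "*" as the CN as suggested, and then checks the result the way SSL Labs would read it before anything is installed. The NeoRouter directory is the one named in the post and is assumed unchanged; the function names, the backup file names, and the optional live checks are this example's own. The RC4 and forward-secrecy findings are properties of the server's cipher configuration, not of the certificate, so a new certificate alone will not change them; the live checks only let you confirm that.

```shell
#!/bin/sh
# Added example, not NeoRouter's own code or the poster's script.
set -eu

# Directory from the forum post; assumed to be where NeoRouter keeps its files.
NR_DIR="/usr/local/ZebraNetworkSystems/NeoRouter"

# Generate server.key and server.crt into directory $1.
# -sha256 forces the SHA-2 signature SSL Labs asks for (older OpenSSL builds
# default to SHA-1), -newkey rsa:2048 pins the key size instead of relying on
# the build's default, -nodes leaves the key unencrypted so the server can
# load it without a passphrase. CN defaults to "*" as the post suggests.
gen_cert() {
    dir="$1"; cn="${2:-*}"; days="${3:-365}"
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes \
        -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key should not be world-readable
}

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Print the RSA modulus size in bits (works for OpenSSL 1.0, 1.1 and 3.x output).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        awk '/Public-Key:/ { match($0, /[0-9]+ bit/); print substr($0, RSTART, RLENGTH - 4); exit }'
}

# Print the subject CN; handles both "subject= /CN=x" and "subject=CN = x" styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed only if the certificate carries a SHA-2 family signature.
cert_is_sha2() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace NeoRouter's default files, keeping backups; not run automatically.
install_cert() {
    dir="$1"
    [ -d "$NR_DIR" ] || { echo "$NR_DIR not found" >&2; return 1; }
    cert_is_sha2 "$dir/server.crt" || { echo "refusing to install a non-SHA-2 cert" >&2; return 1; }
    cp -p "$NR_DIR/server.crt" "$NR_DIR/server.crt.bak"
    cp -p "$NR_DIR/server.key" "$NR_DIR/server.key.bak"
    cp "$dir/server.crt" "$dir/server.key" "$NR_DIR/"
    echo "installed into $NR_DIR; restart the NeoRouter server to load it"
}

# Optional live checks against host:port (needs network; not run automatically).
# Shows the signature algorithm the server actually presents, and whether it
# still accepts an RC4 suite (only meaningful if your OpenSSL still has RC4).
live_sig_alg() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}
live_accepts_rc4() {
    openssl s_client -cipher RC4 -connect "$1" </dev/null >/dev/null 2>&1
}

# Stand-alone run: build a certificate in a temporary directory and report
# what SSL Labs would see, without touching the NeoRouter installation.
tmp="$(mktemp -d)"
gen_cert "$tmp"
echo "signature: $(cert_sig_alg "$tmp/server.crt")"
echo "key bits:  $(cert_key_bits "$tmp/server.crt")"
echo "CN:        $(cert_cn "$tmp/server.crt")"
```

After checking the output, run `install_cert "$tmp"` as root and restart the NeoRouter server, then re-run the SSL Labs scan; `live_sig_alg host:port` gives the same answer from the command line. If `live_accepts_rc4 host:port` still succeeds after the swap, that confirms the RC4 and forward-secrecy findings have to be fixed on the server side, not in the certificate.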

All times are UTC - 5 hours