I get it, older versions of TLS and SSL are insecure and we should not be using them. However, I needed to get on an HPE Server iLO management interface last week and I was met with this.
Firefox Error: SSL_ERROR_UNSUPPORTED_VERSION
Microsoft Edge, Chrome, and Opera Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Microsoft Internet Explorer Error: This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner. Your TLS security settings aren’t set to the defaults, which could also be causing this error.
Firefox Solution: SSL_ERROR_UNSUPPORTED_VERSION
I advise you just do this to get to the page you need and set it back afterwards. In your browser window enter about:config, type TLS into the search bar, locate security.tls.version.min and change its value to 1, then tick to save.
And now, I can get to where I want to go.
IE Solution: SSL_ERROR_UNSUPPORTED_VERSION
Yeah, I know Internet Explorer is supposed to be dead, but it’s still there and you can utilise it to solve this problem: from Internet Options in IE > Advanced, you can enable TLS 1.1 and 1.2.
You will still get a warning but now you can click past it.
Related Articles, References, Credits, or External Links
I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;
Firefox Certificate Settings
So the machine I’m using DOES trust the CA that issued that certificate (it’s a FortiGate firewall), but the BROWSER does not. (Firefox maintains its own list of certificates and, more importantly, which CA certificates it will trust.) Essentially the browser is trying to protect you from a MITM attack.
Browse to about:preferences#privacy > Certificates > View Certificates.
Import.
Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > Select ‘Trust this CA to identify websites’ > OK
I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.
Note: I have a couple of management VMs in EVE-NG (Windows 7 and Server 2012); they had a mixture of IE, Chrome and Firefox on them, but still I could not get in?
Solution
All forums yielded no more info other than ‘Check you have allowed access for http’. But as you can see (above) the Fortinet logo is on the window, so I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.)
Just for fun I connected the outside interface to my test network, allowed http, and tried from there; it worked perfectly? So I deployed another Fortigate and connected the ‘inside’ interface to my test network; again it worked fine? At this point it was becoming obvious that my management machines’ browsers were probably the problem. So I deployed a new Kali Linux VM, fired up Firefox and;
That took a LOT longer than it needed to!
Out of the box, Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and there are also a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java, so make sure the machine has Java installed.
Note: If you are using Java version 7 Update 51 see the following article.
Operating System | Internet Explorer | Firefox | Safari | Chrome | Oracle JRE
Microsoft Windows: 10, 8 (8.1), 7, Server 2012 R2, Server 2012, 2008 Server, XP | Yes | Yes | No support | Yes | 8.0
Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support | Yes | Yes | Yes (64 bit only) | 8.0
Linux: Ubuntu Linux 14.04, Debian Linux 7 | N/A | Yes | N/A | Yes | 8.0 (Oracle only)
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server; this is a common “gotcha”!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, do the following: File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the Running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is “allowed” access
2. Log into the firewall, go to enable mode > Enter the enable password
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#
[/box]
3. The ASDM is enabled with the command “http server enable”; to make sure that’s there, issue a “show run http” command.
[box]
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
[/box]
Note: if the command is NOT there, you need to issue the following three commands:
[box]
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Note: If you see a number after the command, e.g. “http server enable 2456”, then you need to access the ASDM on that port, like so: {IP address/Name of ASA}:2456. (This is common if you’re port forwarding https but still want to access the ASDM externally.)
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access; if yours is NOT listed, you can add it as follows:
6. The ASA needs to be told what file to use for the ASDM. To make sure it has been told, issue the following command (if there is NOT one specified, skip forward to step 7 to see if there is an ASDM image on the firewall).
[box]
PetesASA# show run asdm
asdm image disk0:/asdm-739.bin
Note: on a Cisco PIX the results will look like..
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
[/box]
7. Write down the file that it has been told to use (in the example above, asdm-739.bin). Then make sure that file is actually in the firewall’s memory with a “show flash” command.
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).
[box]
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
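An added example (my own code, not from the original article or from Cisco) that answers the two questions steps 3 to 7 above pose, from pasted CLI output: is my client IP allowed to reach ASDM on this interface (and on which port), and does the file named by “asdm image” actually exist in flash? The “show run http” and “show run asdm” samples are constructed from the boxes above; the “show flash” listing is hypothetical.

```python
import ipaddress

# Constructed sample output modelled on the boxes above; the "show flash"
# listing is hypothetical (only its last column, the filename, is used).
SHOW_RUN_HTTP = """\
http server enable 2456
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
"""
SHOW_RUN_ASDM = "asdm image disk0:/asdm-739.bin\n"
SHOW_FLASH = """\
--#--  --length--  -----date/time------  path
   11  27260928    Mar 12 2018 10:14:02  asa983-smp-k8.bin
   12  26350848    Mar 12 2018 10:16:40  asdm-739.bin
"""

def parse_http(text):
    """Return (enabled, port, [(network, interface), ...]) from 'show run http'."""
    enabled, port, allowed = False, 443, []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["http", "server", "enable"]:
            enabled = True
            if len(parts) == 4:            # "http server enable 2456"
                port = int(parts[3])
        elif len(parts) == 4 and parts[0] == "http":
            try:                           # "http <network> <mask> <interface>"
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:             # e.g. "http redirect inside 80"
                continue
            allowed.append((net, parts[3]))
    return enabled, port, allowed

def client_allowed(show_run_http, client_ip, interface):
    """(allowed?, port) for a client arriving on the named interface."""
    enabled, port, allowed = parse_http(show_run_http)
    ip = ipaddress.ip_address(client_ip)
    ok = enabled and any(ip in net and iface == interface for net, iface in allowed)
    return ok, port

def asdm_image_present(show_run_asdm, show_flash):
    """(image filename, found in flash?) for the configured 'asdm image' line."""
    for line in show_run_asdm.splitlines():
        parts = line.split()
        if parts[:2] == ["asdm", "image"] and len(parts) == 3:
            name = parts[2].split("/")[-1]       # disk0:/asdm-739.bin -> asdm-739.bin
            in_flash = any(l.split()[-1:] == [name] for l in show_flash.splitlines())
            return name, in_flash
    return None, False
```

Paste your own firewall’s output into the three strings; a False from client_allowed with the default port 443 means “http server enable” itself is missing (step 3), while False with a non-default port means your address is not in the list (step 4).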
I wonder how many hours I’ve lost trying to get browsers to connect to things when the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.
Your connection is not secure
The owner of {site} has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Error code: SEC_ERROR_UNKNOWN_ISSUER
Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.
Solution
Browse to about:config, then search for security.enterprise and set security.enterprise_roots.enabled to true (this makes Firefox trust the CA certificates installed in the operating system’s certificate store).
Now it will work
Firefox is what I use when Opera does not work, so when I tried to connect to some management servers that did not support Opera this happened;
Secure Connection Failed. An error occurred during a connection to {FQDN}. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
Solution
Navigate to ‘about:config’ > I’ll be careful, I promise!
In the search bar type ssl3.dhe_rsa_aes_128_sha > change its value to false.
In the search bar type ssl3.dhe_rsa_aes_256_sha > change its value to false.
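The about:config changes in this and the two Firefox articles above (security.tls.version.min, security.enterprise_roots.enabled and the two DHE cipher prefs) are easy to forget to put back. As an added example, not part of the original articles, this Python script reads a Firefox prefs.js and lists which of those prefs are still off their stock value; the stock values are my assumption for current Firefox releases.

```python
import re

# Prefs the Firefox articles above tell you to change, paired with the value
# that restores stock behaviour (assumed defaults for current Firefox releases).
STOCK_VALUES = {
    "security.tls.version.min": 3,              # 3 = TLS 1.2; 1 = TLS 1.0
    "security.enterprise_roots.enabled": False,
    "security.ssl3.dhe_rsa_aes_128_sha": True,
    "security.ssl3.dhe_rsa_aes_256_sha": True,
}

# Firefox persists overrides as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    """Turn the JS literal Firefox writes (true/false, number, "string") into Python."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw)

def parse_prefs(text):
    """Map pref name -> value for every user_pref line in prefs.js / user.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def leftover_overrides(text):
    """{pref: (current, stock)} for the prefs above that are still off-default."""
    prefs = parse_prefs(text)
    return {name: (prefs[name], stock) for name, stock in STOCK_VALUES.items()
            if name in prefs and prefs[name] != stock}

# Constructed prefs.js: the TLS 1.0 and DHE workarounds were never reverted,
# the enterprise-roots change was.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.urlbar.trimURLs", false);
user_pref("security.tls.version.min", 1);
user_pref("security.enterprise_roots.enabled", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
"""

if __name__ == "__main__":
    for name, (current, stock) in leftover_overrides(SAMPLE_PREFS).items():
        print(f"{name} is {current!r}; stock value is {stock!r}")
```

Point it at the prefs.js in your Firefox profile folder (close Firefox first, as it rewrites the file on exit) to check after a day of fighting management interfaces.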
Did you know you can install Java and Flash with the Ubuntu Restricted Extras pack?
I’m not a big fan of Java; in the past I’ve either had the wrong version, or it’s made something run like a dog, but I need it for the Cisco management stuff I need to do. (Guess what the next article is going to be 🙂) Like Adobe Flash, there seems to be a lot of different info out on the web about how to do this, so it took me a while to do something that was painfully easy in the end.
Solution
1. Click Applications > Ubuntu Software Centre > type “java” in the search box > locate OpenJDK Java 6 Runtime.
2. Hit install.
3. You may be asked to authenticate; do so. My netbook is a little slow, so at this point it appeared to hang for a while. (Go and have a brew! It will be finished by the time you come back.)
Firefox 7 came out today (Download Firefox 7), and the new version has decided to shorten the URL displayed in your address bar, to put it back to its old style you need to change a setting.
Solution
1. In the address bar type about:config, and then click “I’ll be careful, I promise”.
2. Locate the browser.urlbar.trimURLs entry, then double-click it to change it from true to false.
Even though I prefer to use the command line, there are times I need to manage Cisco firewalls from the ASDM. Doing this from my netbook running Ubuntu 10.10 was not as straightforward as I was used to.
Solution
In my scenario I’m using Ubuntu 10.10 Desktop Edition, Chrome as my browser, and the ASDM is running version 6.3(1).
2. Connect to the web console of the firewall using its configured IP address. Chrome by default will download the Java file (which I’ve written about before). Normally this is annoying, but here it’s a good thing: by default it will drop the file in the Downloads directory of your home folder; for simplicity I moved it to the root of my home folder. Then open a terminal window (Applications > Accessories > Terminal) and execute the following command.
[box]javaws asdm.jnlp[/box]
3. After a little while, you will be prompted to accept the certificate (the self-signed certificate on the server will not be trusted; that’s OK).
4. After entering your password (the user name will be blank, unless you have enabled AAA), the ASDM will open.
5. Thankfully, you only need to do this the first time you connect; the next time you try, it will open the ASDM password prompt and run correctly.