SSL_ERROR_UNSUPPORTED_VERSION

SSL_ERROR_UNSUPPORTED_VERSION KB ID 0001856

Problem

I get it, older versions of TLS and SSL are insecure and we should not be using them. However I needed to get on an HPE Server iLO management interface last week and I

was met with this.

Firefox Error: SSL_ERROR_UNSUPPORTED_VERSION
Microsoft Edge, Chrome, and Opera Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Microsoft Internet Explorer Error:
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner. Your TLS security settings aren’t set to the defaults, which could also be causing this error.

Firefox Solution : SSL_ERROR_UNSUPPORTED_VERSION

I advise you just do this to get to the page you need to and set it back afterwards. In your browser windows enter about:config, Type TLS into the search bar and locate security.tls.version.min and change its value to 1, Then tick to save.

And now, I can get to where I want to go.

IE Solution : SSL_ERROR_UNSUPPORTED_VERSION

Yeah, I know Internet Explorer is supposed to be dead, but it’s still there and you can utilise it to solve this problem, from your internet options in IE > Advanced  > you can then enable TLS 1.1. and 1.2.

You will still get a warning but now you can click past it.

Related Articles, References, Credits, or External Links

ERR_CERT_WEAK_SIGNATURE_ALGORITHM

ERR_CERT_COMMON_NAME_INVALID

 

Software is Preventing Firefox From Safely Connecting to this Site

KB ID 0001727

Problem

I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;

Firefox Certificate Settings

So the machine I’m using DOES trust the CA that issued that certificate, (it’s a FortiGate firewall) But the BROWSER does not. (Firefox maintains its own list of certificates, and more importantly which CA certificates it will trust). Essentially the browser is trying to protect you from a MITM attack.

Browse to about:prefernces#privacy > Certificates  > View Certificates.

Import.

Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > Select ‘Trust this CA to identify websites” > OK

Related Articles, References, Credits, or External Links

NA

Fortigate Blank Web Page?

KB ID 0001713

Problem

I’ve been trying to deploy a Fortigate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.

Note: I have a couple of management VMs in EVE-G (Windows 7 and Server 2012), they had a mixture of IE, Chrome and Firefox on them but still I could not get in?

Solution

All forums yielded no more info other than ‘Check you have allowed access for http“. But as you can see (above) for Fortinet Logo is on the windows I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.

Just for fun I connected the outside interface to my test network, allowed http, and tried from there, it worked perfectly? So I deployed another Fortigate and connected the ‘inside’ interface to my test network, again it worked fine? At this point it was becoming obvious that my management machines browsers were probably the problem. Is I deployed a new Kali Linux VM fired up Firefox and;

That took a LOT longer than it needed to!

Related Articles, References, Credits, or External Links

NA

 

Cannot Access / Open ASDM

KB ID 0000458

Problem

Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.

Solution

Make sure the client machine you are using is not the problem

1. The ASDM runs using Java make sure the machine has Java installed.

Note: If you are using Java version 7 Update 51 see the following article.

Unable to Access ASDM – “Unable to launch device manager from…”

2. Make sure the internet browser you are using is supported:

Operating System
Browser
 
Java SE Plug-in1
Internet Explorer
Firefox2
Safari
Chrome

Microsoft Windows

10
8(8.1)
7
Server 2012 R2
Server 2012
2008 Server
XP

Yes

Yes

No support

Yes

8.0

Apple Macintosh OS X:

10.6
10.5
10.4

No support

Yes

Yes

Yes (64 bit only)

8.0

Ubuntu Linux 14.04
Debian Linux 7

N/A

Yes

N/A

Yes

8.0 (Oracle only)

Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.

Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!

4. Can another machine access the ASDM?

5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.

Make sure the ASA is configured correctly, and your PC is “allowed” access

1. Connect to the firewall using either SSH, Telnet, or via the Console Cable.

2. Log into the firewall, go to enable mode > Enter the enable password

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#

[/box]

3. The ASDM is enabled with the command “http server enabled”, to make sure that’s there issue a “show run http” command”

[box]

PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside

[/box]

Note: if the command is NOT there, you need to issue the following three commands:

[box]

PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)# 

[/box]

Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).

4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:

[box]

PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...

Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89 9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

5. At this point try and access the ASDM again.

6. The ASA needs to be told what file to use for the ASDM, to make sure its been told issue the following command, (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewal)l.

[box]

PetesASA# show run asdm
asdm image disk0:/asdm-739.bin

Note: on a Cisco PIX the results will look like..

PetesPIX# show run asdm
asdm image flash:/asdm-501.bin

[/box]

7. Write down the file that it has been told to use (in the example above asdm-632.bin). Then make sure that file is actually in the firewalls memory with a “show flash” command.

[box]

PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-739.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg


127135744 bytes total (29583360 bytes free)

[/box]

Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.

Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).

[box]

PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

 

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco Allowing Remote Management

Cisco ASA5500 Update System and ASDM (From ASDM)

Firefox: Cannot Open vCenter Web Client

KB ID 0001482

Problem

I wonder how many hours Ive lost trying to get browsers to connect to things, and the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.

Your connection is not secure
The owner of {site} has configured their web site improperly. To protect information being stolen, Firefox has not connected to this website.
Error Code: , SEC_ERROR_UNKNOWN_ISSUER

Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.

Solution

Browse to about:config, and then search for security.enterprise, set it to true.

Now it will work

Related Articles, References, Credits, or External Links

NA

Firefox Error – SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

KB ID 0001189 

Problem

Firefox is what I use when Opera does not work, so when I tried to connect to some management servers that did not support Opera this happened;

 

Secure Connection Failed
An error occurred during a connection to {FQDN). SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)

 

Solution

Navigate to ‘about:config’ > I’ll be careful, I promise!

In the search bar type ssl3.dhe_rsa_aes_128_sha > change its value to false.

In the search bar type ssl3.dhe_rsa_aes_256_sha > change its value to false.

 

Related Articles, References, Credits, or External Links

NA

Ubuntu – Installing Java

KB ID 0000395 

Problem

Did you know you can install Java and Flash with the Ubuntu Restricted extras pack? click here

Im not a big fan of Java, In the past I’ve either had the wrong version, or it’s made something run like a dog, but I need it for the Cisco management stuff I need to do. (Guess what the next article is going to be 🙂 Like Adobe Flash, there seems to be a lot of different info out on the web about how to do this, so it took me a while to do something that was painfully easy in the end.

Solution

1. Click Applications > Ubuntu Software Centre > Type “java” in the search terms > Locate OpenJDK Java 6 Runtime.

2. Hit install.

3. You may be asked to authenticate, do so. My netbook is a little slow so at this point it appeared to hand for a while (Go and have a brew! It will be finished by the time you come back.

 

Related Articles, References, Credits, or External Links

Also See Ubuntu (Chrome) Installing Adobe Flash

Firefox 7 – Restore the Full URL / Address Bar

KB ID 0000517 

Problem

Firefox 7 came out today (Download Firefox 7), and the new version has decided to shorten the URL displayed in your address bar, to put it back to its old style you need to change a setting.

Solution

1. In the address bar type about:config, and then click “I’ll be carefull, I promise”.

2. Locate the  browser.urlbar.trimURLsentry then double click it to change it from true to false.

 

Related Articles, References, Credits, or External Links

NA

Cisco ASDM – Accessing with Ubuntu

KB ID 0000396 Dtd 11/02/11

Problem

Even though I prefer to use command line, there are times I need to manage Cisco firewalls from the ASDM. To do this from my Netbook running Ubuntu 10.10 it was not as straight forward as I was used to.

Solution

In my scenario I’m using Ubuntu 10.10 Desktop Edition, Chrome as my browser, and the ASDM is running version 6.3(1).

1. Before we start I’m assuming you know what the ASDM is and how to connect to to it and configure it for access. Also you will need Java Installed.

2. Connect to the web console of the firewall using its configured IP Address, Chrome by default will download the Java file (which I’ve written about before). Normally this is annoying, but here it’s a good thing, by default it will drop the file in your home folder in the downloads directory, for simplicity I moved it to the root of my home folder. Then open a terminal window (Applications > Accessories > Terminal), and execute the following command.

[box]javaws asdm.jnlp[/box]

3. After a little while, you will be prompted to accept the certificate (The self signed certificate on the server will not be trusted that’s OK).

4. After entering your password (User name will be blank, unless you have enabled AAA). the ASDM will open.

5. Thankfully, you only need to do this the first time you connect, the next time you try it will open the ASDM password prompt and run correctly.

 

Related Articles, References, Credits, or External Links

Cisco Serial – Accessing with Ubuntu

Windows – Set Chrome as the Default Browser

KB ID 0000656 

Problem

Even though I had installed Chrome, and told Windows 8 to set it as the default browser, it had not.

Solution

1. Whilst within Windows 8 > Press Windows Key+Q > This brings up the Apps menu > In the search box type ‘default’ > Select ‘Default’ Programs.

2. Set your default programs.

3. Locate Google Chrome > Then click “Set this program as default”.

4. Now you can (if you wish) remove Internet explorer from the ‘Modern UI’. Right click the tile and select ‘Unpin from start’.

5. Now you can drag the Chrome tile over to replace it.

Related Articles, References, Credits, or External Links

NA