SSL cipher support

---Originally posted in wrong discussion board, so moving to the correct one now ------

Ok, there have been a few posts relating to the ability to disable old ciphers, but doesn't seem to be any real answers, so hoping that opening a new thread might spark more conversation. I have a few Sensor Gateways version 5 devices running the latest (8.6) firmware, but can't do anything with the https side of things. Every current browser blocks my ability to connect to the device over https due to the legacy ciphers. Has anyone been able to get around this issue?

Comments

  • PocholloPochollo
    Hello mate,

    HTTPS isn't supported yet with official firmware but there was a beta firmware released here in the forums that supports HTTPS but that firmware doesnt support latest sensor releases.

    If you need it for security I suggest you use the firewall settings instead.

    Cheers!

  • jimbojimbo
    Ok, I have tried to install the beta version of the software and it renders my device useless and have to revert to factory to get it functional again. Is there an option to just disable https/SSL altogether? I really don't need it, as we only use the web interface to configure the device and then just leverage SNMP with our monitoring system. Is this possible?
  • adminadmin
    jstasik

    Our SensorGateway does not support Web server HTTPS access. Which means by default you can only access your Gateway via HTTP.
    (No need to disable anything on the Gateway)

    Via accessing the Gateway over HTTP you can configure the SNMP settings and have it integrated with your monitoring system.

    if you do not have the latest firmware installed then you may download it from here
    https://serverscheck.com/support/firmware.asp

    In some cases that browsers automatically uses HTTPS to all url's you may disable that on the respective browsers settings
  • jimbojimbo
    It may not support HTTPS access, but port 443 is open. I am running Release 8.7 on the gateways in our environment and an nmap scan of these devices shows both port 80 and 443 listening. This scan also shows that there is an ssl cert with the common name of mchpboard. My IT security team also has run scans against them and they are running vulnerable versions of SSL.
  • AdministratorAdministrator
    We assume that the firewall is not enabled. Correct?
  • jimbojimbo
    yes, no firewall enabled.
  • adminadmin
    jstasik

    SSL is by default disabled (this is used for email) as some Mail servers still use the protocol it is an option still on our gateway.
    As for port 443 we have forwarded your concern over to our Development team as this port is currently not being used whilst still listening, it is on the road map.

    For firmware updates we invite you to follow us on our social media channels to know about our latest announcements.

    https://infrasensing.com/about/news.asp
  • JeltzJeltz
    edited August 17
    I am also attempting to solve the 'insecure ciphers'. So InfraSensing, WHAT VERSION OF THE FIRMWARE addresses the fact that all modern browsers die on SSLv3?

    I have 5.1 hardware and have successfully updated to the 8.5 firmware (August 2020). However when I attempt to bring it up the the newest (and only one) I can download is 8.9, the firmware upgrade just times out and never occurs. I get stuck on the 'device will now reboot...' and I have wait for hours (I didn't expect waiting that long would work, I just did it because I went to lunch). Your firmware download site says that 8.8 was the last 'free to all' firmware, but there is no link to it. What is the 8.8 firmware link? Does 8.8 bring the cipher into modern security practices? Or for that matter does 8.9?

    Just as a refresher, SSLv3 has not been secure since 2014.
  • AdministratorAdministrator
    edited August 17
    Jeltz as explained in this forum there won't be a general firmware with SSL TLS due to the ultralow voltage microprocessor unable to support it.

    Let's tackle one issue at a time and not take the uppercase into consideration (= shouting in online etiquette).

    - SSLv3 has not been secure since (bold) 2014

    As you know, SSLv3 being insecure means a man in the middle attack. As our base units sit in a LAN environment. They are not exposed to the public internet. What does this mean in simple terms? This means that to exploit SSLv3, there must be an attacker that has already access to your LAN. An issue that would be a bit more serious that the sensors don't you think?

    - Let's assume you don't think like that and that the webserver still is an issue

    For users like yourself we've made - free of charge - a feature in the firmware that allows you to disable the firewall except for specific IP addresses. So that an attacker can't access the base unit's configuration. You can even deactivate the webserver completely.

    - Firmware 8.9

    We do post release notes online. You can check for yourself what changes are made. It seems that the team made a mistake and made 8.9 available for download instead of only 8.8.


    If you have a support agreement, then you would have access to any version of the firmware. New and old. If not, then you are limited to the free resources provided.
This discussion has been closed.