SSL cipher support

Thanks for the information about the fact that there won't be a general firmware with SSL TLS due to the ultralow voltage microprocessor. I could find no references to that on this support forum, only references to a public beta build with it included and open discussion items.

I do understand the issue with the man-in-the-middle, and ideally removal of the cipher would be the best option. In this circumstance I think using the built-in firewall is going to be my best option. But I would like to take a moment to explain why myself and others may bring it up. It is really twofold.
First would be manageability. As I mentioned, modern browsers hard stop on the old ciphers. After much trial and error, I identified that Firefox ESR 31.0 works, but Firefox ESR 31.8 does not. Somewhere in the versions between 31.0 and 31.8 SSLv3 is disabled.
Second is our annoying security team. Our devices are in a LAN environment without public access. That does not stop security from scanning all known devices for security issues. And the CVSS base score for this is a 9.8, on a ten scale. I am sure everyone's different, but in our case all these scans go against a 'security report card' that our cyber insurance provider uses to base our premium against. Yes, I will be using the built-in firewall to hide the devices from the security scanners. Security-thru-obscurity is just not an ideal situation.

Comments

  • Administrator
    edited August 2022
    In the next release of the firmware it will be possible to disable the web server altogether and only leave those protocols open that you need - typically SNMP or Modbus TCP.

    A work-around today is by using an invalid IP address in the firewall for web access.

    The next gen Sensorgateway will support TLS.

    For specific customers we have also designed non-generic custom firmware with TLS. However, support of all current firmware features and TLS on the chip is not possible.

    Depending on what features you need, the beta version on this forum could also do the trick for you.
  • jimbo
    I just downloaded 8.9 and installed on one of our sensors. Where is the option to disable the web server? Also, how would one manage it after the web server is disabled?

    Last question, when is the next gen Sensorgateway due to be shipped?
  • Pochollo
    jimbo
    8.9 does not have the feature yet to disable the web server. I think, if I assume it right, you set up the gateway, then you turn the web server off. That way you can poll data via SNMP or Modbus, or depending on your integration. Since the URL/web server will be disabled, I think the only way to get back into that is by doing a reset.
  • Administrator
    In the forthcoming release 9.0, the reactivating of the web server can be done by quickly pressing the reset button 4x. It requires a manual action. This is to ensure maximum security, whereby one needs physical access to the device.