Forum Discussion
brwyatt
Apr 28, 2018 · Aspirant
M4300-28G (GSM4328S) HTTPS Admin "ERR_SSL_PROTOCOL_ERROR"
Netgear support seems to be unable to figure this out, so I'm hoping someone in the community can. I'm trying to enable the HTTPS Admin Interface, but the switch seems to only give me protocol errors...
- May 12, 2018
With atian's help, I have found the solution.
In addition to "pem format" and "include the private key with the server certificate", any chain CA certificates must be appended to the server certificate file, not the trusted root file, and the Trusted root pem file should only contain the root. Doing this has resulted in the switch properly serving HTTPS and a complete chain of trust to the root CA in my computer's trust store.
I want to be VERY clear here, though. Other than "PEM Formatted", no other guidance or information is offered in any documentation I was able to find or anything offered by support. Nowhere does it say that the private key is to be prepended to the "Server Certificate PEM file", nor does it offer guidance on where to add or append or upload CA chain files (many systems I've used before use separate files for the server private key, the server certificate, and the CA chain certs). This REALLY needs to be documented, and would have saved me two and a half months struggling with support that doesn't have a clue about how this is supposed to work, either (I'm guessing the internal documentation doesn't mention this, either).
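To make the file layout from the accepted answer concrete, here is an added example (not from the original post, NETGEAR, or the switch firmware) that assembles the two files in the order described (private key, then server certificate, then any intermediate CA certificates in one "server" PEM file; only the root CA in the "trusted root" PEM file) and runs a cheap sanity check before upload: every PEM block must decode as base64 and start with an ASN.1 SEQUENCE tag, the first block of the server file must be a private key, and the root file must contain exactly one certificate. The function names and the PEM contents below are constructed placeholders (a tiny DER SEQUENCE standing in for real keys and certificates), not real credentials; the switch's own upload form and field names are not modelled here.

```python
"""Assemble and sanity-check the PEM files for an HTTPS admin interface
that expects key + server cert + chain in one file and the root in another.
Added example; layout rules come from the forum thread, names are assumed."""
import base64
import binascii
import re
from typing import List, Tuple

# One PEM block: label in BEGIN/END must match; body is base64 (whitespace allowed).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for each PEM block; raises ValueError on bad base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def looks_like_der(der: bytes) -> bool:
    """X.509 certificates and PKCS#1/PKCS#8 keys are DER SEQUENCEs, tag byte 0x30."""
    return len(der) >= 2 and der[0] == 0x30


def build_server_bundle(key_pem: str, server_cert_pem: str, intermediates: List[str]) -> str:
    """Server file: private key first, then the server cert, then intermediates."""
    parts = [key_pem.strip(), server_cert_pem.strip()] + [c.strip() for c in intermediates]
    return "\n".join(parts) + "\n"


def build_trusted_root(root_pem: str) -> str:
    """Trusted-root file: the root CA certificate and nothing else."""
    return root_pem.strip() + "\n"


def check_files(server_bundle: str, trusted_root: str) -> List[str]:
    """Return a list of layout problems; an empty list means the files match the
    layout the thread reports as working."""
    problems: List[str] = []
    try:
        blocks = split_pem(server_bundle)
        root_blocks = split_pem(trusted_root)
    except (ValueError, binascii.Error) as exc:
        return [f"PEM body is not valid base64: {exc}"]

    if not blocks or "PRIVATE KEY" not in blocks[0][0]:
        problems.append("server file must begin with the private key block")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("server file contains no CERTIFICATE block")
    for label, der in blocks + root_blocks:
        if not looks_like_der(der):
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    if len(root_blocks) != 1 or root_blocks[0][0] != "CERTIFICATE":
        problems.append("trusted-root file must contain exactly one CERTIFICATE block")
    return problems


# --- constructed sample input (placeholders, NOT real keys or certificates) ---
def _fake_pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----"


SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # DER: SEQUENCE { INTEGER 5 }
KEY_PEM = _fake_pem("RSA PRIVATE KEY", SAMPLE_DER)
SERVER_PEM = _fake_pem("CERTIFICATE", SAMPLE_DER)
INTERMEDIATE_PEM = _fake_pem("CERTIFICATE", SAMPLE_DER)
ROOT_PEM = _fake_pem("CERTIFICATE", SAMPLE_DER)

GOOD_BUNDLE = build_server_bundle(KEY_PEM, SERVER_PEM, [INTERMEDIATE_PEM])
GOOD_ROOT = build_trusted_root(ROOT_PEM)
# The layout the thread warns against: chain appended to the trusted-root file.
BAD_ROOT = build_trusted_root(ROOT_PEM + "\n" + INTERMEDIATE_PEM)
# Server file missing the private key, which the thread says must be prepended.
BAD_BUNDLE = build_server_bundle("", SERVER_PEM, [INTERMEDIATE_PEM])

if __name__ == "__main__":
    print("good layout:", check_files(GOOD_BUNDLE, GOOD_ROOT))
    print("chain in root file:", check_files(GOOD_BUNDLE, BAD_ROOT))
    print("key missing:", check_files(BAD_BUNDLE, GOOD_ROOT))
```

With real files, replace the placeholder constants with the contents of the key, leaf, intermediate and root PEMs and write `GOOD_BUNDLE` and `GOOD_ROOT` to disk for upload; the DER-tag check only catches gross corruption (truncated or wrongly encoded blocks), so still verify the chain itself with `openssl verify` before trusting it.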
DanielZhang
Apr 28, 2018 · NETGEAR Expert
Hi brwyatt,
Welcome to the NETGEAR community! :)
Currently the M4300 only supports TLSv1.0 and SSLv3.0.
But there will be a new update to support TLSv1.2 for the M4300 soon, as our internal security team is working on it.
So could you please change the protocol to TLSv1.0 and try the certificate download on the M4300 again?
Thanks,
Daniel.
brwyatt
Apr 28, 2018 · Aspirant
Unfortunately, TLS 1.0 is enabled by default, as is SSL 3.0. I've attempted the same steps with SSLv3.0 disabled, but the result is the same.
It is good to hear that TLS 1.2 is "in the works", though it is worth mentioning that Chrome does support TLS 1.0, so things should be working, but Chrome, Firefox, and OpenSSL s_client all return protocol errors.
I've attached the output of running testssl.sh to this ticket. Strangely, this seems to show that the switch supports TLS 1.1 and TLS 1.2? Either way, double-checking with OpenSSL s_client and forcing -tls1 still shows the same protocol errors:
139847755073176:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
139847755073176:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1205:
139847755073176:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=X509
139847755073176:error:1409000D:SSL routines:ssl3_get_server_certificate:ASN1 lib:s3_clnt.c:1237:
Which would, to me, seem to indicate that the switch is manipulating or munging the certificate in some way before it sends it. I'll reiterate that prior to uploading the cert/key to the switch, I am able to locally verify the certificate (in PEM format) using OpenSSL, and have generated and installed certs using the same methods on multiple other services/applications (RabbitMQ, Apache, etc.).
Either the switch is expecting some non-standard format or has some extra requirements that aren't called out in the documentation (and aren't checked for on upload or on attempt to activate the HTTPS Admin interface), or something is severely broken in the SSL/TLS implementation (or some combination of both). I'm really hoping I'm just doing it wrong, but so far I've been unable to verify that, and the documentation offers no guidance on how to do this at all (neither has support, for that matter), so I'm kinda stuck hoping I can find someone who can point me in the right direction.