NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

vpollinzi's avatar
vpollinzi
Aspirant
Jan 20, 2024

Enabling Always Use HTTPS to Access Extender breaks connectivity

Hello - Tried to enable "Always Use HTTPS to Access Extender" for Web Services Management however once enabled, I can no longer connect to extender. Running Windows 10 Pro, build 19045.3930 with late...
schumaku's avatar
schumaku
Guru - Experienced User
Jan 21, 2024

Yes, it's a nifty issue with the certificate usage bits, for example on the self-signed certificates in use. Explained in depth here.

  • vpollinzi's avatar
    vpollinzi
    Aspirant
    Jan 21, 2024

    Thanks for your feedback! I suppose the developer/programmer that added the option didn't understand the ramifications of maintaining certificates. Disabling RSA key usage in chrome doesn't buy me any more security than what I have with http protocol, (chrome --force-fieldtrials=RSAKeyUsageForLocalAnchors/DisabledLaunch).
     

    An encrypted connection to management console would have been nice though. Guess I'll have to rely on strong password. Thanks again.

     

    • schumaku's avatar
      schumaku
      Guru - Experienced User
      Jan 21, 2024
      vpollinzi wrote:

      I suppose the developer/programmer that added the option didn't understand the ramifications of maintaining certificates. Disabling RSA key usage in chrome doesn't buy me any more security than what I have with http protocol, (chrome --force-fieldtrials=RSAKeyUsageForLocalAnchors/DisabledLaunch).

      That's not the case. For once one of the browser makers again run ahead for something the industry - and even more consumer devices and infrastructures - can't cope with (like fully featured DNS infrastructures, to allow complete https deployment. This does not abandon any https security. Many more vendors are affected by this wonderful rush forward. The browser will just not look for the keyUsage bits like digitalSignature -and- keyEncipherment which does typically not exist on any self-signed and many CA signed certificates. It won't abandon the basic encryption. The browser simply error-out and won't continue in case the keyEncipherment bit is not set.

      • vpollinzi's avatar
        vpollinzi
        Aspirant
        Jan 21, 2024

        Thanks for follow-up and elaborating on full scope of the problem. I found instructions on Windows registry modifications for workaround here: https://community.netgear.com/t5/Orbi-Pro-WiFi-for-Small-Business/SSL-error/m-p/2347112

         

        Specifically, create this key in the registry: 

        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
        "RSAKeyUsageForLocalAnchorsEnabled"=dword:00000000
         
        Not sure if I'm going to bother with it or not but good to know I can enable the feature.