Reply

Re: FVS336Gv3 - trying to upload CRL, getting error page

train_wreck
Luminary

FVS336Gv3 - trying to upload CRL, getting error page

The title says it; I have an existing self-signed PKI and I am trying to upload the CRL pem file. This is the exact same CRL file that is being used on other Cisco, Ubiquiti and Mikrotik routers, WIndows, Mac, Linux, iOS/Android, and other operating systems with no problem whatsoever.

 

When I click "Upload" on the "Certificates" config web page, I am presented with the following error page:

 

netgearerror.png

 

Any ideas? I am running the latest firmware as of this post.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 7
train_wreck
Luminary

Re: FVS336Gv3 - trying to upload CRL, getting error page

OK so it's been a week and no replies here.....

 

One theory: our CA provides SHA256 hashed CRLs. I notice that some of the VPN settings reference hash algorithms, and only allow MD5 and SHA1. Does the router support CRLs generated with SHA 2 family algorithms? (SHA256, SHA384, SHA512, etc.)

Message 2 of 7
DaneA
NETGEAR Moderator

Re: FVS336Gv3 - trying to upload CRL, getting error page

Hi train_wreck,

 

Not sure if this will help.  However, let me share this old forum link: https://community.netgear.com/t5/VPN-Firewalls/Can-t-Upload-Invalid-Self-Certificate/td-p/975149

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 3 of 7
train_wreck
Luminary

Re: FVS336Gv3 - trying to upload CRL, getting error page

Yep, that pretty much sums it up. Our certs and CRL use 2048-bit RSA. We won't be able to integrate it.

 

Curious, is this limitation mentioned in the documentation anywhere?

Message 4 of 7
DaneA
NETGEAR Moderator

Re: FVS336Gv3 - trying to upload CRL, getting error page

Hi train_wreck,

 

I have just inquired about it to a higher tier of NETGEAR Support almost a year ago.  I also cannot find any documentation.

 

 

Regards,

 

DaneA

NETGEAR Community Team

 

Message 5 of 7
train_wreck
Luminary

Re: FVS336Gv3 - trying to upload CRL, getting error page

OK, got it. I suppose this will be a feature request from me then, since many CAs are moving to 2048 bit RSA (as well as SHA2 hashes). Indeed, the CA browser forum recommends it.

 

Thanks DaneA for all of you & the other moderators assistance. I will check back  to see if Netgear's products can be implemented in our organization in the future. Thank you.

Message 6 of 7
bghavami
Initiate

Re: FVS336Gv3 - trying to upload CRL, getting error page

Even SRX5308 does not support SHA-2. I have seen references to it in Netgear UTM products, which being sunset pretty soon. Just go to

https://community.netgear.com/t5/Idea-Exchange-For-Business/SHA-256-signature-algorithm-for-SRX-5308...

and add a Kudos to this similar idea. may be when there are sufficient number kudos, Netgear will consider adding it to their firewall series firmware.

Message 7 of 7
Discussion stats
  • 6 replies
  • 3846 views
  • 4 kudos
  • 3 in conversation
Announcements