NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)
This workaround eliminates the redirection of http://nas-name-or-ip/admin to https://nas-name-or-ip/admin for NAS running 4.1.x firmware. It does require ssh to install.
Entering https://nas-name-or-ip/admin will still result in the mismatch error. However entering http://nas-name-or-ip/admin will not. Note this means that there is no encryption at all on the connection - so this is not something you want to deploy over the internet.
This change can coexist with a patch later on that installs TLS 1.2 (and of course it can be easily reversed).
The file that is modified is /etc/frontview/apache/Virtual.conf All that is needed is to comment out the rewrite engine rules. Changes are in blue.
#vers=2
<VirtualHost _default_:80>
SSLEngine off
# Eliminate HTTPS rewrite
# RewriteEngine on
# RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
# RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
# End Eliminate HTTPS rewrite
</VirtualHost>
I suggest preserving the original as Virtual.conf.orig. Reboot the NAS after updating the file.
If you copy this file on a Windows system, make sure you paste it into a tool that can save the file using Unix end-of-line convention (for instance, Notepad++). With Notepad++, set Edit->EOL Conversion to Unix (LF) before saving.
Note this is a simplified version of an earlier workaround posted by irae for 5.3.x (v2) NAS here: https://community.netgear.com/t5/Using-your-ReadyNAS-in-Business/ReadyNAS-NV-V2-TLS-Support-may-not-be-able-to-access-soon/td-p/1873534 irae's version also disables SSL in httpd.conf That might be needed in the v2 NAS, but isn't needed in 4.1.x systems.
108 Replies
Replies have been turned off for this discussion
Note that WhoCares_ has released add-ons for TLS 1.2 support at https://rnxtras.com/
Right now those are only available for 4.2.x and 5.3.x systems, though perhaps 4.1.x will show up later.
Note that WhoCares has the link wrong for the 4.2.x version. It should be https://github.com/rdynsxtrs/rn4bin/tree/main/apache2/x86 .
Thanks for this workaround - but could I ask how to do you actually make these changes step by step? I don't know how to access this to make the changes in BLUE that you've highlighted.
Sabedi wrote:
Thanks for this workaround - but could I ask how to do you actually make these changes step by step? I don't know how to access this to make the changes in BLUE that you've highlighted.
Here's one way. As usual, you are at your own risk when using SSH to make mods to the NAS. But if you have problems you can of course post here (I suggest using opening a different thread).
(1) First you need to regain access to Frontview, so you need to begin with either using Internet Explorer, IE mode in Edge, or a old version of a browser (for instance FireFox 94.0.2).
Note that if you are running 4.2.x or 5.3.x firmware, then you can install the add-on from www.rnxtras.com at this point. That installs TLS 1.2 on those NAS, which is enough to give you access. So you can stop at this point.
(2) For the 4.1.x systems, you need to enable ssh access, using the Netgear Enable Root SSH Access add-on found here: https://kb.netgear.com/24546/Add-ons-for-RAIDiator-4-1-3-Sparc.
Then install notepad++ on the PC from https://notepad-plus-plus.org/downloads/.
(3) Copy/Paste the file from the post above into Notepad++.
Go into Edit->EOL Conversion of Notepad++, and choose "unix". It will gray out that option when you do that (a somewhat non-intuitive way of marking the selection). This is a very important step, so make sure you get this right.
Then save the file as Virtual.conf directly to a share on the NAS. Let's call that share "sharename", and assume it is on the C volume for now.
(4) Now access the NAS using SSH. Use root for the username, and the NAS admin password. If you are using windows 10, then you can do this by entering
ssh root@nas-ip-addess
from the windows search bar (using the real NAS ip address of course). Windows will ask if you want to proceed (something also about saving the fingerprint).
I'm not a Mac owner, but I believe you can also enter this same command into terminal.
Either way, you'll get a prompt for the password after you enter this command - as I said earlier use the NAS admin password.
(5) Once in, you need to copy Virtual.Conf to the destination folder. The steps below save the original file, and keep a separate copy of the changed file in the destination folder. The last command makes sure the owner/group is preserved.
cd /etc/frontview/apache cp /c/sharename/Virtual.conf Virtual.conf.mod mv Virtual.conf Virtual.conf.orig cp Virtual.conf.mod Virtual.conf chown admin:admin Virtual.conf*
using the real sharename you stored the file to in step 3. Of course substitute the real volume if you are using flexraid (and didn't put it o the c volume).
Reboot the NAS, and it should connect to Frontview with current browsers when you enter http://nas-ip-address/admin
You can alternatively just restart Frontview:
/etc/init.d/frontview restartNote if this fails to connect (even with IE or the older firefox), you can still get into the NAS with ssh, and troubleshoot from there.
Awesome thread StephenB! I have old IE11 but I still had to go through the dreaded "ARE YOU CERTAIN!!!" page and now it just works!
I used vi to edit the Virtual.conf file after making a cp Virtual.conf Virtual.conf.orig and it was pretty straightforward, except that I did a vi :help and then didn't know how to kill it (instead I just ended the session).
Anyway this has been a long-standing bug in my ear and I thank you for making it go away!
ReadyNAS RND2000 v?
If you do NOT have a Linux go to STEP 4, for the step by step NAS configuration.
ALWAYS SAVE A COPY OF THE ORIGINAL FILE.
Step by Step: For those who have a Linux PC. (Fedora version)
STEP 1: First you have to login as Root. (Open the "Terminal") and use the "su" command
at the command line: eg: [yourname@fedora~]$ su (Press Enter)
(Enter your root password. (This step is necessary because you are going to use SSH to connect to your NAS as "Root" user.)
STEP 2: Start the SSH session :eg: root@Fedora mike ]# ssh (Enter)
The problem is : You can NOT connect with SSH because of the same problem. you will get an error like: "
Unable to negotiate ....no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
To fix this problem first, you have to modify the SSH config file at: etc/ssh and add a new command. "a new rule"
At prompt enter : cd /etc/ssh then open the file "ssh_config" with "vi" then add
one commend line WITHOUT the "hashtag" (#) KeyAlorithms diffie-helmman etc (the bold line)
Example: (The Bold line)
# etc....
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# This system is following system-wide crypto policy.
# etc ....And now save the file.!!!! (Always good to save a copy of the original ssh_config file!!!!)
STEP 3: Now you can connect to the NAS via SSH
at the prompt connect to your NAS by using the SSH command
eg: root@fedora mike]# ssh 192.168.1.200 (enter) (Enter "yes" to accept the first time key exchange)
== ====AND NOW YOU ARE CONNECTED TO YOUR NAS via SSH as Root user ===
The prompt will change into something like this:
example: name_of_your_NAS:~#
STEP 4: (Modify the Virtual.conf file)
Enter cd /etc/frontview/apache/ (The directory where the "Virtual.conf" file is located
use the "ls" command to view the files if necessary.
open this file with "vi" command. (vi Virtual.conf) [with Capital "V" !!!!]
it will look like this:
#vers=2
<VirtualHost _default_:80>
SSLEngine off
RewriteEngine on
RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
</VirtualHost>Make ALL the Bold lines a comment or "deactivate" them by adding the "#"
<VirtualHost _default_:80>
SSLEngine off#Start here
#RewriteEngine on
#RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
#RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]#end here
</VirtualHost>The "Start here" and "End here" are some extra comments to help you remember what you did.
Safe the file and reboot your NAS and now you can connect without any problem. Remember it is not a secure connection!
I hope there will a new firmware update soon 😉
efgtest wrote:
ReadyNAS RND2000 v?
Step by Step: For those who have a Linux PC. (Fedora version)
Thanks for the addition about changing the ssh config on a linux PC. FWIW, that isn't required with Windows at this point.
If you have a Duo v2 - which says "ReadyNAS Duo v2" on the front panel - then I suggest using an old browser version, and installing the rnxtras add-on first. That enables TLS 1.2 on the Duo. If you still want to eliminate the https redirection for some reason, you can proceed with doing that.
Step 4 is already described in the earlier step by step (other than the use of vi).
efgtest wrote:I hope there will a new firmware update soon
I don't think that will ever happen. Netgear said there would be no more updates for these models in September 2016. They did provide one more after that in response to WannaCry in May 2017. But I think it's pretty clear they are done now - it's been 9 years since they stopping manufacturing them.
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error typically happens on older operating systems or browsers.
But that is not always the case. In fact, we just recently encountered a user having this issue on their WordPress site who was migrating to Kinsta from another host. We were, of course, running the latest version of Chrome, so the issue was with their SSL certificate. Chrome is actually protecting you by not letting you load it.
You might also see a variation of the error, such as:
- Error 113 (net::err_ssl_version_or_cipher_mismatch): unknown error
- The client and server don’t support a common SSL protocol version or cipher suite
bekzclz11 wrote:
The ERR_SSL_VERSION_OR_CIPHER_MISMATCH error typically happens on older operating systems or browsers.
Not true. It's happening with current Chrome/Edge/Firefox on any OS. Probably current Safari also, but I haven't checked that.
Older browsers might give cert errors, but not this particular error. This is about browsers dropping support for TLS 1.0/1.1, and requiring TLS 1.2. It has nothing to do with certs. It's because the older ReadyNAS don't have TLS 1.2.
StephenB- I think with any version of Firefox (I'm using latest to date 109.0 on a Mac) you can go to about:config and search for security.tls.version.min and change it to 1. Then you can get to FrontView on older ReadyNAS without needing specific versions of Firefox.
Implemented change okay, but now getting connection request refured, cleared cache reinstalled chrome , checked firewall all okay , any ideas I could try?
Hi Stephen,
Its a NAS Duo V1 running the 4.1.17 mod https://community.netgear.com/t5/forums/replypage/board-id/readynas-general/message-id/47827
, which I use to backup my Unraid self built NAS. I edited virtual.conf (both) the one in etc/frontview/apache
and one in etc/default/etc/frontview/apache.
The change worked as I no longer get the error ssl msg and got the correct response when I restarted frontview.
Since I only use it as a backup it's not a bit deal as I power it on once a week run a RSYNC from my Unraid server then
power off backup NAS with a curl script. I've tried chrome/edge & firefox all the same this site can't be reached refused to connect.Cheers
Ken
Just wanted to thank everyone for their contribution.
I had to bring my Duo (4.1.16) back online to backup my now EOL WD EX4. The SSL issue was driving me NUTS!! I could only use Firefox as it prompted me to "turn back or proceed" unlike the other browsers (Chrome, Edge, Opera). I figured it was only a matter of time until FF went all Suzy Orman on me, DENIED!! (look her up if you don't get it).
Scary part was installing the root ssh access bin file but it went smoothly. Once I had access, the rest was easy. I did copy/paste the text for the conf file and didn't realize it had a typo in it. The typo was corrected in a later post but I was too anxious to get this done. The Duo didn't like it, but reading further I found the correction, made the correction, and now it connects fine with Chrome, FF, Opera, and Edge.
Once again, many thanks!!!
S
Reapplied this change when I replaced my 1.5 TB disk with a 2TB one to match the other disk , change worked fine this time so not sure what i screwed up last time.
Thanks again stephen
I have a ReadyNAS Ultra 4 with firmware 4.2.30.
In your post you say your procedure is for 4.1.x firmware ... does it work also for 4.2.30 firmware?
(This is a reply to the first post by StephenB)
See post 2 by StephenB , there is apparently an add-on for 4.2 systems , which would make the needed change.
Magnyzz wrote:
In your post you say your procedure is for 4.1.x firmware ... does it work also for 4.2.30 firmware?
(This is a reply to the first post by StephenB)
I haven't tested it (my 4.2.x Pro 6 was converted to OS-6 before this issue began). If you have a 4.2.x system that can be converted to OS-6 (not an NVX and some rackmount models), then I recommend doing that instead. That also gives you SMB 3.0, and several other features not in 4.2.x.
That said, I think my procedure will work on 4.2.x also.
The add-on that sonvolt99 refers to can be found here:
Note you can do both (making the change to allow frontview access from http w/o redirection, but also allowing https with TLS 1.2 to be used).
Thanks. I managed to solve it ... at least good enough for me. This is what I did.
1) I installed an old version (ver 91) of firefox on a usb-stick. This gave me access to the readynas admin web-page.
2) I installed https://github.com/rdynsxtrs/rn4bin/blob/main/apache2/x86/Apache2_2.2.34-x86-0.2.0.bin
as an add-on using the admin web-page. (FYI, I got an installation error at the end as somebody else also pointed out but after restarting the nas it seems ok).
After these two steps I now have access from my normal chrome-browser.
Thank you so much. Although I can follow the general logic and would/could do it if I was dead in the water, the specific steps are beyond what my old lady brain wants to tackle. For now I'm using EDGE with IE support. I guess I will upgrade to OS 6 this summer when I am not under end of year and tax processing issues. Thanks again.
RNDU4000, Serial# 2DK1080G00A36
hermanfong wrote:
RNDU4000, Serial# 2DK1080G00A36
And what is your question exactly?
Are you wanting guidance on how to convert your Ultra to run OS-6?
Instructions on how to install the 4.2.x add-on for the SSL Version Error?
Something else???
This is probably a stupid question, but how do I access /etc/frontview/apache/Virtual.conf ?
larsema wrote:
This is probably a stupid question, but how do I access /etc/frontview/apache/Virtual.conf ?
Normally ssh. See post 7 of this thread.
WinSCP can be used if you aren't comfortable with the linux command line. See post 4 here for general instructions:
Hi, I came across this thread in searching for my error since plugging in my NAS for the first time since like 2021. I'm running the ReadyNAS Duo v2 on 5.3.13.
After reading though these responses, I downloaded the "Apache2_2.2.34-arm-0.0.1.bin" file from https://github.com/rdynsxtrs/r5bin/tree/master/apache2. I installed a very old verison of Firefox to get into the web interface for my device. I go to "Add-ons" tab and click new add-on. I select the BIN file but I get the error: "Invalid Update Image."
I then go to System->Settings-> and try under "Install Fireware." Same error. Any idea what I'm doing wrong?
Request_Help wrote:
I then go to System->Settings-> and try under "Install Fireware." Same error. Any idea what I'm doing wrong?
You aren't installing firmware, you are installing an add on. Look at the "Install Standalone Add-ons" section on page 77 here:
Hi, thank you for replying. As I shared in my post, following the steps for standalone add-ons also does not work:
"I installed a very old version of Firefox to get into the web interface for my device. I go to "Add-ons" tab and click new add-on. I select the BIN file but I get the error: "Invalid Update Image." "
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
