
Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

sonvolt99
Star

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Hi Stephen,

It's a NAS Duo V1 running the 4.1.17 mod https://community.netgear.com/t5/forums/replypage/board-id/readynas-general/message-id/47827, which I use to back up my Unraid self-built NAS. I edited virtual.conf (both): the one in etc/frontview/apache and the one in etc/default/etc/frontview/apache.
The change worked, as I no longer get the SSL error message and got the correct response when I restarted frontview.
Since I only use it as a backup it's not a big deal, as I power it on once a week, run an rsync from my Unraid server, then power off the backup NAS with a curl script. I've tried Chrome/Edge and Firefox, all the same: "this site can't be reached", "refused to connect".

Cheers
Ken

Message 26 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@sonvolt99 wrote:

I've tried chrome/edge & firefox all the same this site can't be reached refused to connect.


Have you tried using ssh, and then looking at the logs?  Maybe also try restarting apache and see what happens.

Message 28 of 84
SamirD
Prodigy

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

The easiest solution I've found for accessing older browser based devices is to simply use a portable version of the older browser it requires.  Firefox 52 ESR 32-bit has done well for me for all these including  both my Netgear NAS units.

Message 29 of 84
sonvolt99
Star

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Yes, I have rebooted the unit and can ssh OK. Odd, but since making the change my curl script to shut down the Netgear NAS stopped working.
I reverted to the original scripts and it is back to normal with the SSL error, but the curl script works again. I downloaded an earlier version of Firefox and enabled TLS for access to admin frontview.
Will play about to try and resolve when I have more time.
Cheers

Message 30 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@sonvolt99 wrote:

Yes have rebooted unit,  can ssh ok, odd but since making the change my curl script to shutdown Netgear NAS stopped working.


Maybe post the curl script you are using?

 

All the change to virtual.conf does is eliminate any redirection from http to https.  If the curl script is already specifying https, then that should continue to work as before (still using https/tls). 

 

If the curl script is using https, I guess you could try changing it to http, and see if that resolves it.

Message 31 of 84
sonvolt99
Star

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Will give it a try, but it won't be till next week as I'm working all weekend. The curl script is using https.

Message 32 of 84
Sbyd
Tutor

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

I am setting up disk in Windows 10 and I cannot connect to the internet on the network. Orange lights on the NAS plug are on. Browsers are blocking access. It only works offline. This is a problem with the SMB protocol and certificates. The software is up-to-date (5.3).

Message 33 of 84
efgtest
Initiate

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

ReadyNAS RND2000 v?

If you do NOT have a Linux go to STEP 4, for the step by step NAS configuration.

ALWAYS  SAVE A COPY OF THE ORIGINAL FILE. 

 

Step by Step:  For those who have a Linux PC. (Fedora version) 

STEP 1: First you have to login as Root. (Open the "Terminal") and use the "su" command

at the command line: eg: [yourname@fedora~]$ su (Press Enter)

Enter your root password. (This step is necessary because you are going to use SSH to connect to your NAS as "Root" user.)

STEP 2: Start the SSH session :eg: root@Fedora mike ]# ssh (Enter)

The problem is: you can NOT connect with SSH because of the same problem. You will get an error like:

"Unable to negotiate ....no matching key exchange method found. Their offer: diffie-hellman-group1-sha1"

To fix this problem first, you have to modify the SSH config file at: etc/ssh and add a new command. "a new rule"

At prompt enter : cd /etc/ssh  then open the file "ssh_config" with "vi" then add 

one command line WITHOUT the "hashtag" (#): KexAlgorithms diffie-hellman etc (the bold line)

Example: (The Bold line)

 # etc....

# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# This system is following system-wide crypto policy.
# etc ....

 

And now save the file.!!!! (Always good to save a copy of the original ssh_config file!!!!)

STEP 3: Now you can connect to the NAS via SSH

at the prompt connect to your NAS by using the SSH command

eg: root@fedora mike]# ssh 192.168.1.200 (enter)  (Enter "yes" to accept the first time key exchange)

   

=== AND NOW YOU ARE CONNECTED TO YOUR NAS via SSH as Root user ===

The prompt will change into something like this: 

example:  name_of_your_NAS:~# 

 STEP 4: (Modify the Virtual.conf file)

Enter cd /etc/frontview/apache/ (The directory where the "Virtual.conf" file is located)

use the "ls" command to view the files if necessary. 

open this file with "vi" command. (vi Virtual.conf) [with Capital "V" !!!!]

it will look like this: 

#vers=2
<VirtualHost _default_:80>
SSLEngine off
RewriteEngine on
RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
</VirtualHost>

 

Make ALL the Bold lines a comment or "deactivate" them by adding the "#" 

<VirtualHost _default_:80>
SSLEngine off

#Start here

#RewriteEngine on
#RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
#RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]

#end here
</VirtualHost>

 

The "Start here" and "End here" are some extra comments to help you remember what you did. 

Save the file and reboot your NAS and now you can connect without any problem. Remember it is not a secure connection!

 

 

I hope there will be a new firmware update soon  😉

 

 

Message 34 of 84
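Added example, not part of efgtest's post: a KexAlgorithms line placed in /etc/ssh/ssh_config outside any Host block applies to every host the PC connects to. The functions below instead scope diffie-hellman-group1-sha1 to the NAS through a per-user Host block and report where that algorithm is enabled; the function names and the alias readynas are assumptions, and 192.168.1.200 is the address used in the post.

```shell
#!/bin/sh
# add_legacy_host CONFIG NAME ADDRESS
# Appends a Host block to a per-user ssh config (for example ~/.ssh/config)
# so the legacy key exchange is offered to this one host only.
# The leading "+" appends to OpenSSH's default list instead of replacing it.
add_legacy_host() {
    cfg=$1 name=$2 addr=$3
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg" && chmod 600 "$cfg"
    # Idempotent: leave the file alone if a block for NAME already exists.
    if grep -Eq "^[[:space:]]*Host[[:space:]]+$name([[:space:]]|\$)" "$cfg"; then
        return 0
    fi
    cat >>"$cfg" <<EOF

Host $name
    HostName $addr
    User root
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
}

# legacy_hosts CONFIG
# Prints the Host pattern of every block that enables group1-sha1.
# A matching line that appears before any Host line is global and is
# reported as *GLOBAL*.
legacy_hosts() {
    awk '
        tolower($1) == "host" { host = $2 }
        tolower($1) == "kexalgorithms" && $2 ~ /diffie-hellman-group1-sha1/ {
            print (host == "" ? "*GLOBAL*" : host)
        }' "$1"
}
```

After `add_legacy_host ~/.ssh/config readynas 192.168.1.200`, `ssh readynas` offers the old key exchange to the NAS while every other host keeps the client's defaults.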
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@efgtest wrote:

ReadyNAS RND2000 v?

 

Step by Step:  For those who have a Linux PC. (Fedora version) 

 


Thanks for the addition about changing the ssh config on a linux PC.  FWIW, that isn't required with Windows at this point.

 

If you have a Duo v2 - which says "ReadyNAS Duo v2" on the front panel - then I suggest using an old browser version, and installing the rnxtras add-on first.  That enables TLS 1.2 on the Duo.  If you still want to eliminate the https redirection for some reason, you can proceed with doing that.

 

Step 4 is already described in the earlier step by step (other than the use of vi).

 


@efgtest wrote:

I hope there will be a new firmware update soon

 


I don't think that will ever happen.  Netgear said there would be no more updates for these models in September 2016.  They did provide one more after that in response to WannaCry in May 2017. But I think it's pretty clear they are done now - it's been 9 years since they stopped manufacturing them.

 

Message 35 of 84
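Step 4 without vi, as an added example that is not from the thread: a shell function that saves a one-time copy of the file and comments out the rewrite lines only inside the port-80 VirtualHost, plus a check that counts any rewrite lines still active there. The function names are hypothetical; the file is passed as an argument (the post above gives /etc/frontview/apache/Virtual.conf).

```shell
#!/bin/sh
# active_rewrites FILE
# Prints how many uncommented RewriteEngine/RewriteRule lines remain inside
# the <VirtualHost ...:80> block. 0 means http is no longer redirected.
active_rewrites() {
    awk '
        /^[ \t]*<VirtualHost[ \t].*:80>/ { in80 = 1 }
        /^[ \t]*<\/VirtualHost>/         { in80 = 0 }
        in80 && /^[ \t]*Rewrite(Engine|Rule)[ \t]/ { n++ }
        END { print n + 0 }' "$1"
}

# disable_https_redirect FILE
# Keeps FILE.orig as the untouched original (written once, never overwritten),
# then prefixes "#" to the rewrite lines of the port-80 block. Other
# VirtualHost blocks are left as they are. Safe to run more than once.
disable_https_redirect() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig"
    awk '
        /^[ \t]*<VirtualHost[ \t].*:80>/ { in80 = 1 }
        /^[ \t]*<\/VirtualHost>/         { in80 = 0 }
        in80 && /^[ \t]*Rewrite(Engine|Rule)[ \t]/ { print "#" $0; next }
        { print }' "$conf" > "$conf.new" || return 1
    # Write through the existing file so its owner and mode are preserved.
    cat "$conf.new" > "$conf" && rm -f "$conf.new"
}
```

Run `disable_https_redirect` on the file, confirm `active_rewrites` prints 0, then restart frontview or reboot as described in the posts.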
saudade
Guide

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Just wanted to thank everyone for their contribution. 

 

I had to bring my Duo (4.1.16) back online to backup my now EOL WD EX4.  The SSL issue was driving me NUTS!!  I could only use Firefox as it prompted me to "turn back or proceed" unlike the other browsers (Chrome, Edge, Opera).   I figured it was only a matter of time until FF went all Suzy Orman on me, DENIED!!  (look her up if you don't get it).

 

Scary part was installing the root ssh access bin file but it went smoothly.  Once I had access, the rest was easy.  I did copy/paste the text for the conf file and didn't realize it had a typo in it.  The typo was corrected in a later post but I was too anxious to get this done.  The Duo didn't like it, but reading further I found the correction, made the correction, and now it connects fine with Chrome, FF, Opera, and Edge.

 

Once again, many thanks!!!

 

S

Message 36 of 84
sonvolt99
Star

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Reapplied this change when I replaced my 1.5 TB disk with a 2TB one to match the other disk. The change worked fine this time, so not sure what I screwed up last time.

Thanks again Stephen

Message 37 of 84
Magnyzz
Tutor

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

I have a ReadyNAS Ultra 4 with firmware 4.2.30.

In your post you say your procedure is for 4.1.x firmware ... does it work also for 4.2.30 firmware?  

(This is a reply to the first post by StephenB)

Message 38 of 84
sonvolt99
Star

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

See post 2 by StephenB; there is apparently an add-on for 4.2 systems, which would make the needed change.

Message 39 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@Magnyzz wrote:

In your post you say your procedure is for 4.1.x firmware ... does it work also for 4.2.30 firmware?  

(This is a reply to the first post by StephenB)


I haven't tested it (my 4.2.x Pro 6 was converted to OS-6 before this issue began).  If you have a 4.2.x system that can be converted to OS-6 (not an NVX and some rackmount models), then I recommend doing that instead.  That also gives you SMB 3.0, and several other features not in 4.2.x.

 

That said, I think my procedure will work on 4.2.x also. 

 

The add-on that @sonvolt99 refers to can be found here:

Note you can do both (making the change to allow frontview access from http w/o redirection, but also allowing https with TLS 1.2 to be used).

 

Message 40 of 84
Magnyzz
Tutor

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Thanks. I managed to solve it ... at least good enough for me. This is what I did.

1) I installed an old version (ver 91) of firefox on a usb-stick. This gave me access to the readynas admin web-page.

2) I installed  https://github.com/rdynsxtrs/rn4bin/blob/main/apache2/x86/Apache2_2.2.34-x86-0.2.0.bin

as an add-on using the admin web-page. (FYI, I got an installation error at the end as somebody else also pointed out but after restarting the nas it seems ok).

After these two steps I now have access from my normal chrome-browser. 

Message 41 of 84
TMcL
Tutor

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Thank you so much. Although I can follow the general logic and would/could do it if I was dead in the water, the specific steps are beyond what my old lady brain wants to tackle. For now I'm using EDGE with IE support. I guess I will upgrade to OS 6 this summer when I am not under end of year and tax processing issues. Thanks again.

Message 42 of 84
jmzorko
Guide

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

Stephen,

 

This is quite an interesting thread. I also have a ReadyNAS NV+ that still works well, and I'd quite like to update it to use TLS 1.2. However, I don't know the filename or location in the RNXtras repo for this addon. Can you illuminate me?

 

Regards,

 

John

 

Message 43 of 84
Sandshark
Sensei

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

There is no SSL update for the NV+ V1 or Duo V1.  Their unique SPARC processor makes it very difficult to compile any update today.  The only solution for those systems is to allow HTTP access to FrontView.

Message 44 of 84
givememynamebak
Luminary

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

@StephenB- I think with any version of Firefox (I'm using latest to date 109.0 on a Mac) you can go to about:config and search for security.tls.version.min and change it to 1.  Then you can get to FrontView on older ReadyNAS without needing specific versions of Firefox.

Message 45 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@givememynamebak wrote:

I think with any version of Firefox (I'm using latest to date 109.0 on a Mac) you can go to about:config and search for security.tls.version.min and change it to 1.  Then you can get to FrontView on older ReadyNAS without needing specific versions of Firefox.


That certainly is simpler than downloading an old version.  Thx for sharing.

Message 46 of 84
Sandshark
Sensei

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

The only concern with that is that if FireFox is your standard browser, then you'd also be allowing SSL 1.0 for external sites, which is not a good idea.  With a separate version (which now could be a later one than previously suggested, however) that you are careful to only use for ReadyNAS access, you can more easily avoid that possibility.

 

I frankly don't understand why the browser publishers are so unaware of this problem and don't allow you to select SSL 1.0 for a specific address or range of addresses, maybe even including an easy selection of all local-only address ranges and/or limiting selection to those ranges.  ReadyNAS is not the only older device with this issue.

Message 47 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@Sandshark wrote:

The only concern with that is that if FireFox is your standard browser, then you'd also be allowing SSL 1.0 for external sites, which is not a good idea. 


Yes that is the risk.  Personally I prefer the patch to allow normal http connections for Frontview (and not allowing internet connections to the legacy NAS).

Message 48 of 84
givememynamebak
Luminary

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)

@Sandshark- I agree it's a risk, but legit businesses have already been forced to upgrade.  It's still a cipher, just no longer considered strong crypto.  Nearly all sites these days are ssl/https with tls 1.2/1.3 which is mostly due to security paranoia but not all companies are transmitting data that are worthy of encryption outside of a normal login or a purchase.  Any BigIP appliance like can decode https on the fly, so... there is that.  I remember when 256bit encryption was a US only thing while 56bit was used outside the US due to US tech/crypto laws (which no-one seems to talk about anymore.)  Some encryption is better than none and I see the risk as almost non-existent for TLS 1.0 sites these days.  You're right, it doesn't seem like it would have been difficult to solve with your idea to supply an IP block. It would have been a better idea than just setting a global accept TLS 1 flag and would have worked into the future as well.  They should have that across all browsers.  The patch only works once you're into your legacy ReadyNAS for long term usage.  If you have to do a factory reset, you still have to start with a supported browser unfortunately.

 

A better option would have been for these companies to support even their legacy products and supply a patch.

Message 49 of 84
StephenB
Guru

Re: Workaround for ERR_SSL_VERSION_OR_CIPHER_MISMATCH problem for Sparc NAS (4.1.x firmware)


@givememynamebak wrote:

It's still a cipher, just no longer considered strong crypto.

Just to clarify this for others:

 

A bad actor with enough computation resources can successfully pull off a "man in the middle" attack with TLS 1.0.  For instance, it can intercept your communications with your bank, and there is no way you could tell that was happening.  It could even substitute mis-information for the info from the real bank website, and your browser could not detect that.

 

This attack was considered theoretical for a long time - but in 2017, some researchers pulled it off in practice.  It required a lot of computer resources - making it very expensive for the bad actor.  However, over time the computation cost continues to drop, so at some point it becomes affordable. I don't know what the cost would be with current cloud computers.

 

The risk of making the setting change in FireFox is that the downgrade to TLS 1.0 is (silently) allowed for every site you visit, and not just when communicating with the NAS. So you would be undefended against these attacks.

Message 50 of 84