× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.
Orbi WiFi 7 RBE973
Reply

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

irae
Guide

ReadyNAS NV+ V2 TLS Support; may not be able to access soon

Hi

 

I have a ReadyNAS NV+ V2 which I have been using for many years. Just did some digging and I purchased it October 2012!

 

The problem I have is that it only support TLS V1.0. I managed to login today (using Firefox) and adding an exception but soon Firefox (and other browsers) will block TLS V1.0 entirely. Is there any way to get this device to support later TLS versions?

 

I'm running RAIDiator 5.3.13 which appears to be the latest version.

 

Thanks in advance

Ian

 

 

Model: RND4000v2|ReadyNAS NV+ v2 Chassis only
Message 1 of 14

Accepted Solutions
irae
Guide

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

OK, so I think I have a solution.

 

After a bit of noseying around on the NAS drive over ssh, I found the config files in /etc/frontview/apache; there is an Apache config over in /etc/apache2/ but that one seems un-used. I've done the following

  • backed up the contents of that folder (/etc/frontview/apache) to the a backup folder under the root user (/root/conf_backup/)
  • edited Virtual.conf; this had rewrite rules from http to https (not convinced that's the most elegant way to implement https, but never mind)
  • edit httpd.conf to remove any SSL references

I've done a couple of re-boots and the admin console apprears to be working fine over http; so I'm happy again.

 

Virtual.conf edits:

root@server:/etc/frontview/apache# diff Virtual.conf ~/conf_backup/
1,3d0
< #
< # edited by Ian on 13-April-2020
< #
5d1
< #edit by Ian; 13-Apr-2020
8,11c4,7
< #   RewriteEngine on
< #   RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
< #   RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
< #   RewriteRule ^(cgi-bin) - [L]
---
>   RewriteEngine on
>   RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
>   RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
>   RewriteRule ^(cgi-bin) - [L]
root@nas-BE-AB-2D:/etc/frontview/apache#

 

httpd.conf edits:

root@server:/etc/frontview/apache# diff httpd.conf ~/conf_backup/
1d0
< # edited by Ian; 13-Apr-2020 at 17:38
178,190c177,185
< #Edited by Ian on 13-April-2020
< #
< # Listen 443
< # SSLEngine On
< # SSLSessionCache dbm:/ramfs/gcache.db
< # SSLSessionCacheTimeout 600
< # SSLCACertificatePath /etc/frontview/apache
< # SSLCertificateFile /etc/frontview/apache/apache.pem
< # SSLProtocol all -SSLv2 -SSLv3
< # SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
< # SSLHonorCipherOrder on
< #
< # End of Edit
---
> Listen 443
> SSLEngine On
> SSLSessionCache dbm:/ramfs/gcache.db
> SSLSessionCacheTimeout 600
> SSLCACertificatePath /etc/frontview/apache
> SSLCertificateFile /etc/frontview/apache/apache.pem
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> SSLHonorCipherOrder on
305,312c300,303
< # Edited by Ian on 13-April-2020
< #
< # # For APPGENIE
< # SSLProxyEngine on
< # SSLProxyCheckPeerCN on
< # SSLProxyCheckPeerExpire on
< #
< # End of edit
---
> # For APPGENIE
> SSLProxyEngine on
> SSLProxyCheckPeerCN on
> SSLProxyCheckPeerExpire on
root@nas-BE-AB-2D:/etc/frontview/apache#

 

It does seem a bit, well backward, to push the console down to http in 2020 but it's working. This device is on my home network and I'm using as a backup to my main NAS now so it's safe enough.

 

Hope this solution is of use to others.

 

Thanks for the input.

Ian

 

 

 

 

View solution in original post

Message 6 of 14

All Replies
Marc_V
NETGEAR Employee Retired

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

@irae

 

Welcome to the Community!

 

ON OS4 and OS5 it does only support TLS1.0 and unfortunately, there's no way we can get the latest versions supported and no plans on doing any update for the legacy FW.

 

HTH

 

Regards

Message 2 of 14
irae
Guide

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

Thanks Marc for the response

 

It's a shame but was what I suspected. Annoyingly I can't "just" access over http either since the NAS 301's the request to the https equivalent URL. The NAS is running an Apache httpd server I think; thinking out loud, is there a way to ssh onto the NAS and edit the httpd.conf file and disable that 301 behaviour?

 

Ian

Message 3 of 14
StephenB
Guru

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon


@irae wrote:

 

It's a shame but was what I suspected. Annoyingly I can't "just" access over http either since the NAS 301's the request to the https equivalent URL. The NAS is running an Apache httpd server I think; thinking out loud, is there a way to ssh onto the NAS and edit the httpd.conf file and disable that 301 behaviour?

 


That might be possible, but might not be sticky (the config change might not survive reboots).  Ideally you'd disable https, so you could connect to admin page with http.

Message 4 of 14
Sandshark
Sensei

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

On an OS 5.x system, you can access shares over HTTP, but not the admin page.  Unlike on some other OS versions, there is no way to enable admin access over HTTP that I have found (save going in via SSH and modifying Virtual.conf) and one cannot turn off HTTPS (hoping that would also enable admin access over HTTP).

 

I've not tried editing Virtual.conf on a 5.x system, but I know it does get overwritten on other OS's.  httpd.conf calls addons.conf after Virtual.conf, and (as best I can tell) addons.conf appears to be there for addon packages to use so the OS does not overwrite anything the addons add.  So, anything in addons.conf should override Virtual.conf and not get overwritten, but I'm not sure how to override the admin page HTTPS re-direct outside of Virtual.conf itself.

 

If you do find something that works, please share it with the forum.

Message 5 of 14
irae
Guide

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

OK, so I think I have a solution.

 

After a bit of noseying around on the NAS drive over ssh, I found the config files in /etc/frontview/apache; there is an Apache config over in /etc/apache2/ but that one seems un-used. I've done the following

  • backed up the contents of that folder (/etc/frontview/apache) to the a backup folder under the root user (/root/conf_backup/)
  • edited Virtual.conf; this had rewrite rules from http to https (not convinced that's the most elegant way to implement https, but never mind)
  • edit httpd.conf to remove any SSL references

I've done a couple of re-boots and the admin console apprears to be working fine over http; so I'm happy again.

 

Virtual.conf edits:

root@server:/etc/frontview/apache# diff Virtual.conf ~/conf_backup/
1,3d0
< #
< # edited by Ian on 13-April-2020
< #
5d1
< #edit by Ian; 13-Apr-2020
8,11c4,7
< #   RewriteEngine on
< #   RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
< #   RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
< #   RewriteRule ^(cgi-bin) - [L]
---
>   RewriteEngine on
>   RewriteRule ^/admin/(.*)$ https://%{SERVER_NAME}/admin/$1 [R,L]
>   RewriteRule ^/admin$ https://%{SERVER_NAME}/admin
>   RewriteRule ^(cgi-bin) - [L]
root@nas-BE-AB-2D:/etc/frontview/apache#

 

httpd.conf edits:

root@server:/etc/frontview/apache# diff httpd.conf ~/conf_backup/
1d0
< # edited by Ian; 13-Apr-2020 at 17:38
178,190c177,185
< #Edited by Ian on 13-April-2020
< #
< # Listen 443
< # SSLEngine On
< # SSLSessionCache dbm:/ramfs/gcache.db
< # SSLSessionCacheTimeout 600
< # SSLCACertificatePath /etc/frontview/apache
< # SSLCertificateFile /etc/frontview/apache/apache.pem
< # SSLProtocol all -SSLv2 -SSLv3
< # SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
< # SSLHonorCipherOrder on
< #
< # End of Edit
---
> Listen 443
> SSLEngine On
> SSLSessionCache dbm:/ramfs/gcache.db
> SSLSessionCacheTimeout 600
> SSLCACertificatePath /etc/frontview/apache
> SSLCertificateFile /etc/frontview/apache/apache.pem
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> SSLHonorCipherOrder on
305,312c300,303
< # Edited by Ian on 13-April-2020
< #
< # # For APPGENIE
< # SSLProxyEngine on
< # SSLProxyCheckPeerCN on
< # SSLProxyCheckPeerExpire on
< #
< # End of edit
---
> # For APPGENIE
> SSLProxyEngine on
> SSLProxyCheckPeerCN on
> SSLProxyCheckPeerExpire on
root@nas-BE-AB-2D:/etc/frontview/apache#

 

It does seem a bit, well backward, to push the console down to http in 2020 but it's working. This device is on my home network and I'm using as a backup to my main NAS now so it's safe enough.

 

Hope this solution is of use to others.

 

Thanks for the input.

Ian

 

 

 

 

Message 6 of 14
StephenB
Guru

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

Thx for sharing this.

Message 7 of 14
ajwh1
Aspirant

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

I have the same problem...

I'm not into Unix so I assume I'll lose access to the admin page.

Will I also lose network (Win10 /Retrospect) access to the shares?

 

Andrew

 

Firmware:RAIDiator 4.1.15 [1.00a043] 
Model: ReadyNAS-NV+|ReadyNAS NV+
Message 8 of 14
Sandshark
Sensei

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

Just be sure to keep a copy in case your edits get overwritten.  A long time ago, I made changes in Virtual.conf on an NV+, for WebDAV, if memory serves.  If I remember correctly, any time I added or deleted a share, it re-created Virtual.conf, erasing my edits.  There may have been other instances as well.

Message 9 of 14
irae
Guide

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

This problem just impacts the admin page Andrew. So it's still your NAS NV is still valuable as back up device, just that you'll lose access to the admin page.

 

You might be able to download an old browser version (maybe an old version of IE for example) which woud allow access, I've not tried that approach since I don't want old browsers on my system, but I'd advise only ever using that brower for your NAS admin and not for general internest usage.

 

 

Message 10 of 14
irae
Guide

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

Good point.

I have kept a backup of my edits in the root user's home directory, not sure if that's wiped as you describe. And, of course, I can come back to this page to d/l the patch.

 

Message 11 of 14
ajwh1
Aspirant

Re: ReadyNAS NV+ TLS Support; may not be able to access soon

Thanks - that's what I was hoping....

Message 12 of 14
FlorinC
Fledgling

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon

Hello,

 

This solution can be detailed for biginers in Netorking?

 

Regards Florin

Message 13 of 14
StephenB
Guru

Re: ReadyNAS NV+ V2 TLS Support; may not be able to access soon


@FlorinC wrote:

This solution can be detailed for biginers in Netorking?


https://community.netgear.com/t5/New-ReadyNAS-Users-General/Workaround-for-ERR-SSL-VERSION-OR-CIPHER...

 

Once you have access (either with IE or an old version of firefox), you can install the add-on for the NV+ v2 from rnxtras.

 

Note that if the front panel says ReadyNAS NV+ v2 then the add-on is compatible. 

 

If it just says ReadyNAS NV+, then you have the original NV+ (called a v1 here).  In that case the add-on won't work.

Message 14 of 14
Top Contributors
Discussion stats
  • 13 replies
  • 11016 views
  • 3 kudos
  • 6 in conversation
Announcements