Newer versions of Chrome, Firefox, Internet Explorer and other browsers will no longer connect to servers that only offer insecure ciphers.
If your Opengear appliance is running firmware 3.16.4 or Lighthouse 4.5.5u1 or older, you may see one of the following messages in your browser:
Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Hostname uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
To remove RC4 ciphers from older firmware, run the command below.
config -s config.https.customciphers="AES256-SHA:-aNULL:-eNULL:-EXP:-SSLv2:@STRENGTH" -a
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://hostname again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4, which is not considered secure. Please contact your site administrator.
Log in as root or an admin user on the CLI and run the following command to enable only TLS 1.2. Both TLS 1.0 and TLS 1.1 will be disabled.
config -s config.https.customciphers="ALL:-aNULL:-eNULL:-TLSv1" -a
To check that TLS 1.0 and TLS 1.1 are disabled, run the command below (it is one long line). Every line it prints is a protocol version and cipher that the appliance still accepts.
for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do openssl s_client -connect 127.0.0.1:443 -cipher "$c" -$v < /dev/null > /dev/null 2>&1 && printf '%s\t%s\n' "$v" "$c"; done; done
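A more portable version of the same check, added here as an example rather than Opengear's own tooling: it runs from a workstation, attempts one handshake per TLS version against the appliance's HTTPS port (host and port are arguments; trust of the certificate is deliberately not checked), and reports whether TLS 1.0 or 1.1 is still accepted. It assumes the workstation's own OpenSSL can still offer the legacy versions; if it cannot, those probes report "refused" for the wrong reason.

```python
"""Report which TLS protocol versions a server still accepts (added example)."""
import socket
import ssl

# Each probe pins both minimum and maximum version to one entry of this table.
VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1", "TLSv1.1"}  # versions that should be disabled


def probe(host, port, version, timeout=5.0):
    """Return the negotiated protocol name if the server accepts `version`, else None.

    Caveat: None is also returned when the client's own OpenSSL refuses to offer the
    version, so run this from a client that can still speak TLS 1.0/1.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is under test, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Legacy versions need legacy suites; lower the client's security level.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def summarize(results):
    """results maps version name -> probe() result; returns (accepted, legacy_accepted)."""
    accepted = [name for name in VERSIONS if results.get(name) is not None]
    return accepted, [name for name in accepted if name in LEGACY]


def scan(host, port=443):
    return summarize({name: probe(host, port, v) for name, v in VERSIONS.items()})


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # appliance address
    accepted, legacy = scan(target)
    print("accepted:", ", ".join(accepted) or "none")
    print("TLS 1.0/1.1 still enabled:", ", ".join(legacy) or "no")
```

After applying the TLS 1.2-only cipher string, a correctly configured appliance should list only TLSv1.2 (and TLSv1.3 where the firmware supports it) as accepted.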
If the configuration is reset to factory default, you will need to apply the command again. Opengear strongly recommends upgrading to the latest firmware which removes insecure ciphers.
https://ftp.opengear.com/download/opengear_appliances/
Note: If you want to revert to the default supported ciphers, you can do so with the following command:
config -d config.https.customciphers -a