any success stories in that new v6.1 feature?
for me, Wireshark shows that the client connects to the api-ssl port, sends an SSLv2 Hello, and the server ACKs that packet and then keeps silent - no data from it at all
any comments, MT Support?..
if you have no certificates set for api-ssl (which is the default)
you can use the TLSv1 client method with an ADH cipher enabled.
something like this using OpenSSL:
#include <openssl/ssl.h>
#include <openssl/bio.h>

SSL_CTX *ctx;
SSL *ssl;
BIO *bio;
SSL_library_init();                        /* required once per process on OpenSSL < 1.1.0 */
ctx = SSL_CTX_new(TLSv1_client_method());
/* OpenSSL treats spaces like colons, so this list means ADH or AES256 or SHA suites;
   against a server with no certificate only the anonymous DH suites can match */
SSL_CTX_set_cipher_list(ctx, "ADH AES256 SHA ");
ssl = SSL_new(ctx);
bio = BIO_new_socket(sock, BIO_NOCLOSE);  /* sock: already connected TCP socket fd */
SSL_set_bio(ssl, bio, bio);
if (SSL_connect(ssl) != 1) {
    /* on a non-blocking socket check SSL_get_error() for WANT_READ/WANT_WRITE and retry */
}
then you can use SSL_read/SSL_write to do your bidding. Just check whether you have a blocking or non-blocking socket (in the example code the variable "sock" is initialized previously as a TCP/IP socket fd)
if you are on Linux you can use the sslscan tool to see what api-ssl supports in your current configuration state.
the problem is… sslscan says nothing
(I’m using port 443 for api-ssl so that Wireshark decode SSL data; www-ssl is disabled at that moment)
# sslscan 192.168.200.48:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server 192.168.200.48 on port 443
Supported Server Cipher(s):
and here it hangs too - waits for the server’s answer. I generated and selected a certificate - nothing changed, it just hangs
here's the sniff attached (I don't know why RouterOS Packet Sniffer duplicated all packets)
p.s. with the same code of mine I can receive the response from www-ssl, and only the silence from api-ssl
api-ssl.pcap.zip (407 Bytes)
most probably you have to try a newer build, like the one from this morning.
with cert set:
$ sslscan 192.168.88.1:8729 |grep Accepted
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 56 bits DES-CBC-SHA
without cert set:
$ sslscan 192.168.88.1:8729 |grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
On the other hand, if you are not sending anything once the SSL/TLS session is established, you are not going to get any reply. You have to adhere to the API and send in commands, as it expects to receive len + "/login" to initiate the login sequence; there is nothing different between api and api-ssl but the SSL/TLS handshake and the encrypted data over the communication channel.
Tip: start with simple mode without cert using ADH
here's what I have on the build from May/30/2013 09:54:26
with cert:
[root@info ~]# sslscan 192.168.200.48:8729
Testing SSL server 192.168.200.48 on port 8729
Supported Server Cipher(s):
Failed SSLv2 168 bits DES-CBC3-MD5
Failed SSLv2 128 bits IDEA-CBC-MD5
Failed SSLv2 128 bits RC2-CBC-MD5
Failed SSLv2 128 bits RC4-MD5
Failed SSLv2 56 bits DES-CBC-MD5
Failed SSLv2 40 bits EXP-RC2-CBC-MD5
Failed SSLv2 40 bits EXP-RC4-MD5
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Failed SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits KRB5-DES-CBC3-SHA
Failed SSLv3 168 bits KRB5-DES-CBC3-MD5
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-SEED-SHA
Failed SSLv3 128 bits DHE-DSS-SEED-SHA
Failed SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Failed SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits ADH-SEED-SHA
Failed SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 128 bits SEED-SHA
Failed SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Failed SSLv3 128 bits KRB5-IDEA-CBC-SHA
Failed SSLv3 128 bits KRB5-IDEA-CBC-MD5
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Failed SSLv3 128 bits KRB5-RC4-SHA
Failed SSLv3 128 bits KRB5-RC4-MD5
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 56 bits KRB5-DES-CBC-SHA
Failed SSLv3 56 bits KRB5-DES-CBC-MD5
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-SHA
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-SHA
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 40 bits EXP-KRB5-RC4-SHA
Failed SSLv3 40 bits EXP-KRB5-RC4-MD5
Failed SSLv3 0 bits NULL-SHA256
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Failed TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Failed TLSv1 256 bits AES256-SHA
Failed TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits KRB5-DES-CBC3-SHA
Failed TLSv1 168 bits KRB5-DES-CBC3-MD5
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-SEED-SHA
Failed TLSv1 128 bits DHE-DSS-SEED-SHA
Failed TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Failed TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits ADH-SEED-SHA
Failed TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Failed TLSv1 128 bits AES128-SHA
Failed TLSv1 128 bits SEED-SHA
Failed TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Failed TLSv1 128 bits KRB5-IDEA-CBC-SHA
Failed TLSv1 128 bits KRB5-IDEA-CBC-MD5
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Failed TLSv1 128 bits KRB5-RC4-SHA
Failed TLSv1 128 bits KRB5-RC4-MD5
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 56 bits KRB5-DES-CBC-SHA
Failed TLSv1 56 bits KRB5-DES-CBC-MD5
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-SHA
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-SHA
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 40 bits EXP-KRB5-RC4-SHA
Failed TLSv1 40 bits EXP-KRB5-RC4-MD5
Failed TLSv1 0 bits NULL-SHA256
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
[root@info ~]#
and without cert:
[root@info ~]# sslscan 192.168.200.48:8729
Testing SSL server 192.168.200.48 on port 8729
Supported Server Cipher(s):
and here it hangs…
a fresh RB951-2n shows the same hanging on the latest version
I do not have that router at hand, however I have tried it against the following routers:
RB2011
RB800
RB433
RB433AH
RB333
various CCR
RB1100AH
I will check the RB951-2n later.
with and without certificates. It is more than weird that this test tool is failing everything, as half is failed and the other part is rejected; here is a full sample test:
$ sslscan 192.168.88.1:8729
Testing SSL server 192.168.88.1 on port 8729
Supported Server Cipher(s):
Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Rejected SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA
Rejected SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected SSLv3 256 bits AECDH-AES256-SHA
Rejected SSLv3 256 bits SRP-AES-256-CBC-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits SRP-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Rejected SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA
Rejected SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected SSLv3 128 bits AECDH-AES128-SHA
Rejected SSLv3 128 bits SRP-AES-128-CBC-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Rejected SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Failed SSLv3 0 bits NULL-SHA256
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Rejected TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA
Rejected TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected TLSv1 256 bits AECDH-AES256-SHA
Rejected TLSv1 256 bits SRP-AES-256-CBC-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits SRP-3DES-EDE-CBC-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Rejected TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA
Rejected TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected TLSv1 128 bits AECDH-AES128-SHA
Rejected TLSv1 128 bits SRP-AES-128-CBC-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Rejected TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Failed TLSv1 0 bits NULL-SHA256
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
TLSv1 256 bits ADH-AES256-SHA
SSL Certificate:
guys, can somebody else check that?
tried the router you named, same result.
[admin@MikroTik] > sy routerboard print
routerboard: yes
model: 951-2n
serial-number: DDDDDDDDDDDD
current-firmware: 3.02
upgrade-firmware: 3.08
[admin@MikroTik] > sy resource print
uptime: 2m52s
version: 6.1rc1
build-time: May/30/2013 09:54:26
free-memory: 9.9MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 350MHz
cpu-load: 1%
free-hdd-space: 108.6MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 1092
write-sect-total: 115888
bad-blocks: 0.1%
architecture-name: mipsbe
board-name: RB951-2n
platform: MikroTik
$ sslscan 192.168.88.1:443 |grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
if you can make this accessible over the network, I could try to connect to it or to any other router.
edit:
it was updated from 5.25 to the current version, if that gives any clues.
yep, it would be nice
I sent all info to support@ at 13:00 GMT, still didn't receive a reply, hope you will find it (search for 'janisk' in the title)
UPD: Ticket 2013060466000665
Support connected to your router, and it works fine. Is that correct, Chupaka?
this definitely should work on api-ssl socket:
openssl s_client -host 192.168.88.1 -port 8729 -cipher ADH-AES256-SHA
and over this you can run simple RouterOS API protocol communication as could have been done via unencrypted connection.
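Putting janisk's two remarks together (a certificate-less api-ssl only offers anonymous-DH suites, and once the handshake is done it speaks the ordinary RouterOS API, starting with a length-prefixed "/login"), here is an added example in Python. It is not code from the thread or from MikroTik: it encodes API words and sentences with the protocol's variable-length prefix, performs the challenge-response /login that RouterOS 6.x used, and opens the TLS connection with the same ADH-AES256-SHA suite as the s_client command above. The host, port, user name and password are placeholders; the "@SECLEVEL=0" cipher-string suffix and the TLS 1.0 minimum are assumptions about the client's OpenSSL build, which must still include anonymous DH for the handshake to complete at all. Anonymous DH authenticates nobody, so such a connection can be intercepted without any warning; treat it as a lab connectivity check, not as a production client.

```python
"""RouterOS API over api-ssl (added example, not from the thread or MikroTik)."""
import hashlib
import socket
import ssl


def encode_length(n: int) -> bytes:
    """Variable-length prefix that precedes every API word."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")


def decode_length(buf: bytes, pos: int):
    """Inverse of encode_length: returns (length, position after the prefix)."""
    b0 = buf[pos]
    if b0 < 0x80:
        return b0, pos + 1
    if b0 < 0xC0:
        return int.from_bytes(buf[pos:pos + 2], "big") & 0x3FFF, pos + 2
    if b0 < 0xE0:
        return int.from_bytes(buf[pos:pos + 3], "big") & 0x1FFFFF, pos + 3
    if b0 < 0xF0:
        return int.from_bytes(buf[pos:pos + 4], "big") & 0x0FFFFFFF, pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_sentence(words) -> bytes:
    """A sentence is length-prefixed words closed by a zero-length word."""
    raw = [w.encode() for w in words]
    return b"".join(encode_length(len(w)) + w for w in raw) + b"\x00"


def decode_sentences(buf: bytes):
    """Split a buffer of complete sentences into lists of words."""
    sentences, words, pos = [], [], 0
    while pos < len(buf):
        n, pos = decode_length(buf, pos)
        if n == 0:
            sentences.append(words)
            words = []
        else:
            words.append(buf[pos:pos + n].decode())
            pos += n
    return sentences


def challenge_from_reply(sentences) -> str:
    """The first /login reply carries '=ret=<32 hex chars>'."""
    for words in sentences:
        for w in words:
            if w.startswith("=ret="):
                return w[len("=ret="):]
    raise ValueError("no =ret= challenge in reply: %r" % (sentences,))


def login_response(password: str, challenge_hex: str) -> str:
    """Pre-6.43 login proof: '00' + MD5(0x00 || password || challenge)."""
    md5 = hashlib.md5(b"\x00" + password.encode() + bytes.fromhex(challenge_hex))
    return "00" + md5.hexdigest()


def read_reply(tls: ssl.SSLSocket):
    """Read until a sentence starting with !done/!trap/!fatal has arrived."""
    buf = b""
    while True:
        chunk = tls.recv(4096)
        if not chunk:
            raise ConnectionError("api-ssl closed the connection")
        buf += chunk
        try:
            sentences = decode_sentences(buf)
        except (IndexError, UnicodeDecodeError):  # word cut mid-way, keep reading
            continue
        if any(s and s[0] in ("!done", "!trap", "!fatal") for s in sentences):
            return sentences


def connect_api_ssl(host: str, port: int = 8729) -> ssl.SSLSocket:
    """TLS to api-ssl with the ADH suite from the thread: no server authentication,
    lab use only.  Assumes the client OpenSSL still allows ADH + TLS 1.0 at seclevel 0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # nothing to verify with an aNULL suite
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ADH-AES256-SHA:@SECLEVEL=0")
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=10))


def login(tls: ssl.SSLSocket, user: str, password: str):
    """Two-step /login as RouterOS 6.x before 6.43 expected it."""
    tls.sendall(encode_sentence(["/login"]))
    challenge = challenge_from_reply(read_reply(tls))
    tls.sendall(encode_sentence(["/login", "=name=" + user,
                                 "=response=" + login_response(password, challenge)]))
    return read_reply(tls)          # [['!done']] on success, a !trap sentence otherwise
```

Usage against a lab router with placeholder credentials: `tls = connect_api_ssl("192.168.88.1"); print(tls.cipher()); print(login(tls, "admin", ""))`. If the handshake hangs the way the thread describes, `tls.cipher()` is never reached, which separates a TLS-layer problem from an API-layer one (an empty reply after a successful handshake means the router is simply waiting for a sentence).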
that's making me crazy…
why were all those API logins from IPv6 addresses? that router does not have IPv6 connectivity…
10:21:09 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:21:09 system,info address added by admin
10:21:09 system,info address removed by admin
10:21:09 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:22:59 system,info filter rule added by admin
10:23:13 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
10:23:13 system,info address added by admin
10:23:13 system,info address removed by admin
10:23:13 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
also, http://www.ssltest.net/ says “The server 93.xxx.yy.z55 is responding, but does not return any SSL certificates. (sc0)”
could you open API access for demo2.mt.lv?.. currently it's blocked by the firewall
we will check what happens to the IP addresses when logged into the router, as they appear to be wrong in the logs.
API-SSL for now is open on demo routers. But that can change anytime.
okay
Janis, thanks for your examples, I managed to establish a TLS connection from my app; the details I'll write later to support@ - it hangs with some settings (including the default ones in the Ararat Synapse library), it should not be that way =)
it looks like that library can easily interface with OpenSSL. If that is the case, you should not have any problems working with the API-SSL interface with either blocking or non-blocking sockets.
The C++ compiled binary I used to check your router used non-blocking sockets, and that added some complexity to checking SSL states when communicating.
I was having the reported trouble with sslscan when testing against an RB750G running 6.1. sslscan was hanging.
I found that passing the --tls1 parameter (i.e. not scanning SSLv2 and SSLv3) makes the scan work:
bash-3.2# sslscan --tls1 10.0.1.3:8729 | grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
So when troubleshooting, use --tls1.
Yep, that's what I wrote to support. As I can see, they won't fix that
I spoke too soon. Using --tls1 doesn't make the scan work in all cases. I intermittently have the same problem with an RB750 and a Groove, both running 6.1.