One thing I've been trying to do is configure the web server to use an SSL certificate using an actual (not self-signed) certificate purchased from a CA, and I just can't figure it out.
Managed to get a CSR generated, a cert procured by the CA, loaded (I think) into the switch, and applied to the web service as you can see below:
> /ip service print
Flags: X - disabled, I - invalid
 #    NAME      PORT  ADDRESS  CERTIFICATE
 0 XI telnet      23
 1 XI ftp         21
 2    www         80
 3    ssh         22
 4    www-ssl    443           sw01_cert
 5 XI api       8728
 6    winbox    8291
 7 XI api-ssl   8729           none
sslscan against my switch's IP
% sslscan 10.0.0.x
Version: 2.0.9-static
OpenSSL 1.1.1k 25 Mar 2021
Connected to 10.0.0.x
Testing SSL server 10.0.0.x on port 443 using SNI name 10.0.0.x
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled
TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support
Heartbleed:
Supported Server Cipher(s):
Certificate information cannot be retrieved.
curl -svo /dev/null https://10.0.0.x/
* Trying 10.0.0.x...
* TCP_NODELAY set
* Connected to 10.0.0.x (10.0.0.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [205 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection 0
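The curl output above ends in a fatal handshake_failure alert, which is why sslscan reports every protocol as disabled and cannot retrieve the certificate. The following probe, an added example that is not from the original post, separates that case (the server answers the ClientHello with an alert) from a closed port and from a working endpoint whose served certificate can be fingerprinted; the local alerting server is a constructed stand-in for the misbehaving switch, and the host and port are placeholders.

```python
import hashlib
import socket
import ssl
import threading

# Constructed TLS record: content type alert (0x15), version 3.3, length 2,
# level fatal (2), description handshake_failure (40), the alert curl logged.
HANDSHAKE_FAILURE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"


def probe_tls(host, port=443, timeout=3.0):
    """One handshake attempt, classified: ("ok", version, sha256-of-DER),
    ("handshake_failure", reason), ("tls_error", reason) or ("closed", detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only: we want the handshake outcome,
    ctx.verify_mode = ssl.CERT_NONE  # not a trust decision about the certificate
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                # Fingerprint lets you compare against the cert you uploaded.
                return ("ok", tls.version(), hashlib.sha256(der).hexdigest())
    except ssl.SSLError as exc:
        reason = exc.reason or str(exc)
        if "HANDSHAKE_FAILURE" in reason:
            return ("handshake_failure", reason)
        return ("tls_error", reason)
    except OSError as exc:           # refused, reset or EOF before any TLS record
        return ("closed", str(exc))


def fake_alerting_server():
    """Constructed stand-in: accept TCP, read the ClientHello, reply with a fatal
    handshake_failure alert instead of a ServerHello. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)          # the client's ClientHello
            conn.sendall(HANDSHAKE_FAILURE_ALERT)
        finally:
            conn.close()
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    demo_port, _ = fake_alerting_server()
    print(probe_tls("127.0.0.1", demo_port))   # placeholder target; use your switch IP
```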