I next wanted to set up my hEX S the same way, but rather than follow the exact same instructions, I says to myself, "Hey self, I know, I'll use the CRS328 as my CA for the whole site!" I'm clever that way, which causes no end of trouble. 🙄
I created a certificate for the hEX on the CRS328, signed it, exported it, and uploaded it to the other router. It imports and looks fine in System → Certificates on both sides, but after applying it to the www-ssl service, I can't get any HTTPS client to connect to it, including ones that successfully connect to the CRS328.
Firefox gives an SSL_ERROR_NO_CYPHER_OVERLAP error, meaning the browser and router couldn't agree on a common cipher suite. Chrome gives its version of the same complaint, ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
I therefore decided to dig deeper, asking the OpenSSL s_client tool (v1.1.1k) what it thinks:
Code:
$ openssl s_client -connect 1.2.3.4:443 -tls1_2 -CAfile /path/to/my/root/ca.crt
CONNECTED(00000003)
4406840768:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 194 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1625699461
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
I believe the problem is that "Cipher is (NONE)" bit: the router is returning no cipher list, and modern HTTPS clients will refuse to negotiate a null ciphersuite.
Both routers have the service configured as:
Code:
/ip service set www-ssl certificate=certname disabled=no tls-version=only-1.2
Does it matter that my CRS328 is running 7.1beta6 and my hEX S 6.48.3? I need the last stable version on the hEX for $REASONS, but I also want to play with the latest fun stuff, so that's how I've arranged it. Is the issue perhaps a lack of TLS 1.2+ in the ROS 6.x line?
I haven't tried minting a CA root cert on the hEX, since I don't see that the certificate controls what ciphersuites the HTTPS server offers. I've configured TLS before on other systems, and the two are separate areas of configuration.
I've tried both the CLI way and the WinBox way for creating and signing these certificates. I get the same symptoms either way.
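An added example, not from the post or from MikroTik, that turns s_client output like the above into a triage verdict. The failed-handshake sample is the output quoted in the post; the successful sample is constructed. Note the caveat it surfaces: "Verification: OK" with "no peer certificate available" means nothing was verified, not that the certificate was trusted.

```python
import re

# Sample 1: the failed handshake quoted in the post above (trimmed to the relevant lines).
FAILED = """CONNECTED(00000003)
4406840768:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 194 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Sample 2: a constructed healthy handshake (hostname and cipher are made up for illustration).
OK = """CONNECTED(00000003)
depth=0 CN = router.example
verify return:1
---
Certificate chain
 0 s:CN = router.example
---
SSL handshake has read 1234 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

def triage(output: str) -> dict:
    """Classify an `openssl s_client` transcript: alert number, negotiated cipher,
    whether a peer certificate arrived, and whether 'Verification: OK' means anything."""
    alert = re.search(r"SSL alert number (\d+)", output)
    cipher = re.search(r"^New, .*?, Cipher is (\S+)", output, re.M)
    got_cert = "no peer certificate available" not in output
    verified = re.search(r"^Verification: OK", output, re.M) is not None
    result = {
        "alert": int(alert.group(1)) if alert else None,
        "cipher": None if not cipher or cipher.group(1) == "(NONE)" else cipher.group(1),
        "peer_cert": got_cert,
        # 'Verification: OK' only records the absence of a verify error; with no
        # certificate received, nothing about trust has actually been checked.
        "verification_meaningful": verified and got_cert,
    }
    if result["alert"] == 40 and result["cipher"] is None:
        result["verdict"] = "handshake_failure: server offered no cipher (check server key/cert and TLS settings)"
    elif result["cipher"]:
        result["verdict"] = "negotiated " + result["cipher"]
    else:
        result["verdict"] = "inconclusive"
    return result
```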