any success stories in that new v6.1 feature?
for me, Wireshark shows that client connects to api-ssl port, sends SSLv2 Hello, and server ACKs that packet and then keeps silence - no data from it at all
any comments, MT Support?..
RouterOS API over TLS
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
if you have no certificates set for api-ssl (what is default)
you can use TLSv1 client method with enabled ADH cipher.
something like this using OpenSSL:
if you are on linux you can use sslscan tool to get what this api-ssl in your current configuration state supports.
you can use TLSv1 client method with enabled ADH cipher.
something like this using OpenSSL:
cpp code
SSL_CTX * ctx; SSL * ssl; ctx = SSL_CTX_new(TLSv1_client_method()); SSL_CTX_set_cipher_list(ctx, "ADH AES256 SHA "); ssl = SSL_new(ctx); bio = BIO_new_socket(sock, BIO_NOCLOSE); SSL_set_bio(ssl, bio, bio); SSL_connect(ssl);then you can use SSL_read/SSL_write to do your bidding. Just check if you have blocking or non-blocking socket (in example code variable "sock" that is initialized previously as TCP/IP socket fd)
if you are on linux you can use sslscan tool to get what this api-ssl in your current configuration state supports.
Re: RouterOS API over TLS
the problem is... sslscan says nothing 
(I'm using port 443 for api-ssl so that Wireshark decode SSL data; www-ssl is disabled at that moment)
and here it hangs too - waits for the server's answer. I generated and selected a certificate - nothing changed, it just hangs
here's the sniff attached (I don't know why RouterOS Packet Sniffer duplicated all packets )
p.s. with the same code of mine I can receive the response from www-ssl, and only the silence from api-ssl
(I'm using port 443 for api-ssl so that Wireshark decode SSL data; www-ssl is disabled at that moment)
Code: Select all
# sslscan 192.168.200.48:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server 192.168.200.48 on port 443
Supported Server Cipher(s):
here's the sniff attached (I don't know why RouterOS Packet Sniffer duplicated all packets
)p.s. with the same code of mine I can receive the response from www-ssl, and only the silence from api-ssl
You do not have the required permissions to view the files attached to this post.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
most probably you have to try newer build, like one form today morning.
with cert set:
without cert set:
On the other hand, if you are not sending anything when SSL/TLS session is established, you are not going to have any reply. You have to adhere to API to send in commands as it expects to receive len +"/login" to initiate login sequence as there is nothing different between api and api-ssl but SSL/TLS handshake and encrypted data over communication channel.
Tip: start with simple mode without cert using ADH
with cert set:
Code: Select all
$ sslscan 192.168.88.1:8729 |grep Accepted
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 56 bits DES-CBC-SHACode: Select all
$ sslscan 192.168.88.1:8729 |grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHATip: start with simple mode without cert using ADH
Re: RouterOS API over TLS
here's what I have on build from May/30/2013 09:54:26
with cert:
and without cert:
and here it hangs...
with cert:
Code: Select all
[root@info ~]# sslscan 192.168.200.48:8729
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server 192.168.200.48 on port 8729
Supported Server Cipher(s):
Failed SSLv2 168 bits DES-CBC3-MD5
Failed SSLv2 128 bits IDEA-CBC-MD5
Failed SSLv2 128 bits RC2-CBC-MD5
Failed SSLv2 128 bits RC4-MD5
Failed SSLv2 56 bits DES-CBC-MD5
Failed SSLv2 40 bits EXP-RC2-CBC-MD5
Failed SSLv2 40 bits EXP-RC4-MD5
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Failed SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits KRB5-DES-CBC3-SHA
Failed SSLv3 168 bits KRB5-DES-CBC3-MD5
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-SEED-SHA
Failed SSLv3 128 bits DHE-DSS-SEED-SHA
Failed SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Failed SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits ADH-SEED-SHA
Failed SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 128 bits SEED-SHA
Failed SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Failed SSLv3 128 bits KRB5-IDEA-CBC-SHA
Failed SSLv3 128 bits KRB5-IDEA-CBC-MD5
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Failed SSLv3 128 bits KRB5-RC4-SHA
Failed SSLv3 128 bits KRB5-RC4-MD5
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 56 bits KRB5-DES-CBC-SHA
Failed SSLv3 56 bits KRB5-DES-CBC-MD5
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-SHA
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-SHA
Failed SSLv3 40 bits EXP-KRB5-RC2-CBC-MD5
Failed SSLv3 40 bits EXP-KRB5-DES-CBC-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 40 bits EXP-KRB5-RC4-SHA
Failed SSLv3 40 bits EXP-KRB5-RC4-MD5
Failed SSLv3 0 bits NULL-SHA256
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Failed TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Failed TLSv1 256 bits AES256-SHA
Failed TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits KRB5-DES-CBC3-SHA
Failed TLSv1 168 bits KRB5-DES-CBC3-MD5
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-SEED-SHA
Failed TLSv1 128 bits DHE-DSS-SEED-SHA
Failed TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Failed TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits ADH-SEED-SHA
Failed TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Failed TLSv1 128 bits AES128-SHA
Failed TLSv1 128 bits SEED-SHA
Failed TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Failed TLSv1 128 bits KRB5-IDEA-CBC-SHA
Failed TLSv1 128 bits KRB5-IDEA-CBC-MD5
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Failed TLSv1 128 bits KRB5-RC4-SHA
Failed TLSv1 128 bits KRB5-RC4-MD5
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 56 bits KRB5-DES-CBC-SHA
Failed TLSv1 56 bits KRB5-DES-CBC-MD5
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-SHA
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-SHA
Failed TLSv1 40 bits EXP-KRB5-RC2-CBC-MD5
Failed TLSv1 40 bits EXP-KRB5-DES-CBC-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 40 bits EXP-KRB5-RC4-SHA
Failed TLSv1 40 bits EXP-KRB5-RC4-MD5
Failed TLSv1 0 bits NULL-SHA256
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
[root@info ~]#
Code: Select all
[root@info ~]# sslscan 192.168.200.48:8729
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server 192.168.200.48 on port 8729
Supported Server Cipher(s):
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
fresh RB951-2n shows the same hanging on the latest version
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
do not have that router at hand, however i have tried it against following routers:
RB2011
RB800
RB433
RB433AH
RB333
various CCR
RB1100AH
will check rb951-2n later.
with and without certificates. It is more than weird that this test tool failing everything, as half is failed and other part is rejected, here is full sample testing:
RB2011
RB800
RB433
RB433AH
RB333
various CCR
RB1100AH
will check rb951-2n later.
with and without certificates. It is more than weird that this test tool failing everything, as half is failed and other part is rejected, here is full sample testing:
Code: Select all
$ sslscan 192.168.88.1:8729
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
Testing SSL server 192.168.88.1 on port 8729
Supported Server Cipher(s):
Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Rejected SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA
Rejected SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected SSLv3 256 bits AECDH-AES256-SHA
Rejected SSLv3 256 bits SRP-AES-256-CBC-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits SRP-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Rejected SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA
Rejected SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected SSLv3 128 bits AECDH-AES128-SHA
Rejected SSLv3 128 bits SRP-AES-128-CBC-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Rejected SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Failed SSLv3 0 bits NULL-SHA256
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Rejected TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA
Rejected TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected TLSv1 256 bits AECDH-AES256-SHA
Rejected TLSv1 256 bits SRP-AES-256-CBC-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits SRP-3DES-EDE-CBC-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Rejected TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA
Rejected TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected TLSv1 128 bits AECDH-AES128-SHA
Rejected TLSv1 128 bits SRP-AES-128-CBC-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Rejected TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Failed TLSv1 0 bits NULL-SHA256
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
TLSv1 256 bits ADH-AES256-SHA
SSL Certificate:Re: RouterOS API over TLS
guys, does somebody else can check that?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
tried router you named, same result.
if you can make this accessible over the network, i could try to connect to it or any other router.
edit:
it was updated from 5.25 to the current version, if that gives any clues.
Code: Select all
admin@MikroTik] > sy routerboard print
routerboard: yes
model: 951-2n
serial-number: DDDDDDDDDDDD
current-firmware: 3.02
upgrade-firmware: 3.08Code: Select all
[admin@MikroTik] > sy resource print
uptime: 2m52s
version: 6.1rc1
build-time: May/30/2013 09:54:26
free-memory: 9.9MiB
total-memory: 32.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 350MHz
cpu-load: 1%
free-hdd-space: 108.6MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 1092
write-sect-total: 115888
bad-blocks: 0.1%
architecture-name: mipsbe
board-name: RB951-2n
platform: MikroTik
Code: Select all
$ sslscan 192.168.88.1:443 |grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHAedit:
it was updated from 5.25 to the current version, if that gives any clues.
Re: RouterOS API over TLS
yep, it would be niceif you can make this accessible over the network, i could try to connect to it or any other router.
I sent all info to support@ at 13:00 GMT, still didn't receive a reply, hope you will find it (search for 'janisk' in title )UPD: Ticket 2013060466000665
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
Support connected to your router, and it works fine. Is that correct, Chupaka?
No answer to your question? How to write posts
Re: RouterOS API over TLS
this definitely should work on api-ssl socket:
and over this you can run simple RouterOS API protocol communication as could have been done via unencrypted connection.
Code: Select all
openssl s_client -host 192.168.88.1 -port 8729 -cipher ADH-AES256-SHARe: RouterOS API over TLS
that's making me crazy...
why all those API logins were from ipv6 addresses? that router does not have ipv6 connectivity...
also, http://www.ssltest.net/ says "The server 93.xxx.yy.z55 is responding, but does not return any SSL certificates. (sc0)"
why all those API logins were from ipv6 addresses? that router does not have ipv6 connectivity...
Code: Select all
10:21:09 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:21:09 system,info address added by admin
10:21:09 system,info address removed by admin
10:21:09 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:22:59 system,info filter rule added by admin
10:23:13 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
10:23:13 system,info address added by admin
10:23:13 system,info address removed by admin
10:23:13 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:e85b:1308 via apiRussian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
could you open API access for demo2.mt.lv?.. currently it's blocked by firewall
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
we will check what happens to IP addresses when logged into the router as they appear to be wrong in the logs.
API-SSL for now is open on demo routers. But that can change anytime.
API-SSL for now is open on demo routers. But that can change anytime.
Re: RouterOS API over TLS
okay
Janis, thanks for your examples, I managed to establish TLS connection from my app, the details I'll write later to support@ - it hangs with some (including default ones in Ararat Synapse library) settings, it should not be that way =)
Janis, thanks for your examples, I managed to establish TLS connection from my app, the details I'll write later to support@ - it hangs with some (including default ones in Ararat Synapse library) settings, it should not be that way =)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
it looks like that library can easily interface with OpenSSL. If that is the case, you should not get any problems working with API-SSL interface with either blocking or non-blocking sockets.
C++ compiled binary I used to check your router used non-blocking sockets and that added some complexity to check SSL states when communicating.
C++ compiled binary I used to check your router used non-blocking sockets and that added some complexity to check SSL states when communicating.
Re: RouterOS API over TLS
I'm was having the reported trouble with sslscan when testing against a RB750G running 6.1. sslcan was hanging.
I found that passing the --tls1 parameter (i.e. not scanning ssl2 and ssl3) the scan works:
So when troubleshooting, use --tls1.
I found that passing the --tls1 parameter (i.e. not scanning ssl2 and ssl3) the scan works:
Code: Select all
bash-3.2# sslscan --tls1 10.0.1.3:8729 | grep Accepted
Accepted TLSv1 256 bits ADH-AES256-SHA
Accepted TLSv1 256 bits ADH-CAMELLIA256-SHA
Accepted TLSv1 168 bits ADH-DES-CBC3-SHA
Accepted TLSv1 128 bits ADH-AES128-SHA
Accepted TLSv1 128 bits ADH-SEED-SHA
Accepted TLSv1 128 bits ADH-CAMELLIA128-SHA
Accepted TLSv1 128 bits ADH-RC4-MD5
Accepted TLSv1 56 bits ADH-DES-CBC-SHA
Gideon le Grange
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
Re: RouterOS API over TLS
Yep, that's what I wrote to support. As I can see, they won't fix that
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
For every complex problem, there is a solution that is simple, neat, and wrong.
MikroTik. Your life. Your routing.
Re: RouterOS API over TLS
I spoke too soon. Using -tls1 does't cause the scan to work in all cases. I intermittently have the same problem with a RB750 and Groove, both running 6.1.
Gideon le Grange
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
Re: RouterOS API over TLS
sslscan was mentioned as a tool to get hang of TLS as such in use with RouterOS API.
If you have working tool, you can check that if even sslscan fails miserably, you still can connect fine to RouterOS API-SSL service and log-in.
If you have working tool, you can check that if even sslscan fails miserably, you still can connect fine to RouterOS API-SSL service and log-in.
Re: RouterOS API over TLS
I had been struggling with getting API over SSL connection to work and this post was one of the top links in google. Since I managed to get it to work I thought I'd share some help for others and recommend some updates to the manual page (https://wiki.mikrotik.com/wiki/Manual:API-SSL):
- Explicitly state that newer versions of OpenSSL like 1.1.x will NOT work. Needs to be 1.0.x (I used 1.0.2t successfully)
- Should probably mention to discourage use of TLSv1 as TLS 1.2 is now strongly encouraged
- Include example (C) project: https://github.com/octo/librouteros/tree/api-ssl
Who is online
Users browsing this forum: Bing [Bot] and 197 guests