 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

RouterOS API over TLS

Tue May 28, 2013 6:44 pm

any success stories with that new v6.1 feature?

for me, Wireshark shows that the client connects to the api-ssl port, sends an SSLv2 Hello, and the server ACKs that packet and then keeps silent - no data from it at all

any comments, MT Support?..
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Wed May 29, 2013 3:16 pm

if you have no certificates set for api-ssl (which is the default)

you can use the TLSv1 client method with the ADH cipher enabled.

something like this, using OpenSSL:

cpp code:

#include <openssl/ssl.h>
#include <openssl/bio.h>

SSL_CTX * ctx;
SSL * ssl;
BIO * bio;                          /* "sock" is a connected TCP socket fd created earlier */
SSL_library_init();
ctx = SSL_CTX_new(TLSv1_client_method());
SSL_CTX_set_cipher_list(ctx, "ADH AES256 SHA ");   /* anonymous DH: no server certificate needed */
ssl = SSL_new(ctx);
bio = BIO_new_socket(sock, BIO_NOCLOSE);
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);
then you can use SSL_read/SSL_write to do your bidding. Just check whether you have a blocking or non-blocking socket (in the example code the variable "sock" is initialized previously as a TCP/IP socket fd)

if you are on Linux you can use the sslscan tool to see what api-ssl supports in your current configuration state.
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Wed May 29, 2013 4:19 pm

the problem is... sslscan says nothing :)

(I'm using port 443 for api-ssl so that Wireshark decodes the SSL data; www-ssl is disabled at that moment)
# sslscan 192.168.200.48:443
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server 192.168.200.48 on port 443

  Supported Server Cipher(s):

and here it hangs too - it waits for the server's answer. I generated and selected a certificate - nothing changed, it just hangs

here's the sniff attached (I don't know why the RouterOS Packet Sniffer duplicated all packets :) )

p.s. with the same code of mine I can receive a response from www-ssl, and only silence from api-ssl
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Thu May 30, 2013 11:15 am

most probably you have to try a newer build, like the one from this morning.

with cert set:
$ sslscan 192.168.88.1:8729 |grep Accepted
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA
without cert set:
$ sslscan 192.168.88.1:8729 |grep Accepted
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-SEED-SHA
    Accepted  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
On the other hand, if you are not sending anything once the SSL/TLS session is established, you are not going to get any reply. You have to adhere to the API: it expects to receive len + "/login" to initiate the login sequence, as there is nothing different between api and api-ssl except the SSL/TLS handshake and encrypted data over the communication channel.

Tip: start with the simple mode without a cert, using ADH
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Mon Jun 03, 2013 3:35 pm

here's what I have on the build from May/30/2013 09:54:26

with cert:
[root@info ~]# sslscan 192.168.200.48:8729
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server 192.168.200.48 on port 8729

  Supported Server Cipher(s):
    Failed    SSLv2  168 bits  DES-CBC3-MD5
    Failed    SSLv2  128 bits  IDEA-CBC-MD5
    Failed    SSLv2  128 bits  RC2-CBC-MD5
    Failed    SSLv2  128 bits  RC4-MD5
    Failed    SSLv2  56 bits   DES-CBC-MD5
    Failed    SSLv2  40 bits   EXP-RC2-CBC-MD5
    Failed    SSLv2  40 bits   EXP-RC4-MD5
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
    Failed    SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Failed    SSLv3  256 bits  ADH-AES256-SHA
    Failed    SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  AES256-GCM-SHA384
    Failed    SSLv3  256 bits  AES256-SHA256
    Failed    SSLv3  256 bits  AES256-SHA
    Failed    SSLv3  256 bits  CAMELLIA256-SHA
    Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
    Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
    Failed    SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    SSLv3  168 bits  KRB5-DES-CBC3-SHA
    Failed    SSLv3  168 bits  KRB5-DES-CBC3-MD5
    Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
    Failed    SSLv3  128 bits  DHE-RSA-SEED-SHA
    Failed    SSLv3  128 bits  DHE-DSS-SEED-SHA
    Failed    SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
    Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ADH-AES128-SHA256
    Failed    SSLv3  128 bits  ADH-AES128-SHA
    Failed    SSLv3  128 bits  ADH-SEED-SHA
    Failed    SSLv3  128 bits  ADH-CAMELLIA128-SHA
    Failed    SSLv3  128 bits  AES128-GCM-SHA256
    Failed    SSLv3  128 bits  AES128-SHA256
    Failed    SSLv3  128 bits  AES128-SHA
    Failed    SSLv3  128 bits  SEED-SHA
    Failed    SSLv3  128 bits  CAMELLIA128-SHA
    Failed    SSLv3  128 bits  IDEA-CBC-SHA
    Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
    Failed    SSLv3  128 bits  KRB5-IDEA-CBC-SHA
    Failed    SSLv3  128 bits  KRB5-IDEA-CBC-MD5
    Failed    SSLv3  128 bits  ADH-RC4-MD5
    Failed    SSLv3  128 bits  RC4-SHA
    Failed    SSLv3  128 bits  RC4-MD5
    Failed    SSLv3  128 bits  PSK-RC4-SHA
    Failed    SSLv3  128 bits  KRB5-RC4-SHA
    Failed    SSLv3  128 bits  KRB5-RC4-MD5
    Failed    SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  56 bits   ADH-DES-CBC-SHA
    Failed    SSLv3  56 bits   DES-CBC-SHA
    Failed    SSLv3  56 bits   KRB5-DES-CBC-SHA
    Failed    SSLv3  56 bits   KRB5-DES-CBC-MD5
    Failed    SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-RC2-CBC-MD5
    Failed    SSLv3  40 bits   EXP-KRB5-RC2-CBC-SHA
    Failed    SSLv3  40 bits   EXP-KRB5-DES-CBC-SHA
    Failed    SSLv3  40 bits   EXP-KRB5-RC2-CBC-MD5
    Failed    SSLv3  40 bits   EXP-KRB5-DES-CBC-MD5
    Failed    SSLv3  40 bits   EXP-ADH-RC4-MD5
    Failed    SSLv3  40 bits   EXP-RC4-MD5
    Failed    SSLv3  40 bits   EXP-KRB5-RC4-SHA
    Failed    SSLv3  40 bits   EXP-KRB5-RC4-MD5
    Failed    SSLv3  0 bits    NULL-SHA256
    Failed    SSLv3  0 bits    NULL-SHA
    Failed    SSLv3  0 bits    NULL-MD5
    Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
    Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
    Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA
    Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA
    Failed    TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Failed    TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
    Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ADH-AES256-SHA256
    Failed    TLSv1  256 bits  ADH-AES256-SHA
    Failed    TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Failed    TLSv1  256 bits  AES256-GCM-SHA384
    Failed    TLSv1  256 bits  AES256-SHA256
    Failed    TLSv1  256 bits  AES256-SHA
    Failed    TLSv1  256 bits  CAMELLIA256-SHA
    Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
    Failed    TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    TLSv1  168 bits  ADH-DES-CBC3-SHA
    Failed    TLSv1  168 bits  DES-CBC3-SHA
    Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    TLSv1  168 bits  KRB5-DES-CBC3-SHA
    Failed    TLSv1  168 bits  KRB5-DES-CBC3-MD5
    Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA
    Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA
    Failed    TLSv1  128 bits  DHE-RSA-SEED-SHA
    Failed    TLSv1  128 bits  DHE-DSS-SEED-SHA
    Failed    TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Failed    TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
    Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ADH-AES128-SHA256
    Failed    TLSv1  128 bits  ADH-AES128-SHA
    Failed    TLSv1  128 bits  ADH-SEED-SHA
    Failed    TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Failed    TLSv1  128 bits  AES128-GCM-SHA256
    Failed    TLSv1  128 bits  AES128-SHA256
    Failed    TLSv1  128 bits  AES128-SHA
    Failed    TLSv1  128 bits  SEED-SHA
    Failed    TLSv1  128 bits  CAMELLIA128-SHA
    Failed    TLSv1  128 bits  IDEA-CBC-SHA
    Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
    Failed    TLSv1  128 bits  KRB5-IDEA-CBC-SHA
    Failed    TLSv1  128 bits  KRB5-IDEA-CBC-MD5
    Failed    TLSv1  128 bits  ADH-RC4-MD5
    Failed    TLSv1  128 bits  RC4-SHA
    Failed    TLSv1  128 bits  RC4-MD5
    Failed    TLSv1  128 bits  PSK-RC4-SHA
    Failed    TLSv1  128 bits  KRB5-RC4-SHA
    Failed    TLSv1  128 bits  KRB5-RC4-MD5
    Failed    TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Failed    TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Failed    TLSv1  56 bits   ADH-DES-CBC-SHA
    Failed    TLSv1  56 bits   DES-CBC-SHA
    Failed    TLSv1  56 bits   KRB5-DES-CBC-SHA
    Failed    TLSv1  56 bits   KRB5-DES-CBC-MD5
    Failed    TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Failed    TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Failed    TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Failed    TLSv1  40 bits   EXP-DES-CBC-SHA
    Failed    TLSv1  40 bits   EXP-RC2-CBC-MD5
    Failed    TLSv1  40 bits   EXP-KRB5-RC2-CBC-SHA
    Failed    TLSv1  40 bits   EXP-KRB5-DES-CBC-SHA
    Failed    TLSv1  40 bits   EXP-KRB5-RC2-CBC-MD5
    Failed    TLSv1  40 bits   EXP-KRB5-DES-CBC-MD5
    Failed    TLSv1  40 bits   EXP-ADH-RC4-MD5
    Failed    TLSv1  40 bits   EXP-RC4-MD5
    Failed    TLSv1  40 bits   EXP-KRB5-RC4-SHA
    Failed    TLSv1  40 bits   EXP-KRB5-RC4-MD5
    Failed    TLSv1  0 bits    NULL-SHA256
    Failed    TLSv1  0 bits    NULL-SHA
    Failed    TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
[root@info ~]#
and without cert:
[root@info ~]# sslscan 192.168.200.48:8729
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server 192.168.200.48 on port 8729

  Supported Server Cipher(s):
and here it hangs...
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Mon Jun 03, 2013 3:45 pm

a fresh RB951-2n shows the same hang on the latest version
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Mon Jun 03, 2013 4:28 pm

I do not have that router at hand, however I have tried it against the following routers:

RB2011
RB800
RB433
RB433AH
RB333
various CCR
RB1100AH

will check the RB951-2n later.

with and without certificates. It is more than weird that this test tool is failing everything, as half are failed and the other part is rejected; here is a full sample test:

$ sslscan 192.168.88.1:8729
                   _
           ___ ___| |___  ___ __ _ _ __                   
          / __/ __| / __|/ __/ _` | '_ \                
          \__ \__ \ \__ \ (_| (_| | | | |                
          |___/___/_|___/\___\__,_|_| |_|          

                  Version 1.8.2                                                                                                  
             http://www.titania.co.uk                                                                                            
        Copyright Ian Ventura-Whiting 2009                                                                                       

Testing SSL server 192.168.88.1 on port 8729

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  AECDH-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
    Failed    SSLv3  256 bits  AES256-GCM-SHA384
    Failed    SSLv3  256 bits  AES256-SHA256
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  256 bits  CAMELLIA256-SHA
    Failed    SSLv3  256 bits  PSK-AES256-CBC-SHA
    Rejected  SSLv3  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  AECDH-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  SRP-3DES-EDE-CBC-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  ECDH-ECDSA-DES-CBC3-SHA
    Rejected  SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    SSLv3  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDHE-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  SSLv3  128 bits  SRP-DSS-AES-128-CBC-SHA
    Rejected  SSLv3  128 bits  SRP-RSA-AES-128-CBC-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA256
    Rejected  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-SEED-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-SEED-SHA
    Rejected  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-CAMELLIA128-SHA
    Rejected  SSLv3  128 bits  AECDH-AES128-SHA
    Rejected  SSLv3  128 bits  SRP-AES-128-CBC-SHA
    Failed    SSLv3  128 bits  ADH-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ADH-AES128-SHA256
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Rejected  SSLv3  128 bits  ADH-SEED-SHA
    Rejected  SSLv3  128 bits  ADH-CAMELLIA128-SHA
    Failed    SSLv3  128 bits  ECDH-RSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
    Failed    SSLv3  128 bits  ECDH-RSA-AES128-SHA256
    Failed    SSLv3  128 bits  ECDH-ECDSA-AES128-SHA256
    Rejected  SSLv3  128 bits  ECDH-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  ECDH-ECDSA-AES128-SHA
    Failed    SSLv3  128 bits  AES128-GCM-SHA256
    Failed    SSLv3  128 bits  AES128-SHA256
    Rejected  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  128 bits  SEED-SHA
    Rejected  SSLv3  128 bits  CAMELLIA128-SHA
    Failed    SSLv3  128 bits  PSK-AES128-CBC-SHA
    Rejected  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
    Rejected  SSLv3  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  SSLv3  128 bits  AECDH-RC4-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  128 bits  ECDH-RSA-RC4-SHA
    Rejected  SSLv3  128 bits  ECDH-ECDSA-RC4-SHA
    Rejected  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Failed    SSLv3  128 bits  PSK-RC4-SHA
    Rejected  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  56 bits   DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    ECDHE-RSA-NULL-SHA
    Rejected  SSLv3  0 bits    ECDHE-ECDSA-NULL-SHA
    Rejected  SSLv3  0 bits    AECDH-NULL-SHA
    Rejected  SSLv3  0 bits    ECDH-RSA-NULL-SHA
    Rejected  SSLv3  0 bits    ECDH-ECDSA-NULL-SHA
    Failed    SSLv3  0 bits    NULL-SHA256
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Failed    TLSv1  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  TLSv1  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  TLSv1  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    TLSv1  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA256
    Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA256
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  TLSv1  256 bits  AECDH-AES256-SHA
    Rejected  TLSv1  256 bits  SRP-AES-256-CBC-SHA
    Failed    TLSv1  256 bits  ADH-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ADH-AES256-SHA256
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Failed    TLSv1  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    TLSv1  256 bits  ECDH-RSA-AES256-SHA384
    Failed    TLSv1  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  TLSv1  256 bits  ECDH-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  ECDH-ECDSA-AES256-SHA
    Failed    TLSv1  256 bits  AES256-GCM-SHA384
    Failed    TLSv1  256 bits  AES256-SHA256
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  256 bits  CAMELLIA256-SHA
    Failed    TLSv1  256 bits  PSK-AES256-CBC-SHA
    Rejected  TLSv1  168 bits  ECDHE-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDHE-ECDSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  SRP-DSS-3DES-EDE-CBC-SHA
    Rejected  TLSv1  168 bits  SRP-RSA-3DES-EDE-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  AECDH-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  SRP-3DES-EDE-CBC-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  ECDH-ECDSA-DES-CBC3-SHA
    Rejected  TLSv1  168 bits  DES-CBC3-SHA
    Failed    TLSv1  168 bits  PSK-3DES-EDE-CBC-SHA
    Failed    TLSv1  128 bits  ECDHE-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDHE-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-AES128-SHA
    Rejected  TLSv1  128 bits  SRP-DSS-AES-128-CBC-SHA
    Rejected  TLSv1  128 bits  SRP-RSA-AES-128-CBC-SHA
    Failed    TLSv1  128 bits  DHE-DSS-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA256
    Rejected  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-SEED-SHA
    Rejected  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-CAMELLIA128-SHA
    Rejected  TLSv1  128 bits  AECDH-AES128-SHA
    Rejected  TLSv1  128 bits  SRP-AES-128-CBC-SHA
    Failed    TLSv1  128 bits  ADH-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ADH-AES128-SHA256
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-SEED-SHA
    Accepted  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Failed    TLSv1  128 bits  ECDH-RSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
    Failed    TLSv1  128 bits  ECDH-RSA-AES128-SHA256
    Failed    TLSv1  128 bits  ECDH-ECDSA-AES128-SHA256
    Rejected  TLSv1  128 bits  ECDH-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  ECDH-ECDSA-AES128-SHA
    Failed    TLSv1  128 bits  AES128-GCM-SHA256
    Failed    TLSv1  128 bits  AES128-SHA256
    Rejected  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  128 bits  SEED-SHA
    Rejected  TLSv1  128 bits  CAMELLIA128-SHA
    Failed    TLSv1  128 bits  PSK-AES128-CBC-SHA
    Rejected  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
    Rejected  TLSv1  128 bits  ECDHE-ECDSA-RC4-SHA
    Rejected  TLSv1  128 bits  AECDH-RC4-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  128 bits  ECDH-RSA-RC4-SHA
    Rejected  TLSv1  128 bits  ECDH-ECDSA-RC4-SHA
    Rejected  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Failed    TLSv1  128 bits  PSK-RC4-SHA
    Rejected  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  56 bits   DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    ECDHE-RSA-NULL-SHA
    Rejected  TLSv1  0 bits    ECDHE-ECDSA-NULL-SHA
    Rejected  TLSv1  0 bits    AECDH-NULL-SHA
    Rejected  TLSv1  0 bits    ECDH-RSA-NULL-SHA
    Rejected  TLSv1  0 bits    ECDH-ECDSA-NULL-SHA
    Failed    TLSv1  0 bits    NULL-SHA256
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  256 bits  ADH-AES256-SHA

  SSL Certificate:
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Mon Jun 03, 2013 5:03 pm

guys, can somebody else check that?
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Tue Jun 04, 2013 11:59 am

tried the router you named, same result.
admin@MikroTik] > sy routerboard print 
       routerboard: yes
             model: 951-2n
     serial-number: DDDDDDDDDDDD
  current-firmware: 3.02
  upgrade-firmware: 3.08
[admin@MikroTik] > sy resource print 
                   uptime: 2m52s
                  version: 6.1rc1
               build-time: May/30/2013 09:54:26
              free-memory: 9.9MiB
             total-memory: 32.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 350MHz
                 cpu-load: 1%
           free-hdd-space: 108.6MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 1092
         write-sect-total: 115888
               bad-blocks: 0.1%
        architecture-name: mipsbe
               board-name: RB951-2n
                 platform: MikroTik
$ sslscan 192.168.88.1:443 |grep Accepted
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-SEED-SHA
    Accepted  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
if you can make this accessible over the network, I could try to connect to it or any other router.

edit:

it was updated from 5.25 to the current version, if that gives any clues.
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Tue Jun 04, 2013 4:08 pm

if you can make this accessible over the network, i could try to connect to it or any other router.
yep, it would be nice :) I sent all the info to support@ at 13:00 GMT, still haven't received a reply, hope you will find it (search for 'janisk' in the title :) )

UPD: Ticket 2013060466000665
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Wed Jun 05, 2013 10:54 am

Support connected to your router, and it works fine. Is that correct, Chupaka?
No answer to your question? How to write posts
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Wed Jun 05, 2013 1:19 pm

this should definitely work on the api-ssl socket:
openssl s_client -host 192.168.88.1 -port 8729 -cipher ADH-AES256-SHA
and over this you can run the simple RouterOS API protocol communication as it could have been done via an unencrypted connection.
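Both points above, that the handshake alone gets no reply until the client sends a length-prefixed "/login", and the openssl s_client -cipher ADH-AES256-SHA connection, combined in one added Python example. This is my code, not janisk's, MikroTik's or any library's. It assumes what the thread describes: a RouterOS 6.1 api-ssl listener with no certificate (so anonymous DH over TLSv1) and the pre-6.43 challenge/response login; the ":@SECLEVEL=0" suffix is an assumption about modern OpenSSL builds, which otherwise refuse anonymous suites. The word-length encoding and sentence framing are the RouterOS API ones, and host, user and password are placeholders.

```python
import hashlib
import io
import socket
import ssl
from binascii import unhexlify

def encode_length(n: int) -> bytes:
    """Variable-length prefix that precedes every word in the RouterOS API."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")

def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words closed by a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"

def read_length(read) -> int:
    """Inverse of encode_length; read(n) must return exactly n bytes."""
    b0 = read(1)[0]
    if b0 < 0x80:
        return b0
    if b0 < 0xC0:
        extra, mask = 1, 0x3F
    elif b0 < 0xE0:
        extra, mask = 2, 0x1F
    elif b0 < 0xF0:
        extra, mask = 3, 0x0F
    else:
        extra, mask = 4, 0x00
    return int.from_bytes(bytes([b0 & mask]) + read(extra), "big")

def read_sentence(read):
    """Read words until the empty terminator; returns them as a list of str."""
    words = []
    while True:
        n = read_length(read)
        if n == 0:
            return words
        words.append(read(n).decode())

def decode_sentences(buf: bytes):
    """Split a captured byte stream (e.g. from a sniff) into sentences."""
    stream = io.BytesIO(buf)
    sentences = []
    while stream.tell() < len(buf):
        sentences.append(read_sentence(stream.read))
    return sentences

def login_response(password: str, challenge_hex: str) -> str:
    """Pre-6.43 login: '00' + md5(0x00 || password || challenge bytes)."""
    digest = hashlib.md5(b"\x00" + password.encode() + unhexlify(challenge_hex))
    return "00" + digest.hexdigest()

def socket_reader(sock):
    """Return a read(n) closure that blocks until exactly n bytes arrived."""
    def read(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("connection closed mid-word")
            data += chunk
        return data
    return read

def connect_api_ssl(host, port=8729, cipher="ADH-AES256-SHA"):
    """TLS client equivalent of: openssl s_client -cipher ADH-AES256-SHA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # anonymous DH: no certificate to verify
    ctx.minimum_version = ssl.TLSVersion.TLSv1    # the router in the thread offers TLSv1 only
    # Assumption: a modern OpenSSL build hides aNULL suites above security level 0.
    ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=10))

def login(sock, user, password) -> bool:
    """The sequence janisk describes: send len+'/login', then answer the challenge."""
    read = socket_reader(sock)
    sock.sendall(encode_sentence(["/login"]))
    reply = read_sentence(read)                   # e.g. ['!done', '=ret=<32 hex chars>']
    challenge = [w[5:] for w in reply if w.startswith("=ret=")]
    if not challenge:
        raise RuntimeError("no challenge in reply: %r" % reply)
    sock.sendall(encode_sentence(["/login", "=name=" + user,
                                  "=response=" + login_response(password, challenge[0])]))
    return read_sentence(read)[0] == "!done"      # '!trap' on a failed login
```

Usage against a router: s = connect_api_ssl("192.168.88.1"); login(s, "admin", "password") (placeholder values). Once the TLS session is up, the anonymous suite gives confidentiality against a passive observer only; anyone on the path can terminate the handshake themselves, so setting a certificate on api-ssl and verifying it in the client is the configuration to move to after this first test succeeds.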
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Wed Jun 05, 2013 2:39 pm

that's driving me crazy...

why were all those API logins from IPv6 addresses? that router does not have IPv6 connectivity...
10:21:09 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api 
10:21:09 system,info address added by admin 
10:21:09 system,info address removed by admin 
10:21:09 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api 
10:22:59 system,info filter rule added by admin 
10:23:13 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api 
10:23:13 system,info address added by admin 
10:23:13 system,info address removed by admin 
10:23:13 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
also, http://www.ssltest.net/ says "The server 93.xxx.yy.z55 is responding, but does not return any SSL certificates. (sc0)"
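An added check, not part of the post, that parses the account lines quoted above and flags API logins whose source address is not what the router should be seeing: an IPv6 source on a box without IPv6 connectivity, or anything outside a management network (192.168.200.0/24 is a constructed value). The thread later attributes these addresses to a logging bug, so the same check surfaces logging defects as well as genuinely unexpected logins; either way it is worth a look.

```python
import ipaddress
import re

# Constructed sample: the RouterOS log lines quoted in the post above.
SAMPLE_LOG = """\
10:21:09 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:21:09 system,info address added by admin
10:21:09 system,info address removed by admin
10:21:09 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:c87a:c08 via api
10:22:59 system,info filter rule added by admin
10:23:13 system,info,account user admin logged in from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
10:23:13 system,info address added by admin
10:23:13 system,info address removed by admin
10:23:13 system,info,account user admin logged out from 1000::b8b4:aa7f:f966:7877:e85b:1308 via api
""".splitlines()

# "<time> system,info,account user <name> logged in|out from <addr> via <service>"
ACCOUNT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) system,info,account user (?P<user>\S+) "
    r"logged (?P<action>in|out) from (?P<src>\S+) via (?P<via>\S+)\s*$"
)

def parse_account_events(lines):
    """Extract login/logout events; configuration-change lines are skipped."""
    events = []
    for line in lines:
        m = ACCOUNT_RE.match(line)
        if m:
            events.append({
                "time": m["time"], "user": m["user"], "action": m["action"],
                "source": ipaddress.ip_address(m["src"]), "via": m["via"],
            })
    return events

def flag_unexpected_logins(events, allowed_networks, ipv6_expected=False):
    """Return (time, user, source, reasons) for logins that break expectations."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for ev in events:
        if ev["action"] != "in":
            continue
        reasons = []
        if ev["source"].version == 6 and not ipv6_expected:
            reasons.append("IPv6 source on a router without IPv6 connectivity")
        # an address of the other family is never "in" an ip_network, so it is flagged too
        if not any(ev["source"] in n for n in nets):
            reasons.append("source outside the allowed management networks")
        if reasons:
            flagged.append((ev["time"], ev["user"], str(ev["source"]), reasons))
    return flagged

def report(lines=SAMPLE_LOG, allowed_networks=("192.168.200.0/24",)):
    """Parse then flag; the allowed network is a constructed placeholder."""
    return flag_unexpected_logins(parse_account_events(lines), allowed_networks)

if __name__ == "__main__":
    for time, user, src, reasons in report():
        print(time, user, src, "; ".join(reasons))
```

On the sample this reports the two "logged in" lines and leaves the logouts and the "address added/removed" lines alone; feeding it the output of /log print on a router with a real management network gives the same check in production.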
 
Chupaka
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: RouterOS API over TLS

Wed Jun 05, 2013 2:58 pm

could you open API access for demo2.mt.lv?.. currently it's blocked by the firewall
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Thu Jun 06, 2013 10:22 am

we will check what happens to IP addresses when logged into the router, as they appear to be wrong in the logs.

API-SSL for now is open on demo routers. But that can change anytime.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: RouterOS API over TLS

Thu Jun 06, 2013 8:30 pm

okay

Janis, thanks for your examples, I managed to establish a TLS connection from my app; the details I'll write later to support@ - it hangs with some settings (including the default ones in the Ararat Synapse library), it should not be that way =)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Fri Jun 07, 2013 4:52 pm

it looks like that library can easily interface with OpenSSL. If that is the case, you should not get any problems working with API-SSL interface with either blocking or non-blocking sockets.

The C++ compiled binary I used to check your router used non-blocking sockets, and that added some complexity to checking SSL states when communicating.
 
legrang
just joined
Posts: 22
Joined: Wed Nov 03, 2010 4:05 pm
Location: South Africa
Contact:

Re: RouterOS API over TLS

Fri Jul 05, 2013 11:54 am

I was having the reported trouble with sslscan when testing against an RB750G running 6.1. sslscan was hanging.

I found that when passing the --tls1 parameter (i.e. not scanning SSLv2 and SSLv3) the scan works:
bash-3.2# sslscan --tls1 10.0.1.3:8729 | grep Accepted
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-SEED-SHA
    Accepted  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
So when troubleshooting, use --tls1.
Gideon le Grange
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
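As an added example (my own, not code from this thread or from MikroTik), here is a small Python checker that parses the sslscan lines quoted above and records why each accepted suite is a problem: every suite is ADH, so without a certificate installed on api-ssl the client has no way to verify it is talking to the router, and several suites use legacy algorithms. It assumes sslscan's "Accepted  PROTO  N bits  SUITE" line format as shown in the post.

```python
import re
from collections import namedtuple

# Constructed sample input: the sslscan --tls1 lines quoted in the post above.
SSLSCAN_OUTPUT = """\
    Accepted  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  ADH-CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  ADH-SEED-SHA
    Accepted  TLSv1  128 bits  ADH-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  ADH-RC4-MD5
    Accepted  TLSv1  56 bits   ADH-DES-CBC-SHA
"""

# One "Accepted" line: protocol, key size in bits, OpenSSL cipher suite name.
LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")
Finding = namedtuple("Finding", "protocol bits cipher issues")

def assess(protocol, bits, cipher):
    """Reasons an accepted suite is unsuitable for an administrative API."""
    issues = []
    if cipher.startswith(("ADH-", "AECDH-")):
        # Anonymous DH: no certificate, so the client cannot verify the router.
        issues.append("anonymous key exchange, server not authenticated")
    if protocol in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        issues.append(f"deprecated protocol {protocol}")
    if bits < 128:
        issues.append(f"key size {bits} bits")
    if "RC4" in cipher:
        issues.append("RC4")
    if "DES-CBC3" in cipher:
        issues.append("3DES")
    elif "DES-" in cipher:
        issues.append("single DES")
    if cipher.endswith("-MD5"):
        issues.append("MD5 MAC")
    return tuple(issues)

def parse_sslscan(text):
    """Parse sslscan 'Accepted' lines into Findings; banner and other lines are skipped."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
        out.append(Finding(proto, bits, cipher, assess(proto, bits, cipher)))
    return out

def server_unauthenticated(findings):
    """True when no accepted suite authenticates the server (no cert on api-ssl)."""
    return bool(findings) and all(any(i.startswith("anonymous") for i in f.issues) for f in findings)
```

When `server_unauthenticated` is true, the fix is on the router side: install a certificate and assign it to the api-ssl service so that non-anonymous suites are offered and clients can verify the endpoint.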
 
User avatar
Chupaka
Forum Guru
Forum Guru
Topic Author
Posts: 8320
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: RouterOS API over TLS

Fri Jul 05, 2013 1:21 pm

Yep, that's what I wrote to support. As I can see, they won't fix that :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
legrang
just joined
Posts: 22
Joined: Wed Nov 03, 2010 4:05 pm
Location: South Africa
Contact:

Re: RouterOS API over TLS

Fri Jul 05, 2013 2:09 pm

I spoke too soon. Using --tls1 doesn't cause the scan to work in all cases. I intermittently have the same problem with an RB750 and a Groove, both running 6.1.
Gideon le Grange
RouterOS Java API: https://github.com/GideonLeGrange/mikrotik-java
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: RouterOS API over TLS

Fri Jul 05, 2013 3:18 pm

sslscan was mentioned as a tool to get the hang of TLS as such in use with the RouterOS API.

If you have a working tool, you can check that even if sslscan fails miserably, you can still connect fine to the RouterOS API-SSL service and log in.
 
sonyisda1
just joined
Posts: 7
Joined: Fri Aug 12, 2011 12:13 am

Re: RouterOS API over TLS

Mon Sep 16, 2019 5:53 pm

I had been struggling with getting the API over SSL connection to work, and this post was one of the top links in Google. Since I managed to get it to work, I thought I'd share some help for others and recommend some updates to the manual page (https://wiki.mikrotik.com/wiki/Manual:API-SSL):
  • Explicitly state that newer versions of OpenSSL like 1.1.x will NOT work. Needs to be 1.0.x (I used 1.0.2t successfully)
  • Should probably mention to discourage use of TLSv1 as TLS 1.2 is now strongly encouraged
  • Include example (C) project: https://github.com/octo/librouteros/tree/api-ssl
