HTTPS: Create self-signed certificate with unique serial

Veit
Veit Posts: 21  Freshman Member
First Anniversary 10 Comments Friend Collector
edited August 2022 in Switch
Hi guys,

I have got a bug report/feature request:

When generating a self-signed certificate for HTTPS, the switch always uses its MAC address as serial number, which is not permissible and causes Browsers to reject connecting to the device when a certificate with the same serial is already known.

For example in Firefox, one needs to shut down the browser and delete the file cert8.db in the Firefox profile to make it work again.

This could be resolved generating a serial by appending a random string to the MAC address.

Regards,
// Veit

Comments

  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 94  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Veit,

    Thanks for the information.

    I've made a local test using XGS2210-28HP version 4.50 and Firefox version 59.0.2.
    In the beginning, accessing the switch via Https will pop-out a warning message "Your connection is not secure". But after I added the switch IP in the "Add Exception" list, the switch can be successfully accessed and didn't need to delete the file cert8.db in the Firefox file.

    May I know if you could share your operating system version, Firefox version and procedure how did you encounter the issue? 


    Thanks.


    Jonas
  • Veit
    Veit Posts: 21  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Hi @Zyxel_Jonas,

    thank you for your reply.

    This issue does NOT involve 2 switches, but it happened with several switches (all XGS2210-28 FW 4.50, upgraded from 4.40) for me during my tests and automatic (re)configuration. I could invest time to reproduce the issue, if that really helps, but I'd be glad if you tried it first following the following steps.

    These are the steps to reproduce:

    Prerequisites: Firefox 59.0.2 and a switch XGS2210-28, FW 4.50, let's say its MAC address is 11:22:33:44:55:66.

    1. Boot the switch. On first boot it will generate a new self-signed certificate, I assume.
    2. Access the switch via https using Firefox.
    3. Firefox will ask you to add an exception for the self-signed cert issued for "XGS2210 112233445566".
    3. In Firefox click the Padlock symbol next to the URL bar, then ">" button, then the "More information" button.
    4. A new window will appear, click "View certificate".
    5. A new window will appear, in the first tab you will see that the seriel number of the certificate is the switch's MAC address, so for this hypothetical device "11:22:33:44:55:66".
    6. Perform a factory reset using the reset button -- I assume that other methods will work, too. During this process, the switch will generate a new certificate.
    7. Perform steps 1 and 2 again. You will likely assert that you will not be able to access the switch as another certificate from the same CA with the same serial number is already known to Firefox.
    8. Close Firefox, remove your Firefox profile's cert8.db, start Firefox again.
    9. Perform steps 1 to 5 again. You will find out that the new certificate has the same serial as the one before, which is illegitimate and causes the problem described above.

    I tested and reproduced this issue with the following browsers:
    * Firefox 59.0.2 on Linux
    * Firefox 52.7.3 ESR on Linux x86_64

    Best regards,
    // Veit
  • Zyxel_JonasTan
    Zyxel_JonasTan Posts: 94  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @veit,

    Sorry for my late response.
    I had successfully reproduced the symptoms on my XGS2210-28 using Linux and Windows OS.
    Our internal is already verifying the root cause and will make an update once I've got the result.
    For the meantime, kindly delete the cert8.db or cert9.db file as a workaround.

    Sorry for the inconvenience.

    Thanks.
    Jonas