
SSLv3 and Embedded Devices


Since the revelations about how weak SSLv3 is there has been a rush to move away from it, and a dash by website operators to reconfigure their servers for TLS. Even while this was going on most browsers still supported SSLv3 and, depending on the browser, displayed various cryptic messages before proceeding. However, as of Safari 9.0, Chrome 45 and Firefox 40 or thereabouts, SSLv3 has been disabled permanently with no apparent way to enable it.

Let's look at what the following browsers give back to the end user when trying to open a page that is only served over SSLv3:

  • Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • Firefox: "...because it uses SSLv3, a broken security protocol"
  • Safari: "...because Safari can't establish a secure connection to the server"

For everything else there's MasterCard. 

Anyway, back to the issue in hand: why would you want to enable it anyway? It's weak and broken, right? Well, kinda. It is weak and it is broken, but SSL isn't just used by websites. It's been embedded into just about every router, switch, access point, concentrator, IP phone and other embedded device out there, many of which rely on SSL for their configuration pages.

Some devices (e.g. Siemens IP phones) won't talk to you unless it's via SSL. Yes, many manufacturers have released firmware updates that fix this, but (a) how do you get the update onto the device if you can no longer talk to it, and (b) some manufacturers (you know who you are) like to charge customers for firmware and refuse to support 'obsolete' equipment.

So what can you do? Well, forget Safari, Chrome and Firefox and, rather surprisingly, turn to Microsoft Internet Explorer. I know, Internet Explorer. In IE 11 (and probably earlier versions) go into Settings, then Internet Options, then the Advanced tab, and scroll down to the Security section: there is a "Use SSL 3.0" checkbox you can tick and untick, which is just what you need for talking to your hardware.

If that still gives you an error, go into Settings, then Internet Options, then Security, click on Trusted sites (the green tick), then click the Sites button. Another dialog window will open with the URL of your device already filled in (if not, add it), click Add, then Close, then OK, and try again. This time it will work even if it still complains about it. Switch SSLv3 off again when you're done: the setting is global, so while the box is ticked IE is willing to fall back to SSLv3 with any site, not just your device, and unticking it is just as easy. So top marks to Microsoft for thinking that perhaps someone somewhere might have an embedded device that still only speaks SSLv3.

(If anyone finds a way to turn on SSLv3 in Safari, Chrome or Firefox then let me know and I'll add it to the article.)

So far the list of devices I've encountered (which is by no means exhaustive), either directly or through support requests logged on our system, that still only speak SSLv3 is:

  • Draytek routers, access points and switches (updates freely available)
  • Cisco routers and various other hardware (updates either not available or require a support contract)
  • Juniper switches, accelerators and security appliances (updates either not available or require some form of support contract)
  • Linksys routers, switches and IP telephony (updates available for some but not for most)
  • Some older Bluecoat hardware (updates not available; jump through hoops to try and get access to support, then find it's obsolete and there is no support)
  • Siemens OpenStage phones (updates not available online; have to get them from the distributor, a pain)
  • Aastra DECT solutions (updates hard to find online, unintelligible versioning and hard work to update)

(In fact a lot of phones, including Grandstream and Aastra (now Mitel), have SSLv3 issues.)

So in summary: when you think your device is down or isn't talking to you and you're getting one of the errors above, it's fine, it's just your browser being an arse. Use IE, update the firmware if you can and carry on with your life :)
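Before blaming the device (or the browser), it helps to confirm what the box on the other end actually speaks. The following is an added example, not code from the original post: a small Python probe that sends a hand-built SSLv3 ClientHello and a TLS ClientHello to a host on separate connections and reports which one gets a ServerHello back. Python's own ssl module will not negotiate SSLv3 any more, which is why the handshake record is assembled by hand. The host address, port and the two sample server replies in it are constructed for illustration; only the wire formats are real.

```python
"""Probe a host: does it answer an SSLv3 hello, a TLS hello, or neither?

Added example for this article, not code from the original post.  The
ClientHello is built from the SSL/TLS record layout by hand because the
ssl module no longer speaks SSLv3.  Sample replies below are constructed.
"""
import os
import socket
import struct

SSL3 = (3, 0)    # SSLv3
TLS10 = (3, 1)   # TLS 1.0
TLS12 = (3, 3)   # TLS 1.2

# RSA key-exchange suites an old embedded stack is likely to accept
# (IANA values: RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA).
CIPHERS = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]


def build_client_hello(hello_version, record_version=None):
    """Return one record carrying a minimal ClientHello for hello_version."""
    record_version = record_version or hello_version
    body = struct.pack("!BB", *hello_version)
    body += os.urandom(32)                                # client random
    body += b"\x00"                                       # empty session id
    body += struct.pack("!H", 2 * len(CIPHERS))
    body += b"".join(struct.pack("!H", c) for c in CIPHERS)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return (b"\x16" + struct.pack("!BB", *record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_reply(data):
    """Classify the first record a server sent back."""
    if len(data) < 5:
        return {"result": "no-reply"}
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == 0x15 and len(data) >= 7:                  # alert record
        return {"result": "alert", "version": (major, minor),
                "level": data[5], "description": data[6]}
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        # offsets: 5 type, 6-8 length, 9-10 version, 11-42 random, 43 sid_len
        cipher = None
        if len(data) >= 44:
            off = 44 + data[43]
            if len(data) >= off + 2:
                cipher = struct.unpack("!H", data[off:off + 2])[0]
        return {"result": "server-hello", "version": (data[9], data[10]), "cipher": cipher}
    return {"result": "unexpected", "record_type": ctype, "version": (major, minor)}


def diagnose(results):
    """Reduce the two probe outcomes to one verdict.

    A TLS-capable server answers the TLS hello with a version above 3.0.
    An SSLv3-only server either answers the SSLv3 hello, or answers the
    TLS hello by offering 3.0 (a legal downgrade); both count as SSLv3.
    """
    tls, s3 = results["tls"], results["sslv3"]
    if tls["result"] == "server-hello" and tls["version"] > SSL3:
        return "tls"
    if (tls["result"] == "server-hello" and tls["version"] == SSL3) or \
            (s3["result"] == "server-hello" and s3["version"] == SSL3):
        return "sslv3-only"
    return "no-handshake"


def probe(host, port=443, timeout=5.0):
    """Send an SSLv3 hello and a TLS 1.2 hello on fresh connections."""
    probes = {
        "sslv3": build_client_hello(SSL3),
        # A 3.3 hello inside a 3.1 record is what browsers send; some old
        # stacks drop records whose header already says 3.3.
        "tls": build_client_hello(TLS12, record_version=TLS10),
    }
    results = {}
    for name, hello in probes.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                results[name] = parse_reply(sock.recv(4096))
        except OSError as exc:                            # refused, reset, timed out
            results[name] = {"result": "error", "error": str(exc)}
    return results


# Constructed sample replies (not captured from any real device).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"           # record: handshake, version 3.0, 42 bytes
    + b"\x02\x00\x00\x26"             # ServerHello, 38-byte body
    + b"\x03\x00" + b"\x11" * 32      # version 3.0, server random
    + b"\x00"                         # empty session id
    + b"\x00\x35"                     # TLS_RSA_WITH_AES_256_CBC_SHA
    + b"\x00"                         # null compression
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal protocol_version (70)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                 # python probe.py 192.0.2.10 [port]
        res = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:                                                 # offline demo on the samples
        res = {"sslv3": parse_reply(SAMPLE_SSLV3_SERVER_HELLO),
               "tls": parse_reply(SAMPLE_TLS_ALERT)}
    print(res)
    print("verdict:", diagnose(res))
```

Run it as `python probe.py 192.0.2.10` (the address is a placeholder; use your device's management address and port). A verdict of sslv3-only means the box is alive and it is the browser refusing the handshake, exactly the situation described above; tls means the browser error has some other cause; no-handshake means nothing on that port spoke SSL or TLS at all, so the device really may be down or listening elsewhere. With no arguments it runs the two constructed sample replies through the parser so you can see the output shape offline.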

E&OE. 


Comments 1

Guest - Rich on Thursday, 01 October 2015 18:05

How about an embedded serial server? Yup, same gotcha! No firmware update, no way to fix it, but no real risk leaving it as it's LAN only.
