[j-nsp] Issue with support.juniper.net TLS
Chris Adams
cma at cmadams.net
Tue Jan 12 19:54:48 EST 2021
Anybody have a way to contact the support.juniper.net web server admins?
Due to a misconfiguration, it can't be accessed from clients with modern
security requirements. Firefox on Fedora Linux 33 just gives an error
SSL_ERROR_NO_CYPHER_OVERLAP, and OpenSSL's s_client mode just
disconnects.

I _think_ this is due to the server sending too many intermediate
certificates - a couple of them are root certs that are either going to
be in a client's trust store, or just not trusted at all. The issue
with that is the last one of them is signed with RSA+SHA1, and SHA1 is
deprecated. Fedora has already disabled it, and all the browsers are
going to do the same soon.

OpenSSL can't even negotiate a connection, because it won't offer
RSA+SHA1. It looks like some clients/libraries connect, get the cert
chain, and then fail. Some still work, because they stop following the
chain when they get to the root that's in their trust store (but it's
bad form to send more).

I first opened a JTAC case, but was directed to customercare at juniper.net
since it wasn't a device issue, but that just opened a new case and
again someone asked about my device. It's not a problem with my device,
it's a problem with Juniper's.
--
Chris Adams <cma at cmadams.net>
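A way to check a server's certificate chain for the two problems Chris describes (root certificates included in the handshake, and a SHA-1 signature somewhere in the chain), as an added example that is not part of the original post and not anything from Juniper. It is stdlib-only Python: the DER walker reads just the top level of each certificate, the SHA-1 OID table is a hypothetical minimal list, and the sample chain is built from constructed toy certificates (invented names such as `www.example.test` and `Example Root CA`, no real keys or signatures) so that it runs offline. To audit a live server, feed the PEM output of `openssl s_client -showcerts` (the tool the post already mentions) to `load_pem_chain`.

```python
import re
import ssl

# SHA-1 signature OIDs, named as OpenSSL prints them (a hypothetical minimal table).
SHA1_SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def der_read_tlv(buf, pos):
    """Minimal DER walker: read one TLV at buf[pos]; return (tag, content, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed value into (tag, content, raw_tlv) tuples."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, nxt = der_read_tlv(content, pos)
        out.append((tag, inner, content[pos:nxt]))
        pos = nxt
    return out

def oid_decode(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_cert(der):
    """Return the outer signature OID plus the raw issuer and subject Name DER."""
    _, cert, _ = der_read_tlv(der, 0)
    tbs, sig_alg, _sig = der_children(cert)   # Certificate ::= SEQUENCE {tbs, alg, sig}
    sig_oid = oid_decode(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    return {"sig_oid": sig_oid, "issuer": fields[2][2], "subject": fields[4][2]}

def load_pem_chain(pem_text):
    """Turn the PEM blocks that `openssl s_client -showcerts` prints into DER certs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                        pem_text, re.DOTALL)
    return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]

def audit_chain(chain_der):
    """(index, problem) pairs: roots the server should not send, SHA-1 signatures."""
    findings = []
    for i, der in enumerate(chain_der):
        c = parse_cert(der)
        if c["issuer"] == c["subject"]:
            findings.append((i, "self-signed root sent by server"))
        if c["sig_oid"] in SHA1_SIG_ALGS:
            findings.append((i, "signed with " + SHA1_SIG_ALGS[c["sig_oid"]]))
    return findings

# ---- constructed sample: structurally valid toy certs with no real keys or signatures ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def name(cn):   # Name ::= SEQUENCE OF SET OF {commonName OID, UTF8String}
    return der(0x30, der(0x31, der(0x30, oid_encode("2.5.4.3") + der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn, sig_oid):
    alg = der(0x30, oid_encode(sig_oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"210101000000Z") + der(0x17, b"310101000000Z"))
              + name(subject_cn) + der(0x30, b""))         # empty SPKI placeholder
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))  # dummy signature BIT STRING

# Mirrors the post: leaf, intermediate, then a SHA-1-signed self-signed root the server
# should not be sending at all. Names are invented for this example.
SAMPLE_CHAIN_PEM = "".join(ssl.DER_cert_to_PEM_cert(c) for c in [
    fake_cert("www.example.test", "Example Intermediate CA", "1.2.840.113549.1.1.11"),
    fake_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.11"),
    fake_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5"),
])

if __name__ == "__main__":
    for idx, problem in audit_chain(load_pem_chain(SAMPLE_CHAIN_PEM)):
        print(f"cert[{idx}]: {problem}")
```

Self-signed detection compares the raw issuer and subject Name encodings byte for byte rather than decoding them, which is exactly how a root shows up in a chain; the signature algorithm is taken from the outer `signatureAlgorithm` field, which is what a client checks against its policy (Fedora's, in the post) before it ever looks at the signature itself. Running it on the constructed chain reports both findings on the last certificate, the same shape of problem Chris describes.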