Closed
Bug 1181515
Opened 9 years ago
Closed 9 years ago
Webmin interface uses a weak key
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: tech, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324
Steps to reproduce:
I'm trying to connect to my own servers on the Webmin interface
Actual results:
I get the error:
Échec de la connexion sécurisée
Une erreur est survenue pendant une connexion à my.server.net:10000. The server certificate included a public key that was too weak. (Code d'erreur : ssl_error_weak_server_cert_key)
Expected results:
I should be able to override the Firefox security either by adding an exception or by deactivating the Firefox security when I know for sure that the server is secure.
The concerned servers are recorded as exceptions in my certificates repository but it is not possible to access them.
The only solution for me is to downgrade to the previous release to be able to work on my servers.
TE bug probably, due to changes in how FF handles security.
Component: Untriaged → Desktop
Product: Firefox → Tech Evangelism
Version: 39 Branch → Firefox 38
Comment 3•9 years ago
Loic,
I do not think it is an Evangelism bug. It is a feature request.
The reporter of the bug is already the owner of the Web site which has the issue. What the bug report is about is having a way for an individual to set an exception in his browser for the domain of his choice.
Flags: needinfo?(epinal99-bugzilla2)
Comment 5•9 years ago
tl;dr:
- If the Webmin defaults don't have a broken DH configuration, mark this bug as a duplicate of Bug 1180526.
- If the defaults are broken, leave this as a TE bug.
Comment 7•9 years ago
(In reply to Cykesiopka from comment #5)
> tl;dr:
> - If the Webmin defaults don't have a broken DH configuration, mark this
> bug as a duplicate of Bug 1180526.
> - If the defaults are broken, leave this as a TE bug.
For the second option, it would be a TE bug for Webmin, not the reporter. I'll clone it in this case. Thanks.
Comment 8•9 years ago
Actually, it's very possible I made a mistake in my initial analysis.
tech:
Could you make sure you're on the latest version of Webmin, regenerate the cert (http://doxfer.webmin.com/Webmin/Securing_Webmin#SSL_Encryption looks like it would work), and see if you can connect again on Firefox 39 or above?
Thanks!
Version: Firefox 38 → Firefox 39
Comment 9•9 years ago
Or see http://forums.mozillazine.org/viewtopic.php?p=14231639&sid=e0e4df63325a8ee3b4a9756b7952cc15#p14231639, which includes screenshots of how to regenerate the cert.
Summary: SSL_ERROR_WEAK_SERVER_CERT_KEY when I try to connect to my own server → SSL_ERROR_WEAK_SERVER_CERT_KEY when connecting to Webmin interface
Reporter
Comment 10•9 years ago
It's ok, I have updated the Webmin certificates of all my servers and now I can connect using Firefox 39.
The only problem is that as I couldn't open Webmin with Firefox in order to make the update, I have used SeaMonkey to be able to access Webmin.
Comment 11•9 years ago
Comment 4, updated for correctness:
1. This is fallout from Bug 1138554. As part of the work there, <1023 bit RSA certs are no longer accepted.
2. The server in question is part of Webmin:
- Modern versions of Webmin appear to default to a 2048 bit cert, so Webmin shouldn't need to change anything.
3. The requirement currently can't be worked around, and isn't necessary for this case anyways.
- See comment 9 and comment 10 - this can be easily fixed.
4. This check can't currently be overridden.
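The check and the fix discussed in comments 8 to 11, as an added example that is not part of the original thread: it reads the RSA key size of a PEM certificate with the `openssl` CLI and regenerates a self-signed certificate when the key is below a minimum. The function names and file paths are hypothetical, the 2048-bit default follows the Webmin default mentioned above, and installing the new certificate into Webmin is not shown.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names and paths are
# hypothetical; intended for RSA certificates only.

# Print the public-key size in bits of the PEM certificate in file $1.
# Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate in $1 has at least $2 bits (default 2048).
cert_key_ok() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# Write a new key ($1) and self-signed certificate ($2) for host $3,
# with an RSA key of $4 bits (default 2048).
regen_selfsigned() {
    openssl req -x509 -newkey "rsa:${4:-2048}" -nodes -sha256 -days 365 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Check a certificate and replace it only if its key is too small.
# usage: fix_weak_cert KEYFILE CERTFILE HOSTNAME
fix_weak_cert() {
    if cert_key_ok "$2"; then
        echo "ok: $(cert_key_bits "$2") bit key"
    else
        echo "weak or unreadable certificate, regenerating"
        regen_selfsigned "$1" "$2" "$3"
    fi
}
```

For example, `fix_weak_cert /path/to/key.pem /path/to/cert.pem my.server.net` leaves a certificate with a 2048-bit or larger key untouched and replaces a smaller one.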
Comment 12•9 years ago
(In reply to tech from comment #10)
> It's ok, I have updated the Webmin certificates of all my servers and now I
> can connect using Firefox 39.
> The only problem is that as I couldn't open Webmin with Firefox in order to
> make the update, I have used SeaMonkey to be able to access Webmin.
Thanks, that's good to know.
Resolving as fixed, since it looks like this has become a TE bug targeted at an individual.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(tech)
Resolution: --- → FIXED
Comment 13•9 years ago
Please, reopen.
The config screen of some Linksys products is inaccessible from Firefox because of this issue.
Comment 14•9 years ago
See also 1180526
Comment 15•9 years ago
We should reach out to Linksys
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
Comment 16•9 years ago
Could someone who has this issue check the properties of the certificate (click the padlock in Firefox's URL bar if you get as far as seeing a padlock at all) and paste some details like issuer and expiration date here?
Status: REOPENED → NEW
Comment 17•9 years ago
Reopening this bug for something non-Webmin related is confusing - let's use (or re-purpose) a more appropriate bug like Bug 1182742 instead. Webmin has been doing the correct thing, and the reporter of this bug has resolved their issue for months now.
Status: NEW → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Comment 18•9 years ago
Oops, sorry. For a moment I thought Linksys was responsible for the Webmin thing.
Thanks for closing it again :-]
Comment 19•9 years ago
This error is not just for Webmin; I'm having this same error when I try to access my servers through ipkvm with a self-signed cert.
Google Chrome is the only way I find to access my servers; Firefox and IE error.
Also, I try to download this cert and manually install it on my PC as a GPO directive, with no success.
I think this is a bug in Firefox security.
Comment 20•9 years ago
This error is present with a HighPoint Web RAID Management - local card in local machine; Firefox will no longer accept the hardware's certificate. Old hardware, true. Still ought to be able to override somehow.
Comment 21•9 years ago
Why is Firefox not allowing users to bypass security warnings? Is Firefox becoming our "nanny" ? There are several devices already mentioned in this ticket which use certificates that Firefox is actively blocking without allowing users to bypass the security warning. The solution is not to reach out to every specific vendor and wait for each of them to provide a fix, the issue is that the Firefox browser is now treating its users like children by not just warning them of security risks (which is acceptable and recommended), but by completely blocking them from accessing the content they're trying to reach, without providing a solution for how they can reach their content outside of telling them to use another browser.
Do you really want us to use another browser?
Do the right thing, and return the ability for users to bypass security warnings.
Comment 22•9 years ago
(In reply to romerom from comment #21)
> Why is Firefox not allowing users to bypass security warnings? Is Firefox
> becoming our "nanny" ? There are several devices already mentioned in this
> ticket which use certificates that Firefox is actively blocking without
> allowing users to bypass the security warning. The solution is not to reach
> out to every specific vendor and wait for each of them to provide a fix, the
> issue is that the Firefox browser is now treating its users like children by
> not just warning them of security risks (which is acceptable and
> recommended), but by completely blocking them from accessing the content
> they're trying to reach, without providing a solution for how they can reach
> their content outside of telling them to use another browser.
>
> Do you really want us to use another browser?
>
> Do the right thing, and return the ability for users to bypass security
> warnings.
I agree completely. There are some internal systems that I admin, and, for one reason or another, an older (more forgiving) version of FF permits me to override its notice about weak security.
The truly sad thing is that Chrome ditched support for Java, so I may be stuck with Safari, Opera, or [ugh] IE.
Comment 23•9 years ago
BTW, issue remains in current version: 45.0.2
Comment 24•9 years ago
This is not resolved in the latest Firefox (45.0.2). It still can't connect to my own router inside my own home. The security tab of the options dialog does not have a control for this. Firefox help could not even find the error code (SSL_ERROR_WEAK_SERVER_CERT_KEY).
So there's no fix, no override, and no help. Please roll back the status.
My hardware is what it is, so I can't update its web interface to use a big certificate. Firefox needs to accommodate legacy hardware, at least on its own subnet(s). Please fix this for real, and add a security control if optional, and provide a help paragraph that can be found using the error code. Only then will the bug be resolved.
Comment 25•9 years ago
(Changing summary, since clearly it hasn't been clear that this bug is specific to Webmin.)
(In reply to Jeffry R Fisher from comment #24)
> This is not resolved in the latest Firefox (45.0.2).
As noted in Bug 1182742 comment 18, the general fix has landed for Firefox 48. Typically, a bug is marked FIXED as soon as the changes land in a development branch.
Summary: SSL_ERROR_WEAK_SERVER_CERT_KEY when connecting to Webmin interface → Webmin interface uses a weak key
Assignee
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility