Tag Archives: certificate

Enabling SSH on Dell Powerconnect 5000/6000/7000

No one is probably trying to even do this anymore due to the new Dell switching lines, but thought I would see if I could help. I had this issue the other day, and it took a good bit of googlefu before I could find my answer .

The problem I had was getting SSH enabled on a Dell PowerConnect 7048P. I created my user/passwords , and then generated my certificate, and then enabled the SSH server.. I got this error

PC-7048(config)#crypto key generate rsa

RSA key generation started, this may take a few minutes……..
RSA key generation complete.

PC-7048(config)#

PC-7048(config)#ip ssh server

SSH could not be enabled.

Hmmm… Why is that, all of my needed components are there, so why is it not working. The reason is there is no Cert to be used by SSH. These models use the Digital signature Algorithm (DSA) Certificate instead of the RSA cert. SO we need to create the DSA Cert.

PC-7048(config)#crypto key generate dsa

DSA key generation started, this may take a few minutes………………….
DSA key generation complete.

PC-7048(config)#ip ssh ser

No error!! and it works just fine.

Good reading for the comparison of RSA vs DSA: http://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys

Advertisements

Fortigate HTTPS inspection Certificate error fixes

*Note – Most of these issues have been fixed in 5.2. By default now, if you select https inspection – Certificate inspection you will just get a blank page when you go to a https that is not allowed.

The Fortigate Web filter is amazing! I think it stands up to the best web filters out there.

But, like all webfilters SSL can be a bit tricky. Fortigate offers its own SSL Certifcate “Fortigate-CA-Proxy” to the client when it does a few things:

1. Deep packet inspection (imagine a man in the middle attack). This way the Fortigate sees all traffic that comes in the session even if it was encrypted.

2. When it sends its replacement message (Blocked) to the client.

Some problems come up with this. The cert has to be trusted by clients, this can be easily done if you have a internal CA, or you could create a Windows group policy to push the certificate into their trusted store. I know you might ask, what if I get a signed cert for this? The certificate is a CA-True certificate. That basically means you would have to get a certificate from a trusted publisher that says you are a public CA. I would say most CA’s would not give us one. But what if you want SSL inspection for Guest clients but don’t want them to see the cert error? The answer lies below friends. Something to remember is you have to have SSL inspection enabled on the firewall policy to get HTTPS inspection to work.

To have the Fortigate block the website without giving an error there are a few things that need to be done:

1. Select the webfilter to use https-url-scan to only look at the URL, not to use deep scanning

2. set the Fortigate to not respond with a replacement message. Remember it responds with a HTTPS blocked page – so  therefore you see the HTTPS cert.

As of Patch 7 this is a CLI command.

To enable HTTPS-url-scan which looks that the URL not the traffic going through:

config webfilter profile

edit default (or your profile name)

set options https-url-scan

end

To disable the HTTPS replacement message:

config webfilter profile

edit default (or your profile name)

set https-replacemsg disable

end

To give an example:

Lets say I block the category “social networking” and go to http://facebook.com it will be blocked. If I go to https://facebook.com it will show a blank screen – no error message, but will not work. Before enabling these commands I would see the error message, then after accepting the cert I would see the block page.

Note* there might be a way to have the replacement message be http, instead of https. I am looking into this.