Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  cannot connect to webui using any browser

    Posted 01-01-2017 16:24

    I have an SSG 520 running Screen OS 6.2. I used to be able to connect to it via the webui, but now, no matter which browser I use, I cannot connect. With Firefox, I get "Error code: SSL_ERROR_NO_CYPHER_OVERLAP". With Chrome, I get "x.x.x.x uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

    Internet Explorer doesn't work either. I found an article that had me run the following command:

    delete pki object-id system

    After this I rebooted, and the self-signed cert was regenerated by the firewall, but it has not resolved the issue. How do I fix this so I can use a web browser? I'm not sure when it stopped working; I don't manage the firewall very often, but I really want to get this resolved.

    I did a debug ssl and see this output when I try to connect via browser:

     

    get db str
    ssl server new socket. queue count(0)
    SSL master_socket(1)
    SSL accept_socket(102)
    ssl_state: sslStateCertVerified
    SSL Connection Init
    SSL set server mode
    SSL_accept:before/accept initialization
    SSL TLSv1_server_method called.
    ssl3_accept start(SSLv3 read client hello A)
    ssl3_accept loop(SSLv3 read client hello A)
    ssl3_choose_cipher: have
    SSL: cipher DES-CBC3-SHA
    ssl3_choose_cipher: prefer
    SSL: cipher RC4-MD5
    SSL: cipher RC2-CBC-MD5
    SSL: cipher IDEA-CBC-MD5
    SSL: cipher RC4-MD5
    ssl3_get_client_hello() failed, no shared cipher
    SSL3 alert write:fatal:handshake failure
    ssl3_accept end(SSLv3 read client hello C)
    SSL_accept:error in SSLv3 read client hello C
    SSL_accept:error in SSLv3 read client hello C
    handshake failed, Function(138), Reason(193)
            NO SHARED CIPHER!!!
    sslConnectionInit() refused connection
    ssl state sslStateFailedssl close socket(102)
    ssl closing accept socket(102)
        free ssl sock(102)
    ConnectionsActive: --

     

    And here is the self-signed cert:

     

    get pki x509 cert system (values modified)
                    CN=0156052006000053,CN=system generated,CN=self-signed,
                    Expire on 12-27-2026 12:30, Issued By:
                    CN=0156052006000053,CN=system generated,CN=self-signed,
    Serial Number: <3f68ebaa59d6546226d6c5224c9aa506>
    finger print (md5) <3245d535 0e4756fb 1f66ab82 38f7cc7d>
    finger print (sha) <ea755328 1bb8da2d 76ca1715 fa2e8136 cb74df72>
    subject name hash: <d5011b59 a915363e c1683eb8 4a6aa04b 1701931a>



  • 2.  RE: cannot connect to webui using any browser

     
    Posted 01-01-2017 18:52

    Hello,

    I think the cause of the problem is here:

    SSL: cipher RC4-MD5
    SSL: cipher RC2-CBC-MD5
    SSL: cipher IDEA-CBC-MD5
    SSL: cipher RC4-MD5
    ssl3_get_client_hello() failed, no shared cipher

    Firefox or Chrome will not allow connections using weak ciphers.

    To resolve this, can you try to generate a self-signed certificate with 3DES/SHA1 & 2048 key length and use it for SSL?

    Regards,

    Rushi



  • 3.  RE: cannot connect to webui using any browser

    Posted 01-02-2017 03:50

    The only other option is to use very old browsers. I end up using an old version of IE to manage these devices.

    In 6.3 you are able to change the cipher to 3DES SHA1 and allow the connections. Not sure if this cipher is in 6.2 or not.

    set ssl encrypt 3des sha-1
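
The following script is an added example for readers of this thread; it is not code from the original posts or from Juniper. It parses the `ssl3_choose_cipher` portion of the `debug ssl` trace quoted in post 1, shows why the result is "NO SHARED CIPHER" as post 2 points out, and then simulates the effect of the `set ssl encrypt 3des sha-1` change from post 3 without touching a device. It assumes (this is an interpretation of the trace, not documented ScreenOS behaviour) that the "have" list is the set of client-offered ciphers the firewall recognises and the "prefer" list is the firewall's own configured ciphers; the handshake needs at least one name in both. The function and variable names are the example's own.

```python
# Added example (not from the thread or from Juniper): explain the
# "NO SHARED CIPHER" result in a ScreenOS `debug ssl` trace offline.
# Assumption: "have" = client-offered ciphers the firewall recognises,
# "prefer" = the firewall's configured cipher list.
import re

# Cipher-selection lines copied from the trace in post 1.
DEBUG_SSL_TRACE = """\
ssl3_choose_cipher: have
SSL: cipher DES-CBC3-SHA
ssl3_choose_cipher: prefer
SSL: cipher RC4-MD5
SSL: cipher RC2-CBC-MD5
SSL: cipher IDEA-CBC-MD5
SSL: cipher RC4-MD5
ssl3_get_client_hello() failed, no shared cipher
SSL3 alert write:fatal:handshake failure
"""

# Why a current browser no longer offers each suite family (name fragment -> reason).
WEAK_REASONS = {
    "RC4": "RC4 is prohibited for TLS (RFC 7465)",
    "RC2": "RC2 is an obsolete cipher no modern client offers",
    "IDEA": "IDEA-based suites were removed from browsers",
    "MD5": "MD5-MAC suites are not offered by modern clients",
    "DES-CBC3": "3DES has a 64-bit block (Sweet32); legacy fallback only",
}

SECTION_LINE = re.compile(r"^\s*ssl3_choose_cipher: (have|prefer)")
CIPHER_LINE = re.compile(r"^\s*SSL: cipher (\S+)")


def parse_cipher_lists(trace):
    """Return {'have': [...], 'prefer': [...]} in the order the firewall logged them."""
    lists = {"have": [], "prefer": []}
    current = None
    for line in trace.splitlines():
        m = SECTION_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CIPHER_LINE.match(line)
        if m and current:
            lists[current].append(m.group(1))
    return lists


def weakness(cipher):
    """Reasons a suite name is considered weak (empty list if none matched)."""
    return [reason for key, reason in WEAK_REASONS.items() if key in cipher]


def shared_ciphers(lists):
    """Suites present in both lists, in 'prefer' order, duplicates removed."""
    have = set(lists["have"])
    return [c for c in dict.fromkeys(lists["prefer"]) if c in have]


def diagnose(trace, server_prefer=None):
    """Summarise the handshake outcome. server_prefer overrides the logged
    'prefer' list so a reconfiguration can be evaluated before applying it."""
    lists = parse_cipher_lists(trace)
    if server_prefer is not None:
        lists["prefer"] = list(server_prefer)
    shared = shared_ciphers(lists)
    seen = dict.fromkeys(lists["have"] + lists["prefer"])
    weak = {c: weakness(c) for c in seen if weakness(c)}
    return {
        "client_offered": lists["have"],
        "server_configured": lists["prefer"],
        "shared": shared,
        "handshake_ok": bool(shared),
        "weak": weak,
    }


if __name__ == "__main__":
    before = diagnose(DEBUG_SSL_TRACE)
    print("as logged :", "OK" if before["handshake_ok"] else "NO SHARED CIPHER", before["shared"])
    # Simulate `set ssl encrypt 3des sha-1`: the firewall now prefers DES-CBC3-SHA.
    after = diagnose(DEBUG_SSL_TRACE, server_prefer=["DES-CBC3-SHA"])
    print("after fix :", "OK" if after["handshake_ok"] else "NO SHARED CIPHER", after["shared"])
    for cipher, reasons in after["weak"].items():
        print(f"  still weak: {cipher}: {'; '.join(reasons)}")
```

Running it prints the empty intersection for the trace as logged and a single shared suite, DES-CBC3-SHA, once the server list is switched to 3DES/SHA-1. The script still flags that suite as weak: the change gets a 2017-era browser talking to the box again, but 3DES is a legacy fallback that current browsers have since dropped, so management access to an end-of-life device like this is better placed behind a jump host or a management VLAN than exposed on the basis of this cipher.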



  • 4.  RE: cannot connect to webui using any browser

    Posted 01-03-2017 10:33

    Changing it to "3des sha-1" did the trick. Thanks guys, appreciate it.



  • 5.  RE: cannot connect to webui using any browser

    Posted 10-21-2018 06:39

    Thanks a lot man, it worked... Kudos



  • 6.  RE: cannot connect to webui using any browser

    Posted 10-21-2018 06:41

    Thanks a lot, it works.