[Spce-user] Can't connect to 127.0.0.1:1442 (certificate verify failed)
Alex Lutay
alutay at sipwise.com
Mon Jun 6 07:22:17 EDT 2016
Hi all,
On 06/06/2016 12:46 PM, Alexander Griesser wrote:
> It's removed on the server side, yes - but the warning message indicates that the client is trying to connect with SSLv3 - shouldn't be a big deal, but still...
Ah... I am not sure here. I believe the library is trying to connect
using all the possible protocols it supports, so the last one was SSLv3.
As the server has support for TLS only, I do not see a big issue here;
SSLv3 will be removed from the libraries by their maintainers.
> This system is running on mr4.3.1 and the Qualys check just finished
> with a B - only problem is the weak DH param, but that's what you
> already mentioned; I'm just afraid of manually adding the required
> configuration to nginx, don't want to break something during the next
> upgrade then, or will that work even if the parameter is already there then?
You can generate the DH key yourself using:
CERT_PATH="/etc/ngcp-config/ssl"
openssl dhparam -out "${CERT_PATH}/dhparam.pem" 4096
chown root:ssl-cert "${CERT_PATH}/dhparam.pem"
chmod 640 "${CERT_PATH}/dhparam.pem"
ngcp-upgrade will NOT overwrite it.
Then you have to create a customtt for the nginx ssl_params file
and add one line:
ssl_dhparam /etc/ngcp-config/ssl/dhparam.pem;
It should do the job, please ensure you have A+ on SSLLabs.
P.S. Do NOT forget to remove customtt before the next upgrade to mr4.4.1.
--
Alex Lutay
Meet us @ ANGACOM: Hall 10.1 / booth N10
Exhibition and Congress for Broadband,
Cable & Satellite: 07 – 09 June, 2016 in Cologne
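
A way to check the result of the steps in the message above, as an added example that is not part of the original post or of Sipwise's code: it reads the prime size from a PKCS#3 `DH PARAMETERS` PEM and looks for an active `ssl_dhparam` line in nginx config text. The 2048-bit threshold, the function names and the sample inputs are assumptions constructed for this example.

```python
import base64
import re

MIN_BITS = 2048  # assumption: moduli shorter than this are treated as weak
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(buf, pos=0):
    """Decode one DER element: return (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_modulus_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    seq_tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())))
    int_tag, p, _ = _read_tlv(seq)  # DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }
    if (seq_tag, int_tag) != (0x30, 0x02):
        raise ValueError("not a PKCS#3 DHParameter structure")
    return int.from_bytes(p, "big").bit_length()

def dhparam_paths(conf_text):
    """Paths named by uncommented ssl_dhparam directives in nginx config text."""
    return re.findall(r"^[ \t]*ssl_dhparam[ \t]+([^;\s]+)[ \t]*;", conf_text, re.M)

def audit(pem_text, conf_text, expected_path):
    # Returns a list of problems; an empty list means both checks passed.
    problems, bits = [], dh_modulus_bits(pem_text)
    if bits < MIN_BITS:
        problems.append(f"DH modulus is {bits} bits, below {MIN_BITS}")
    if expected_path not in dhparam_paths(conf_text):
        problems.append(f"no active ssl_dhparam directive for {expected_path}")
    return problems

def _tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (nb if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def sample_pem(bits):
    """Constructed input: p = 2**(bits-1) + 1 is NOT a real safe prime; only its size matters."""
    ints = b"".join(_tlv(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ((1 << (bits - 1)) | 1, 2))
    return "-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(_tlv(0x30, ints)).decode() + "-----END DH PARAMETERS-----\n"
```

On a real system, pass the contents of the generated `dhparam.pem` and of the rendered nginx ssl_params file to `audit()`; it does not validate primality or file ownership.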