APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
Having gone through the ordeal of upgrading the firmware on our AP7900 rack-mount PDUs so that they actually work with modern browsers, I am now attempting to upload proper SSL certificates, and am unable to get past the error code -32 on your software. The certificate is being issued from OpenSSL, and I've tried removing anything beyond the very basic stuff (subjectAltName, etc.)
It's become clear that the SSL implementation on these devices is a fragile hack job, and it would be nice to see a detailed list of things that will cause it problems posted somewhere. I'll paste the signed certificate below and would appreciate any feedback on what could be "wrong."
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
I don't think the APC stuff is particularly fragile, just very unusual (and in the case of the Security Wizard, unpleasant). Remember, the CPU in that generation of management card is rather underpowered for SSL in general and modern ciphers in particular. That is presumably what caused the design decision to do everything in a PC utility (the APC Security Wizard) instead of the more usual "generate a CSR on the device itself".
I assume the error -32 you mention is from the Security Wizard? If you're getting any sort of error on the device itself, it is usually from either loading a certificate with a longer-than-1024 key length or trying to give it something that hasn't been pre-digested by the Security Wizard.
Can you describe the exact order of steps you went through to generate the error?
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
For a product purchased 2 years ago, I'm very unimpressed with that CPU and the lack of modern crypto support.
Not dealing with the device yet, just trying to get through the software. I've downloaded the CSR and signed it in OpenSSL as I've done with literally hundreds of other devices. Now getting the error when I try to put the signed certificate back into the APC software.
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
The limitations of the CPU were probably known going back to when those cards were designed. But the world was a different place and there was less emphasis on SSL then, and certainly the browser authors weren't in a race to see who could break the most features in the shortest amount of time back then, either.
If the hundreds of other devices weren't APC, then you've never dealt with the APC Security Wizard. I have attached 3 short videos showing the creation of a CSR from the Security Wizard, creating the certificate on a Unix box with OpenSSL, then using the Security Wizard to import it and create the .p15 file the APC device wants. Note that you can't just type text into the "File name" text box as I do halfway through the second SecWiz video - you have to enter it in the Browse picker box or things won't work right.
I use an IP address as the CN, since these NMC cards will rewrite http://ups.example.com to https://192.168.100.117 if they have SSL enabled, so using the actual FQDN as the common name will give you "issued to a different server" SSL warnings in your browser.
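A pre-import check for the two points raised in the replies above (keys longer than 1024 bits, and using the card's IP address as the CN), as an added example that is not part of the thread or APC's tooling. It assumes `openssl` is on PATH and PEM-encoded files; `MAX_BITS`, the function names and the CSR-to-certificate key comparison are this example's own.

```shell
#!/bin/sh
# Added example, not APC tooling. Assumes openssl on PATH and PEM input files.
MAX_BITS=1024   # key-length limit quoted in the reply above

cert_key_bits() {   # RSA key size in bits of a PEM certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

cert_cn() {         # subject commonName of a PEM certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

same_pubkey() {     # does the certificate carry the CSR's public key?
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl req -in "$2" -noout -pubkey | openssl sha256)" ]
}

# preflight CERT CSR: print findings; return 1 if any check is a hard failure.
preflight() {
    rc=0
    bits=$(cert_key_bits "$1"); cn=$(cert_cn "$1")
    if [ "${bits:-0}" -gt "$MAX_BITS" ]; then
        echo "FAIL: ${bits}-bit key exceeds ${MAX_BITS} bits"; rc=1
    fi
    same_pubkey "$1" "$2" || { echo "FAIL: certificate key differs from CSR key"; rc=1; }
    case $cn in
        *[!0-9.]*|'') echo "WARN: CN '$cn' is not an IPv4 address" ;;
    esac
    return $rc
}

# make_sample DIR BITS CN: constructed CSR plus self-signed cert for trying the checks.
make_sample() {
    openssl req -new -newkey "rsa:$2" -nodes -subj "/CN=$3" \
        -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh preflight.sh signed-cert.pem wizard.csr
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-IP CN is reported as a warning only, since it affects the browser name check described above rather than the import itself.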
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
I know how it's supposed to work, it just isn't. Posting here is a last resort, I can assure you I did my homework beforehand. Using the software to generate a CSR, signing it with my OpenSSL CA, trying to import it back into the software. It doesn't like something about the certificate, and it would be nice if it told me what.
I think we'll just stick with SSH and plan to replace these devices. The state of security "back then" is no excuse for the fact that these devices are sold today with 15-year-old encryption standards.
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:59 PM
I can just chime in.
Please APC, finally fix your SSL issues, we have 2016!
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:58 PM
We are listening and working on a few things including a new, updated Security Wizard and a Wizard version that supports mass creation of CSR as well as mass import of signed certs through a CLI version of the wizard which can be scripted.
Posted: 2021-06-27 11:42 PM . Last Modified: 2024-03-18 11:58 PM
Hey all,
Because installing private SSL's on NMC is a reoccurring theme, I decided to create a discussion after some progress was made during a support chat.