  #1  
Saken (Registered User), 05-12-2014, 02:52 PM
Telnet/SSL

I am having difficulties with this. I am using SecureCRT 6.7 and I am trying to connect to a device using SSL/TLS on port 992.

I generated a CSR on the end device, signed it, and TFTP'd it back.

My problem is, I keep getting "Failed to complete SSL negotiation because the server requires a client certificate."

I created a Self signed certificate using my IIS manager and pointed SecureCRT to it but it tells me that it is invalid (.pfx). I wouldn't think the SSH2 portion of this would have any bearing on what I am attempting to do but I could be wrong.

If someone could point me to some info on the correct way to configure SecureCRT for use with SSL, I would appreciate it.
  #2  
bgagnon (VanDyke Technical Support), 05-12-2014, 03:56 PM
Hello Saken,

SecureCRT does not currently support client-side certificates. Disabling this checking on the server side is the suggested workaround.

I have added this thread to a feature request in our product enhancement database for an option to support client-side certificates (Telnet/SSL, mutual authentication). Should a future release of SecureCRT include this feature, notification will be posted here.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Feature Request - Forum Thread #11503" in the subject line.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
Saken (Registered User), 05-13-2014, 06:32 AM
Does it support the .pfx and .p12 containers? It gives me the option to create a CSR under SSL in global options. Does SSL in global options affect Telnet/SSL?
  #4  
Saken (Registered User), 05-13-2014, 06:46 AM
Thanks for the reply.

Does SecureCRT support the .p12 and .pfx extension for use with SSL?

Under global options>SSL, if I point that location to a .p12 or .pfx, is that used for Telnet/SSL?
  #5  
bgagnon (VanDyke Technical Support), 05-13-2014, 09:51 AM
Hello Saken,

In light of mutual authentication not being supported, I am not sure what you are trying to accomplish.

Do you want anonymous authentication support?
  #6  
bgagnon (VanDyke Technical Support), 05-13-2014, 10:03 AM
Hello Saken,

Perhaps you are confusing configuration options that are relevant to SecureFX with what is possible in SecureCRT.

If you have used the integrated installer then some of the items appear in Global Options because both applications use Global Options, but some specific config items are applicable only to SecureCRT and some are applicable only to SecureFX.

The sub-categories under File Transfer (and including File Transfer) in Global Options are relevant only to SecureFX.
  #7  
Saken (Registered User), 05-13-2014, 10:16 AM
I apologize for the confusion and I am certainly not knowledgeable when it comes to TLS/SSL.

SecureCRT has an option to create a Telnet/SSL link to a device. I specify an IP address to the device I want to connect to and select connect. It tells me that the server needs a client certificate. I have two certificates, a .p12 and a .pfx.

Under global options > ssh2 I select to pull from the CAPI (Personal store).

I install the .pfx, which was created using IIS 6.1, into my personal store and it still tells me that I need a client certificate.

I install the .p12, which someone gave me, into my personal store and I am able to SSL to the end device but I must disable certificate validation in order to do so (makes sense because I don't have their CA.cer).

You are right, if I turn mutual authentication off I can connect with no certificate loaded but I am pretty sure that is not the point of Telnet/SSL.

Again, I have very little knowledge on this particular subject but I can't believe turning mutual authentication off would be a fix. It seems like it would be a security violation.
  #8  
Saken (Registered User), 05-13-2014, 10:21 AM
Quote (originally posted by bgagnon):
Hello Saken,

Perhaps you are confusing configuration options that are relevant to SecureFX with what is possible in SecureCRT.

If you have used the integrated installer then some of the items appear in Global Options because both applications use Global Options, but some specific config items are applicable only to SecureCRT and some are applicable only to SecureFX.

The sub-categories under File Transfer (and including File Transfer) in Global Options are relevant only to SecureFX.
Yeah, through trial and error I discovered that the SSL option under File Transfer had nothing to do with what I was trying to accomplish.
  #9  
bgagnon (VanDyke Technical Support), 05-13-2014, 11:23 AM
Hi Saken,

The protocol (TLS/SSL) still provides encryption of the connection. Encryption is established before the server authenticates the client.

Instead of authenticating with a certificate, you would authenticate with a username/password.

Quote (originally posted by Saken):
Again, I have very little knowledge on this particular subject but I cant believe turning mutual authentication off would be a fix. It seems like it would be a security violation.
If your security policy requires clients to authenticate with certificates, then yes, this would be a violation of your organization's security policy.
  #10  
Saken (Registered User), 05-13-2014, 11:45 AM
So then SSL is not designed to use public and private keys to create a secure session between server and client? SSL is only for encryption?
  #11  
bgagnon (VanDyke Technical Support), 05-13-2014, 12:43 PM
Hello Saken,

Correct, SSL stands for Secure Sockets Layer.

I think if you can provide Trace Options output of a connection that works (using the file provided by your colleague) vs the connection that does not (file you generated), then we may be able to clear up the mystery.

To enable trace options output:
  • First, open SecureCRT's main File pull-down menu and select Trace Options. If you open the File pull down menu again you should see a checkmark next to Trace Options, indicating that troubleshooting output is now enabled.
  • Next, connect to the remote machine. With trace options enabled, you will notice debugging information displayed in the terminal window that isn't normally there by default when SecureCRT is attempting to establish a connection, and at certain times throughout the lifetime of the connection.
  • Once the problem occurs, please right-click inside the terminal window and choose Select All, then right-click again and choose Copy to transfer the information to the clipboard.
  • Finally, open a text editor, paste the information from the clipboard into the editor program, and save it as a text file.
Since trace options can contain sensitive information, feel free to send it as an attachment via email to support@vandyke.com. Please reference "Attn Brenda - Forum Thread #11503" in the subject line.

NOTICE: The requested troubleshooting data may include sensitive information (usernames, passwords, publicly-accessible host names or IP addresses, etc.).

Please redact sensitive information that would not be appropriate for a public forum prior to posting the requested information.

If there is sensitive information that must be conveyed in order to provide a complete picture of the scenario you're facing, please let us know and we will set up a secure upload mechanism that can be used.
Attached file: X.509 Certificates and VanDyke Software Products.pdf (200.6 KB)