Anybody have a way to contact the support.juniper.net web server admins? Due to a misconfiguration, it can't be accessed from clients with modern security requirements. Firefox on Fedora Linux 33 just gives an error SSL_ERROR_NO_CYPHER_OVERLAP, and OpenSSL's s_client mode just disconnects.
I _think_ this is due to the server sending too many intermediate certificates - a couple of them are root certs that are either going to be in a client's trust store, or just not trusted at all. The issue with that is the last one of them is signed with RSA+SHA1, and SHA1 is deprecated. Fedora has already disabled it, and all the browsers are going to do the same soon. OpenSSL can't even negotiate a connection, because it won't offer RSA+SHA1. It looks like some clients/libraries connect, get the cert chain, and then fail. Some still work, because they stop following the chain when they get to the root that's in their trust store (but it's bad form to send more).

I first opened a JTAC case, but was directed to [email protected] since it wasn't a device issue, but that just opened a new case and again someone asked about my device. It's not a problem with my device, it's a problem with Juniper's.

-- 
Chris Adams <[email protected]>

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
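A chain-audit script, added here as an example and not part of the original post or of any Juniper tooling: it dumps what a server presents (or reads a saved PEM bundle) and flags the two problems the post describes, SHA-1 signatures and self-signed roots that do not belong in the sent chain. It assumes only the openssl command-line tool; host, port and file names are whatever you pass in.

```shell
#!/bin/sh
# Audit the certificate chain a TLS server presents. Reports the two problems
# described in the post: certificates signed with SHA-1 and self-signed roots
# that are sent in the chain but belong only in the client's trust store.
# Assumes the openssl command-line tool is installed.

# fetch_chain HOST [PORT]: print every certificate the server sends, as PEM.
fetch_chain() {
  host="$1"; port="${2:-443}"
  # -showcerts dumps the whole chain; sed keeps only the PEM blocks.
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# audit_chain BUNDLE.pem: one summary line per certificate, plus a
# "FINDING:" line per problem. Exit status is the number of findings.
audit_chain() {
  tmp=$(mktemp -d) || return 1
  # Split the bundle: n counts BEGIN lines, each cert lands in its own file.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' "$1"
  findings=0; i=1
  while [ -f "$tmp/cert$i.pem" ]; do
    cert="$tmp/cert$i.pem"
    sig=$(openssl x509 -in "$cert" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # A root is self-signed: subject and issuer carry the same name.
    self=no; [ "${subj#subject=}" = "${iss#issuer=}" ] && self=yes
    printf '%s sig=%s selfsigned=%s %s\n' "$i" "$sig" "$self" "$subj"
    case "$sig" in
      *sha1*|*SHA1*) printf 'FINDING: cert %s is signed with SHA-1 (%s)\n' "$i" "$sig"
                     findings=$((findings + 1)) ;;
    esac
    if [ "$self" = yes ]; then
      printf 'FINDING: cert %s is self-signed (a root); drop it from the chain the server sends\n' "$i"
      findings=$((findings + 1))
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$findings"
}

# Usage: check_chain.sh HOST [PORT]   or   check_chain.sh -f saved-chain.pem
if [ "$#" -gt 0 ]; then
  if [ "$1" = "-f" ]; then
    audit_chain "$2"
  else
    bundle=$(mktemp) && fetch_chain "$1" "$2" >"$bundle"
    audit_chain "$bundle"; rc=$?; rm -f "$bundle"; exit "$rc"
  fi
fi
```

If the handshake itself fails, as the post reports for OpenSSL, audit a bundle saved from a client that still connects (`-f`), or run the fetch with the security level lowered for that one command (`-cipher 'DEFAULT:@SECLEVEL=0'`) so the chain can at least be inspected.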

