Wireless Access

Moderator
Posts: 243
Registered: ‎09-12-2007

Certificate - "securelogin.arubanetworks.com"

Just a heads up that next month sometime, a security researcher plans to publish the fact that he was able to extract the private key for the default "securelogin.arubanetworks.com" certificate from an ArubaOS image.  This is something we've always cautioned against (see for example http://community.arubanetworks.com/aruba/attachments/aruba/115/3996/1/customer-advisory-expiring-ssl-cert.pdf from a few years ago) but as many times as we say it, people either ignore it or don't understand it.
To cut to the tl;dr version:  If you are relying on the factory-default certificate to protect HTTPS communication with an Aruba product, this certificate is providing you with very little security because with the private key, an attacker can conduct a man-in-the-middle attack without you knowing it.  What can you do?  Buy a certificate from a public CA.  If you don't want to spend a lot of money, I recommend https://www.ssls.com/.
In the future, expect to see "securelogin.arubanetworks.com" disappear from the product, to be replaced by a self-generated, self-signed certificate.  In the past we were persuaded by the "but certificates are too complicated - just leave the factory default cert as-is and customers who care about security can update it" argument, but I now think we're doing a disservice to customers by giving them too much rope with which to hang themselves.  I'm happy to hear arguments to the contrary, but I'm going to be pushing to torpedo this thing.
Any questions or concerns, please let me know!

---
Jon Green, ACMX, CISSP
Security Guy
Guru Elite
Posts: 8,196
Registered: ‎09-08-2010

Re: Certificate - "securelogin.arubanetworks.com"

Jon - Will it also be removed from Instant and MAS around the same time?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Certificate - "securelogin.arubanetworks.com"

Totally agree with your advice. During deployments we will always try to persuade the customer to buy two SSL certificates. One certificate for the controllers, the other one for the ClearPass machines.
Extraction of the SSL certificate from the Aruba Instant image is also possible. Contact me if you require any details.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Certificate - "securelogin.arubanetworks.com"


cappalli wrote:

Jon - Will it also be removed from Instant and MAS around the same time?


That would be the goal, yes.

---
Jon Green, ACMX, CISSP
Security Guy
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Certificate - "securelogin.arubanetworks.com"

Took a bit longer than I expected, but this is what I was expecting to be published back in June or July:

http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html?m=1
---
Jon Green, ACMX, CISSP
Security Guy
MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Certificate - "securelogin.arubanetworks.com"

Thanks Jon.

Any idea when this will be removed from AOS, Instant and MAS?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 706
Registered: ‎12-01-2010

Re: Certificate - "securelogin.arubanetworks.com"

Thanks for the heads-up. Also thanks for re-thinking the certificate.

Certs can be confusing, but they're not all that hard once you have to learn how they work and interrelate. Dropping the pre-signed cert for a self-signed one is a great step.
Any thoughts on letting iAP and Controllers get certs from Airwave or Clearpass?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
MVP
Posts: 1,408
Registered: ‎10-25-2011

Re: Certificate - "securelogin.arubanetworks.com"

IAPs can be pushed from Airwave. I had the same question:
http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-certificate-s-per-VC-or-pushed-from-Airwave/m-p/238690#M10583
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 706
Registered: ‎12-01-2010

Re: Certificate - "securelogin.arubanetworks.com"

You're right Pasquale. Thanks for the link.
I was meaning more like a cert-request/CA relationship - I would feel better if each cluster had a unique certificate for the management page, I can see a universal certificate for the captive-portal though.
--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Certificate - "securelogin.arubanetworks.com"

Bumping up this thread again, because the same group of researchers has recently re-published and expanded their work.
ArubaOS 8.0, by the way, generates a self-signed certificate for administrative access.  Each controller will thus use a unique self-signed certificate.  Those who want to keep using that can feel free to individually trust each of those self-signed certs.  Those who like using PKI should be installing their own certificates.

---
Jon Green, ACMX, CISSP
Security Guy
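Added example, written for this thread and not taken from any poster or from Aruba: a POSIX shell helper that (a) reports whether a device certificate still carries the shared factory-default CN that the first post warns about, so an admin can sweep a fleet of saved certs before an attacker with the published key does, and (b) generates a unique self-signed replacement of the kind the last post says ArubaOS 8.0 creates per controller. It assumes the openssl command-line tool is installed; the hostnames and certificates in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba). Requires the openssl CLI.
set -eu

# The CN every device shipped with; its private key is now public, so any
# HTTPS endpoint still presenting it can be intercepted undetected.
DEFAULT_CN="securelogin.arubanetworks.com"

# Exit 0 if the PEM certificate in $1 carries the factory-default subject CN.
is_default_cert() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$DEFAULT_CN" ]
}

# SHA-256 fingerprint of cert $1. The same value on two devices means the
# cert (and its key) is shared, which is the exposure the thread describes.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Unique self-signed cert for hostname $1, written to $2.key and $2.crt.
# This mirrors the per-controller behaviour the last post attributes to ArubaOS 8.0.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$2.key" -out "$2.crt" -subj "/CN=$1" 2>/dev/null
}

# Stand-alone demo over constructed certificates (hostnames are made up;
# the "factory" cert only stands in for the shipped one, it is freshly generated).
demo() {
    dir=$(mktemp -d)
    gen_self_signed "$DEFAULT_CN" "$dir/factory"
    gen_self_signed "controller-1.example.net" "$dir/ctrl1"
    for f in "$dir/factory.crt" "$dir/ctrl1.crt"; do
        if is_default_cert "$f"; then verdict="FACTORY DEFAULT - replace"; else verdict="unique"; fi
        printf '%s  %s  %s\n' "$(fingerprint "$f")" "$verdict" "$f"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see both verdicts; pointing `is_default_cert` at certs exported from each controller, Instant VC and ClearPass box gives the fleet sweep.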