
Certificate - "securelogin.arubanetworks.com"

Just a heads up that next month sometime, a security researcher plans to publish the fact that he was able to extract the private key for the default "securelogin.arubanetworks.com" certificate from an ArubaOS image.  This is something we've always cautioned against (see for example http://community.arubanetworks.com/aruba/attachments/aruba/115/3996/1/customer-advisory-expiring-ssl-cert.pdf from a few years ago) but as many times as we say it, people either ignore it or don't understand it.
To cut to the tl;dr version:  If you are relying on the factory-default certificate to protect HTTPS communication with an Aruba product, this certificate is providing you with very little security because with the private key, an attacker can conduct a man-in-the-middle attack without you knowing it.  What can you do?  Buy a certificate from a public CA.  If you don't want to spend a lot of money, I recommend https://www.ssls.com/.
In the future, expect to see "securelogin.arubanetworks.com" disappear from the product, to be replaced by a self-generated, self-signed certificate.  In the past we were persuaded by the "but certificates are too complicated - just leave the factory default cert as-is and customers who care about security can update it" argument, but I now think we're doing a disservice to customers by giving them too much rope with which to hang themselves.  I'm happy to hear arguments to the contrary, but I'm going to be pushing to torpedo this thing.

Any questions or concerns, please let me know!

---
Jon Green, ACMX, CISSP
Security Guy
Guru Elite
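As an added illustration of the point in the post above (not code from the thread or from Aruba), the function below inspects a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns for a validated connection and flags the conditions the post warns about: the shared factory-default subject, a self-signed certificate, and an expired one. The sample certificates are constructed for the example; the issuer names and dates in them are invented and do not describe the real default certificate.

```python
import ssl
import time

# Subject common name of the factory-default certificate discussed in the thread.
DEFAULT_ARUBA_CN = "securelogin.arubanetworks.com"


def rdn_value(name_tuples, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuple-of-tuples
    structure that getpeercert() uses for the 'subject' and 'issuer' fields."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def assess_cert(cert, now=None):
    """Return a list of human-readable findings for a getpeercert()-style dict.

    An empty list means none of the three weak conditions was detected."""
    now = time.time() if now is None else now
    findings = []
    subject = cert.get("subject", ())
    issuer = cert.get("issuer", ())

    if rdn_value(subject, "commonName") == DEFAULT_ARUBA_CN:
        findings.append("factory-default certificate: its private key is public, replace it")
    if subject and subject == issuer:
        findings.append("self-signed: trust it explicitly per device or install a CA-issued cert")
    not_after = cert.get("notAfter")
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format used here.
    if not_after and ssl.cert_time_to_seconds(not_after) < now:
        findings.append("expired on " + not_after)
    return findings


# Constructed sample: the shared default subject, issued by an invented CA name, already expired.
DEFAULT_CERT = {
    "subject": ((("commonName", DEFAULT_ARUBA_CN),),),
    "issuer": ((("organizationName", "Example Vendor CA (constructed)"),),),
    "notAfter": "Feb 16 12:00:00 2016 GMT",
}

# Constructed sample: a per-device self-signed certificate that is still valid.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "controller-1.example.test"),),),
    "issuer": ((("commonName", "controller-1.example.test"),),),
    "notAfter": "Jan 01 00:00:00 2099 GMT",
}

# Constructed sample: a CA-issued certificate with a unique subject, still valid.
CA_ISSUED_CERT = {
    "subject": ((("commonName", "captiveportal.example.test"),),),
    "issuer": ((("commonName", "Example Public CA (constructed)"),),),
    "notAfter": "Jan 01 00:00:00 2099 GMT",
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("self-signed", SELF_SIGNED_CERT), ("ca-issued", CA_ISSUED_CERT)):
        print(label, assess_cert(cert) or ["ok"])
```

Note that `getpeercert()` returns an empty dict when the chain was not validated, so this check is meant to run over certificates you already obtained through a verified connection or exported from the device, rather than as a blind probe.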

Re: Certificate - "securelogin.arubanetworks.com"

Jon - Will it also be removed from Instant and MAS around the same time?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Certificate - "securelogin.arubanetworks.com"

Totally agree with your advice. During deployments we will always try to persuade the customer to buy two SSL certificates. One certificate for the controllers, the other one for the ClearPass machines.

Extraction of the SSL certificate from the Aruba Instant image is also possible. Contact me if you require any details.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl

Re: Certificate - "securelogin.arubanetworks.com"


cappalli wrote:

Jon - Will it also be removed from Instant and MAS around the same time?


That would be the goal, yes.

---
Jon Green, ACMX, CISSP
Security Guy

Re: Certificate - "securelogin.arubanetworks.com"

Took a bit longer than I expected, but this is what I was expecting to be published back in June or July:

http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html?m=1
---
Jon Green, ACMX, CISSP
Security Guy

Re: Certificate - "securelogin.arubanetworks.com"

Thanks Jon.

Any idea when this will be removed from AOS, Instant and MAS?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]

Re: Certificate - "securelogin.arubanetworks.com"

Thanks for the heads-up. Also thanks for re-thinking the certificate.

Certs can be confusing, but they're not all that hard once you have to learn how they work and interrelate. Dropping the pre-signed cert for a self-signed one is a great step.
Any thoughts on letting iAP and Controllers get certs from Airwave or Clearpass?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Certificate - "securelogin.arubanetworks.com"

IAPs can be pushed from Airwave. I had the same question:
http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-certificate-s-per-VC-or-pushed-from-Airwave/m-p/238690#M10583
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]

Re: Certificate - "securelogin.arubanetworks.com"

You're right Pasquale. Thanks for the link.
I was meaning more like a cert-request/CA relationship - I would feel better if each cluster had a unique certificate for the management page, I can see a universal certificate for the captive-portal though.
--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Certificate - "securelogin.arubanetworks.com"

Bumping up this thread again, because the same group of researchers has recently re-published and expanded their work.
ArubaOS 8.0, by the way, generates a self-signed certificate for administrative access.  Each controller will thus use a unique self-signed certificate.  Those who want to keep using that can feel free to individually trust each of those self-signed certs.  Those who like using PKI should be installing their own certificates.

---
Jon Green, ACMX, CISSP
Security Guy
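The post above says that with per-controller self-signed certificates an administrator can "individually trust each of those self-signed certs". As an added example (not from the thread or from Aruba), the code below shows one way to do that operationally: record the SHA-256 fingerprint of each controller's DER-encoded certificate on first contact and alert when a later connection presents a different one. `fetch_der_cert` is an assumed helper that retrieves the raw certificate with verification disabled purely so the fingerprint can be taken; the store file name and the sample DER byte strings are constructed for the example and are not real certificates.

```python
import hashlib
import json
import os
import socket
import ssl

# Assumed location of the pin store; a real deployment would keep this somewhere access-controlled.
PIN_STORE_PATH = "controller-pins.json"


def fetch_der_cert(host, port=443, timeout=5):
    """Return the peer's DER-encoded certificate bytes.

    Verification is turned off only because a self-signed certificate cannot chain
    to any CA; the bytes are then compared against the pin, which is the actual check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # binary_form=True returns the DER bytes even when the chain was not validated.
            return tls.getpeercert(binary_form=True)


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the same value most TLS tools display."""
    return hashlib.sha256(der_bytes).hexdigest()


def load_store(path=PIN_STORE_PATH):
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_store(store, path=PIN_STORE_PATH):
    with open(path, "w") as fh:
        json.dump(store, fh, indent=2, sort_keys=True)


def check_pin(store, host, der_bytes):
    """Trust-on-first-use check for one host.

    Returns 'new' when the host is pinned for the first time (and records it),
    'match' when the presented certificate equals the pin, and 'mismatch' when it
    does not; a mismatch is the event worth investigating, since it means either a
    legitimate certificate regeneration or someone else answering for the controller."""
    fp = fingerprint(der_bytes)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "mismatch"


# Constructed sample "certificates": arbitrary bytes standing in for two controllers' DER output.
SAMPLE_DER_CONTROLLER_1 = b"constructed-der-for-controller-1"
SAMPLE_DER_CONTROLLER_1_REGENERATED = b"constructed-der-for-controller-1-after-regeneration"


def demo():
    """Walk the three outcomes on an in-memory store and return them in order."""
    store = {}
    results = [
        check_pin(store, "controller-1.example.test", SAMPLE_DER_CONTROLLER_1),
        check_pin(store, "controller-1.example.test", SAMPLE_DER_CONTROLLER_1),
        check_pin(store, "controller-1.example.test", SAMPLE_DER_CONTROLLER_1_REGENERATED),
    ]
    return results


if __name__ == "__main__":
    print(demo())  # expected: ['new', 'match', 'mismatch']
```

The pin store is the trust decision, so it should be populated out-of-band (for example from the controller console) or at least reviewed after first use; a "mismatch" should block the connection until someone confirms the certificate was regenerated on purpose.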