[ngw] Firefox 92

David Krotil David.Krotil at hilo.cz
Thu Sep 16 15:51:37 UTC 2021


Marvin, did you read anything from this channel? I wrote that yesterday.


------------------------------------------------------------------
The content of this e-mail and any attached files are confidential and
may be legally privileged. It is intended solely for the addressee.
Access to this e-mail by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted to be taken in reliance on it, is prohibited and may be
unlawful. In this case be so kind and delete this e-mail and inform us
about it.

>>> "Marvin Huffaker" <mhuffaker at redjuju.com> 16.09.2021 16:24 >>>
Craig your GroupWise Web is using your internal self signed certificate
not your cert from Sectigo.
>>> "Craig Meads" <craigm at cwise.co.nz> 9/15/2021 2:47 PM >>>
Hi Marvin

https://us-east-2.protection.sophos.com?d=gwweb.cwise.co.nz:446&u=aHR0cHM6Ly9nd3dlYi5jd2lzZS5jby5uejo0NDY=&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=eFRmWlJpU0wxV1k5djhQTHE1NXMzaTZqV2J4NWNtMG9MV1ZGN2dzcDFXST0=&h=76f04d0e1ccd4081aa551c7cf6770bab

I only have those other ports open while I am playing with these things.

Cheers

Craig

Sent from my Galaxy

-------- Original message --------
From: Marvin Huffaker <mhuffaker at redjuju.com>
Date: 16/09/21  3:02 am  (GMT+12:00)
To: ngw at ngwlist.com
Subject: Re: [ngw] Firefox 92

>>> "Marvin Huffaker" <mhuffaker at redjuju.com> 09/16/2021 02:54 >>>
Craig what's the link (And port) to your GWWEB server?  None of the
links you provided seem to work.   I was able to derive a URL that
worked for GMS, and that looked like the cert was correct from what I
could see, but even Chrome threw out a Certificate warning, so
something is amiss..

A couple observations..

- If you used a standard port 443 for gwweb, you could use a tool like
the SSL Labs to run a diagnostics.  They aren't able to test on non
standard ports.  SSL Labs with the current URL will fail because what
resolves on port 443 is your Self Signed cert for OES, not the one for
GWWEB.
- I see that OES welcome page, GroupWise admin port 9710, and GMS Admin
port 8120 are all accessible from the public facing Internet.  I would
typically not allow those services to be exposed, especially the admin
ones as it is usually unnecessary and creates additional risk and
exposure.

Marvin
>>> "Craig Meads" <craigm at cwise.co.nz> 9/14/2021 11:26 PM >>>
It should be now - I had taken it down to check something
>>> "David Krotil" <David.Krotil at hilo.cz> 15/09/2021 15:25 >>>
Forget the GWWEB part, I tried plain https, which is your OES server

Tried now
https://us-east-2.protection.sophos.com?d=gwweb.cwise.co.nz:446&u=aHR0cHM6Ly9nd3dlYi5jd2lzZS5jby5uejo0NDYv&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=WDVLLzdtaWw3SXJtUGJQSnI2eXJqYzJ6bGdzRmtpYzRrQ0RQSG1mM2h3VT0=&h=32c79e9b845b45f88944fac91dcf307c


and it isn't accessible.



D.



>>> "David Krotil" <David.Krotil at hilo.cz> 15.09.2021 5:21 >>>
Yeah, sorry. I overlooked the URL, I was thinking, that everything is
GMS. 

Firefox is rude to self-signed certs, you can try Edge to access
GroupWise Admin Console.

For GWWEB, there is eDirectory cert, this will not work, you need cert
from trusted CA.

David



>>> "Craig Meads" <craigm at cwise.co.nz> 15.09.2021 4:57 >>>
Hi David

Thanks for looking. I'm sorry, I don't really understand what you are
saying though. Groupwise Mobility is working fine. It is the GW Web
(Docker) that has the certificate issue.

Plus now with the new Firefox, I cannot, nor can my clients, access
their Groupwise Admin console anymore, except via a Linux Chrome or
Firefox which hasn't updated to V91 or 92 yet.

Cheers

Craig
>>> "David Krotil" <David.Krotil at hilo.cz> 15/09/2021 13:43 >>>
Hi Craig,
I looked on your GMS Admin Console and your CA is GroupWise there, not
Sectigo. Sync interface has proper certificate in place. 

mobility.pem and server.pem should be same files ( certificates ),
server.pem is fine, mobility.pem should be replaced with server.pem

Review steps with
https://us-east-2.protection.sophos.com?d=microfocus.com&u=aHR0cHM6Ly9zdXBwb3J0Lm1pY3JvZm9jdXMuY29tL2tiL2RvYy5waHA_aWQ9NzAwNjkwNA==&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=cmNOR2R6QklXNHFvQlNteEEzWnUycW5URW42ODliVG4vVEdXTEdkV3JHRT0=&h=32c79e9b845b45f88944fac91dcf307c









David



>>> "Craig Meads" <craigm at cwise.co.nz> 15.09.2021 2:12 >>>
Hi Marvin

To the best of my recollection, I used DSAPP to create the
certificates and concatenated the Intermediates as well, from Sectigo.

The Server is called mobility.cwise. The certificate is gwweb_cwise_co_nz

I set up a DNS record of gwweb.cwise.co.nz to find the server
(203.109.245.77) 

For example on GMS I have users going to
https://us-east-2.protection.sophos.com?d=gwweb.cwise.co.nz:447&u=aHR0cHM6Ly9nd3dlYi5jd2lzZS5jby5uejo0NDc=&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=YVhUTkR2azRJemxablZ0MDN3ck9mUVlkNUxmb2kwd0JWc2dEUmxSUzNXbz0=&h=32c79e9b845b45f88944fac91dcf307c








and it works fine. (I use 447 because 443 is still being used on the
OES Server for Webaccess)

In Docker, I use port 446 for 443.

GW Web works fine, except for the certificate errors. I copied and
renamed the gwweb certificate and key to server.crt and key and
referenced it in the Docker command line. But still no joy.

For the moment the GW Web still works (you can Accept and Continue),
but the GW Admin fails and cannot be accessed.

You can see what I mean if you try and access it with
https://us-east-2.protection.sophos.com?d=gwweb.cwise.co.nz:9710&u=aHR0cHM6Ly9nd3dlYi5jd2lzZS5jby5uejo5NzEwL2d3YWRtaW4tY29uc29sZQ==&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=L0hOZzEwbkVPRU1sa05yUDlZdzRFcHlaN09vZnFvOFg1eDd6RkM3T3d6ST0=&h=32c79e9b845b45f88944fac91dcf307c







Cheers

Craig


>>> "Marvin Huffaker" <mhuffaker at redjuju.com> 15/09/2021 09:09 >>>
Craig, I don't use Firefox so I don't know about that issue. But for
GWWEB...

For the GroupWise Web issue you may need to ensure your intermediate
certificate is included in the chain. Docker seems to really dumb
things down and that's one thing I hate, I feel like I've lost control
of things. But at the same time, there's only a few ways to

The thing is, each device determines how strictly it enforces things.

So while your current config may work on some things it won't on other
devices that enforce stricter requirements.

What is the URL to your gwweb? I could look at it and give a better
diagnosis.

Incomplete Certificate Chain
Your certificate chain will most likely be incomplete because there is
no directive in the command line to load an Intermediate or Chain
certificate. To overcome this obstacle, you concatenate the certificate
file and the intermediate certificate file into the same server.crt
certificate. The following command will accomplish this task:

    cat My_CA_Bundle.ca-bundle >> /opt/novell/gw/certs/server.crt

Note: Substitute the actual intermediate or chain certificate from your
commercial certificate provider in place of the bundle file listed in
the syntax.
>>> "Craig Meads" <craigm at cwise.co.nz> 9/14/2021 12:55 AM >>>
Hi there

I see my Firefox has updated itself on Windows 10 to version 92.

Now if I want to access GW-Admin 
(https://192.168.10.1:9710/gwadmin-console) I get the lovely screen as
below:


Secure Connection Failed

An error occurred during a connection to 192.168.10.1:9710. SSL peer
had some unspecified issue with the certificate it received.

Error code: SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT

	The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
	Please contact the website owners to inform them of this
problem.

Learn more…

You can no longer choose to press ahead and ignore this anymore.

Does anyone know how to get around this, as it is only a matter of time
before Firefox on SLES and Chrome on Windows also do this?

I also have not been able to get GW Web to operate successfully using a
commercial certificate yet. Mobility on IOS 13 and above works good, but
putting the certificate and key in a separate folder and renaming to
server.crt and server.key, and referencing them in the Docker command,
just seems to be ignored by Chrome on my test Android device.

Cheers

Craig


_______________________________________________
ngw mailing list
ngw at ngwlist.com 
https://us-east-2.protection.sophos.com?d=ngwlist.com&u=aHR0cDovL25nd2xpc3QuY29tL21haWxtYW4vbGlzdGluZm8vbmd3&i=NjA0NDc1YzlkYWExY2IwZjUzNjc4NWM3&t=SGE3Y3VSaFRtVWFnMVkzc1pDY1hVREhQa3c3U21WWlQwc3BtL1NlNStiYz0=&h=32c79e9b845b45f88944fac91dcf307c















More information about the ngw mailing list
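
Added example, not part of the original thread and not Micro Focus code: a bash check that a server.crt bundle really carries its intermediate, which is the "Incomplete Certificate Chain" point quoted above. It builds a throwaway constructed PKI with the openssl CLI (hostname gwweb.example.test, the CA names and all function names are assumptions), then verifies the bundle before and after the concatenation step, trusting only the root as a strict client would.

```shell
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every name is hypothetical.
HOST=gwweb.example.test

new_cert() {  # $1=dir $2=name $3=subject CN $4=extension file $5...=signing options
  local d=$1 n=$2 cn=$3 ext=$4; shift 4
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$n.csr" -days 2 -extfile "$ext" "$@" \
    -out "$d/$n.crt" 2>/dev/null
}

make_demo_pki() {  # $1 = working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$d/leaf.ext"
  new_cert "$d" root "Demo Root CA" "$d/ca.ext" -signkey "$d/root.key" &&
  new_cert "$d" int "Demo Intermediate CA" "$d/ca.ext" \
    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial &&
  new_cert "$d" leaf "$HOST" "$d/leaf.ext" \
    -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial
}

# Number of certificates in a PEM bundle such as server.crt.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Strict-client check: trust only the root; intermediates may come only from
# the bundle itself, and its first certificate must be valid for the hostname.
chain_ok() {  # $1=trusted root  $2=server.crt  $3=hostname
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$3" "$2" \
    >/dev/null 2>&1
}

describe() {  # prints e.g. "2 cert(s): chain complete"
  local state=incomplete
  chain_ok "$@" && state=complete
  echo "$(count_certs "$2") cert(s): chain $state"
}

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
cp "$d/leaf.crt" "$d/server.crt"        # leaf only, no intermediate
describe "$d/root.crt" "$d/server.crt" "$HOST"
cat "$d/int.crt" >> "$d/server.crt"     # the concatenation step from the thread
describe "$d/root.crt" "$d/server.crt" "$HOST"
```

Because the check works on a file, it also covers services on non-standard ports: save the certificates printed by openssl s_client -connect host:port -servername host -showcerts and run chain_ok against that file with the public root your CA chains to.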