Barracuda SSL VPN Agent certificate expired upon launch - fixed in 2.6.2.7 EA


#1 drdowns
  • Members
  • 1 posts

Posted 12 November 2016 - 08:30 AM

Seems SSL VPN users are being abandoned based on this post https://community.ba...intenance-mode/

That is unfortunate because I am sure the alternatives are not similarly priced.

As of today 11/12/2016, the code signing certificate in the VPN Agent has expired and Barracuda has not released any update (running Firmware 2.6.2.5 (2016-07-29)).

This is the second time I have been negatively impacted using "ssl-explorer" (the open source that was closed to become Barracuda SSL VPN).

It is a shame to see this and to have to learn about it via community post only found because of the expired certificate issue.

Can this be patched ASAP? Are security updates going to be maintained? For how long?

Thank you,

David



#2 Gavin Chappell

  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 12 November 2016 - 01:28 PM

Hi David, there is currently no end date set for the security updates, but since the SSL VPN is currently still on sale with a 5-year subscription, I think it is fair to assume that it would be at least 5 years - we have no intention of leaving any customer unsupported, I just wanted a statement that we could refer customers to in order to keep their expectations reasonable. If the appliance is working well for you right now, then it will continue to work as it does today; however, if the SSL VPN appliance does not work well for you during a demo, then you should probably look into the NG Firewall rather than buy an SSL VPN with the expectation of your issues being fixed. However, current customers are not being abandoned.

I've raised this in our bug tracker with a high priority. Since the agent was also timestamped when it was signed and released, this should have meant that the agent was still valid past its expiration date as long as the binaries were unmodified; however, this has clearly not worked as we intended.



#3 Matthew Kent
  • Members
  • 1 posts

Posted 13 November 2016 - 09:00 AM

Please can you post an updated firmware as a matter of urgency please with a code signing certificate that is valid, as all my users have been complaining all weekend that they haven't been able to log on.

The current certificate has a validity period of [From: Tue Aug 13 01:00:00 BST 2013, To: Fri Nov 11 23:59:59 GMT 2016]

Many thanks.



#4 Gavin Chappell

  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 13 November 2016 - 10:11 AM

Hi Matthew, I've been working on an "emergency hotfix" for this today. Please be aware that it has only had basic testing by me at this point, but since the change only affects the packaging of the agent and not the agent code itself, this should be very minimal risk.

Anyone affected by this issue should make sure that their firmware is either 2.6.2.1, 2.6.2.3, or 2.6.2.5 and then contact our Support team. I've sent them instructions on how to apply the fix so they should be able to get you up and running again quickly.



#5 Kevin Beaumont
  • Members
  • 7 posts

Posted 15 November 2016 - 05:13 AM

Cheers Gavin. Put in a ticket, #02337547.

I'll open the remote support tunnel too.

We're customers back from the SSL-Explorer days too, hopefully Barracuda SSL VPN keeps getting developed as there's still nothing quite like it for secure Microsoft Remote Desktop, VNC etc. Just wish it had an HTML5 RDP client.



#6 Gavin Chappell

  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 17 November 2016 - 01:38 PM

The 2.6.2.7 firmware just started its slow rollout, which has the fix for this issue.



#7 ICT OLEUVEN
  • Members
  • 3 posts

Posted 22 November 2016 - 11:49 AM

Hi All!

Since the JAVA Version 8 Update 111 update, our sslvpn gives an error on launching an RDP app.

The error message Java throws is: "the certificate used to identify this application has been expired" - Running this application might be a security risk

A workaround is: adding the ssl vpn url into Java's trusted locations in Java Configuration, but I find this not to be a solution. When will our applications start behaving normally?

Output by Java launcher:

Certificate details:

CN="Barracuda Networks, Inc.",
 OU=Digital ID Class 3 - Microsoft Software Validation v2,
 O="Barracuda Networks, Inc.",
 L=Campbell,
 ST=California,
 C=US

Validity:

[From: Tue Aug 13 02:00:00 CEST 2013,
 To: Sat Nov 12 00:59:59 CET 2016]
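
An added example, not part of any post in this thread and not Barracuda's or Oracle's code: it normalises the validity windows quoted in posts #3 and #7 to UTC and applies the rule described in post #2, under which a trusted timestamp lets a signature remain valid after the signing certificate expires. The function names are this example's own, and the `now` and `signed` values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# UTC offsets (hours) for the zone abbreviations seen in the thread's Java output.
TZ_OFFSETS = {"GMT": 0, "BST": 1, "CET": 1, "CEST": 2}
VALIDITY_RE = re.compile(r"From:\s*(.+?),\s*To:\s*(.+?)\]", re.S)

# Validity lines as quoted in posts #3 and #7 of this thread.
POST_3 = "[From: Tue Aug 13 01:00:00 BST 2013, To: Fri Nov 11 23:59:59 GMT 2016]"
POST_7 = "[From: Tue Aug 13 02:00:00 CEST 2013,\n To: Sat Nov 12 00:59:59 CET 2016]"


def parse_java_date(text):
    """Parse java.util.Date.toString() output into an aware UTC datetime."""
    _dow, mon, day, clock, zone, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return local.astimezone(timezone.utc)


def parse_validity(launcher_text):
    """Return (not_before, not_after) from a '[From: ..., To: ...]' block."""
    match = VALIDITY_RE.search(launcher_text)
    if match is None:
        raise ValueError("no validity window found")
    return parse_java_date(match.group(1)), parse_java_date(match.group(2))


def signature_status(not_before, not_after, now, signed_at=None):
    """Classify a code signature at time 'now'.

    signed_at is the time asserted by a trusted timestamp authority, or None
    when the signature carries no timestamp the verifier accepts.
    """
    if signed_at is not None:
        # Timestamped: the certificate only has to be valid at signing time.
        inside = not_before <= signed_at <= not_after
        return "valid (timestamped)" if inside else "invalid (bad timestamp)"
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else "valid"


if __name__ == "__main__":
    window = parse_validity(POST_7)
    now = datetime(2016, 11, 12, 12, 0, tzinfo=timezone.utc)    # constructed
    signed = datetime(2016, 7, 29, 12, 0, tzinfo=timezone.utc)  # constructed
    print(parse_validity(POST_3) == window)
    print(signature_status(*window, now))
    print(signature_status(*window, now, signed_at=signed))
```

Both posts describe the same certificate window once the local zones are removed, which is why every affected site failed at the same instant.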

 



#8 Gavin Chappell

  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 22 November 2016 - 11:52 AM

Please upgrade to 2.6.2.7



#9 Gavin Chappell

  • Moderators
  • 434 posts
  • Location: Nottingham, UK

Posted 23 November 2016 - 12:22 PM

Hi all,

SSLVPN 2.6.2.7 is now available as EA to 100% of our customers.

  • Improved ActiveSync stability under load [BNVS-6005]
  • Updated Signing Certificate for agent [BNVS-6084]
  • High severity vulnerability: persistent XSS, authenticated [BNSEC-6188 / BNVS-6046]
  • High severity vulnerability: Upgraded OpenSSL libraries to the latest versions [BNVS-6063] [BNVS-6069]
  • High severity vulnerability: NGINX configuration [BNSEC-6959 / BNVS-6070]



#10 Steve Begley
  • Members
  • 15 posts

Posted 06 December 2016 - 04:59 PM

It appears that the same issue is encountered in the SSL VPN module of 6.2.2 firmware of NG Firewall F Series as well, as I was researching this issue for a client in the F-Series board and decided to look here to see if it was a common problem.

Is there a fix for the SSL VPN of the F-Series?

My original post in F-Series:

It appears that with the latest update to Java, anyone using a self-signed certificate for SSL VPN on a F-Series firewall is getting a prompt in Java that it is a security issue. It further appears that by default Java is setting itself to "Very High" in "Security" by default.

I have experimented with the settings in Java, and by lowering it to "High" I can connect to the SSL VPN portal. However, the client is dealing with a large distributed base of home users that makes doing this a large undertaking.

Is there a work-around that does not include changing the settings or purchasing a trusted certificate? Have others experienced this, and if so how did you overcome it?

I am dual posting this in F Series and also SSL VPN section of the support board.

Thanks,

Steve