
Getting ERR_SSL_KEY_USAGE_INCOMPATIBLE error when trying to access Infoblox Management Console

New Member

Getting ERR_SSL_KEY_USAGE_INCOMPATIBLE error when trying to access Infoblox Management Console.

 

Same behaviour when trying to access from Chrome and Edge after updating to v121.

 

Can connect using older versions of the browser.

 

Infobloxerror.jpg

Re: Getting ERR_SSL_KEY_USAGE_INCOMPATIBLE error when trying to access Infoblox Management Console

Moderator

You can enable or disable ciphers and protocols to suit your needs. This is done at the CLI on the active grid master. SSL and SSH both use the same settings at the same time. I strongly recommend using the console port (or VMware virtual console) to make changes, in case you accidentally lock yourself out of the SSH or web console by disabling too much. This is detailed in the Infoblox CLI Guide.

You will need to understand what ciphers and protocols your browser and the rest of your environment will need. This changes over time; settings considered safe several years ago are not considered safe today.

By default we use all-default settings (kinda makes sense), so the first step is to use override settings. Run the command “set ssl_tls_settings override”.

Now you can display the list of enabled and disabled ciphers with the “show ssl_tls_ciphers” command. After enabling or disabling a cipher, the order will change, so always display it again before enabling or disabling something.

192.168.1.2> show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
4. TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled
5. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 enabled
6. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
8. TLS_RSA_WITH_AES_128_CBC_SHA enabled
9. TLS_RSA_WITH_AES_128_CBC_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
11. TLS_RSA_WITH_AES_256_GCM_SHA384 enabled
12. TLS_RSA_WITH_AES_256_CBC_SHA enabled
13. TLS_RSA_WITH_AES_256_CBC_SHA256 enabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA disabled
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA disabled
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA disabled
TLS_RSA_WITH_RC4_128_SHA disabled
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 disabled
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 disabled
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 disabled
192.168.1.2>


Then do, for example, “set ssl_tls_ciphers disable 6” to disable that line.

To enable one, do

set ssl_tls_ciphers enable TLS_RSA_WITH_AES_128_CBC_SHA


And do “show ssl_tls_ciphers” again to get the updated list.

 

You can also adjust the SSL/TLS protocols, using the "show ssl_tls_protocols" and "set ssl_tls_protocols" commands, in a similar way.

 

192.168.1.2> show ssl_tls_protocols
Current configuration for the HTTPS : TLSv1.1 TLSv1.2
Current configuration for the SAML : TLSv1.2

If you want TLSv1.2 instead of TLSv1.1, you would do:

 

192.168.1.2> show ssl_tls_protocols
Current configuration for the HTTPS : TLSv1.1
Current configuration for the SAML  : TLSv1.1


192.168.1.2> set ssl_tls_protocols enable tlsv1.2
TLSv1.2 was enabled.
Current configuration for the HTTPS : TLSv1.1 TLSv1.2
Current configuration for the SAML  : TLSv1.2
The following services need to be restarted manually: GUI


192.168.1.2> set ssl_tls_protocols disable tlsv1.1
TLSv1.1 was disabled.
Current configuration for the HTTPS : TLSv1.2
Current configuration for the SAML  : TLSv1.2
The following services need to be restarted manually: GUI
192.168.1.2>


After you’re done, log into the GUI and manually restart the GUI. Go to Grid / Grid Manager and select the grid master (or cloud member). From the far-right menu, select Control, and then Restart GUI.
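The browser error in the question is raised when the server certificate's X.509 keyUsage extension does not permit the key operation the negotiated cipher suite needs: static RSA key exchange (TLS_RSA_WITH_*) requires keyEncipherment, while (EC)DHE_RSA suites only sign ephemeral parameters and require digitalSignature. As an added example (not from the thread or from Infoblox), this Python script parses the "show ssl_tls_ciphers" output quoted above and, for an assumed certificate keyUsage set, lists the enabled suites a browser applying that rule would refuse, so you know which lines to disable before the certificate can be reissued.

```python
import re

# Constructed sample: a trimmed copy of the "show ssl_tls_ciphers" output from the reply above.
SHOW_CIPHERS_OUTPUT = """\
192.168.1.2> show ssl_tls_ciphers
1. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 enabled
2. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 enabled
3. TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled
7. TLS_RSA_WITH_AES_128_GCM_SHA256 enabled
10. TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled
TLS_RSA_WITH_RC4_128_SHA disabled
192.168.1.2>"""

# Enabled suites carry a numeric index ("7. SUITE enabled"); disabled ones do not.
LINE_RE = re.compile(r"^(?:(\d+)\.\s+)?(TLS_\w+)\s+(enabled|disabled)$")


def parse_show_ciphers(output):
    """Return [(index_or_None, suite_name, is_enabled), ...] from the CLI output."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idx = int(m.group(1)) if m.group(1) else None
            rows.append((idx, m.group(2), m.group(3) == "enabled"))
    return rows


def required_key_usage(suite):
    """keyUsage bit an RSA server certificate must carry for this suite.
    TLS_RSA_WITH_* encrypts the premaster secret to the RSA key -> keyEncipherment.
    (EC)DHE_RSA suites only sign the ephemeral key share -> digitalSignature.
    DSS and other suites are not relevant to an RSA certificate -> None."""
    if suite.startswith("TLS_RSA_WITH_"):
        return "keyEncipherment"
    if suite.startswith(("TLS_DHE_RSA_WITH_", "TLS_ECDHE_RSA_WITH_")):
        return "digitalSignature"
    return None


def incompatible_enabled_suites(output, cert_key_usage):
    """Enabled suites the browser rejects for a cert with this keyUsage set.
    cert_key_usage=None models a certificate without a keyUsage extension,
    in which case there is nothing to enforce and no suite is flagged."""
    if cert_key_usage is None:
        return []
    bad = []
    for idx, suite, enabled in parse_show_ciphers(output):
        need = required_key_usage(suite)
        if enabled and need and need not in cert_key_usage:
            bad.append((idx, suite, need))
    return bad


if __name__ == "__main__":
    # Assumed certificate: keyUsage = digitalSignature only (constructed for the example).
    for idx, suite, need in incompatible_enabled_suites(SHOW_CIPHERS_OUTPUT, {"digitalSignature"}):
        print(f"set ssl_tls_ciphers disable {idx}   # {suite} needs {need}")
```

Because the list is renumbered after every change, disable one index at a time and re-run "show ssl_tls_ciphers" before the next, as the reply says.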
