I have Snap and upgrade our FTP server yesterday from 15.3.0 to 15.3.1
now https is no more working.
ftp01.tsiss.com uses an unsupported protocol.
I can't lie... I am a bit apprehensive to install this until I see the forum is ok with patching. The last patch 4 months ago broke our environment. The Hotfix DID fix it but it was a major issue and had to work over the weekend to get it back up and running.
Is anyone else reporting issue from installing upgrade 15.3.1? Thank you in advance.
Is this reported to support yet?
I saw this but only in for one certificate, everything else was fine. We ended up reissuing the certificate from a different provider and it was fine. Not sure what would cause that but maybe 15.3.1 doesnt support some specific certs?
@ivodlouhy do you know if a change to OpenSSL in 15.3.1 may be the reason for this error with specific certs?
That is normally an issue between the server and client where they do not have matching ciphers / SSL or TLS verisons. You may need to enable older or newer SSL/TLS versions in your browser. If the site is public facing the you could use https://www.ssllabs.com/ssltest/ to check the SSL/TLS versions supported and what ciphers are in use.
Thanks @tjones2019, yes I did that exact check and SSL Labs simply said it could not connect. Think by default TLS1.1 is no longer supported in 15.3.1 so I wonder if certain certificates if they are old dont have capability to work with TLS1.2 or 1.3, seems odd but thats the only explanation I could think of?
Odd, not seen certificates tied to TLS versions. I wonder if duing the upgrade it lost the private key to the certificate? Not used the Serv-U software so just guessing. When you got it re-issued did you generate a new CSR from the server and send this to the supplier?
It was from a new CSR, so maybe it's the old private key format that was not supported?
Has anyone reported this to support? I really do not want to go through what we did with the last upgrade with our Serv-U instance being behind a load balancer..
Could someone from support comment on this? Is anyone else experiencing issues after installing the hotfix?
Thank you all in advance,
I doubt Support are here much, what this with HotFix? We are talking about full release 5.3.1 here not 5.3.0 plus HF1.
Full new release or not, I am not installing this until I know for certain it will not break our current environment (Serv-U 15.3.0.1375)
Same. I'm also waiting for some additional feedback from the forum before we install. I already entered a ticket for clarity on "Removal of DSA 2048 and 4096 SSH private keys" just to ensure that won't impact any partners using DSA keys connecting to us. I'm pretty sure it won't but better safe than sorry.
When I remove the certs.. of course it's unsecured but it's working as soon I put back the cert key it goes down ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Got it working !
our .pem had info not needed. clean it and it's working
When you say clean it do you mean it had sections which are not required so just removed with a Text Editor? If so which section(s)?
So i have update on the weekend and got the same issue, did someone know the real workarround?
If you need to get back up and running, recreate your CSR and private key for the SSL certificate and it should resolve it. I've only seen it once and it appears to be to do with this, an old cert or key format and creating a new one resolved it. I would recommend you raise it with Solarwinds Support though as they may be able to tell you exactly what the issue is?
Just to clarify, you'll need to get the cert re-signed or issue a self-signed one once you create a new CSR and key, as the old cert wont match.
I would recommend to check whether the certificate size is bigger then 4kB. There is known issue with higher sizes. If this is your root cause, there is BuddyDrop you could receive through support.
Otherwise, reach to SWI support and provide appropriate info for investigation, if possible.
Upgrade of OpenSSL touched security settings of most parts of Serv-U.
There is high chance, that old certificate - especially signed with low encryption methods may not be accepted anymore.
Your way to get a new and secure certificate is one of the best options you could do.
Has ANYONE just installed it and it worked correctly? I am still not comfortable just "hoping for the best" if I attempt to install this version. I have yet to hear anything from the support team about this (unless I have missed something somewhere) and I want to make sure that they are aware of all the issues posted above.
Support has been really good in the past so I just want to make sure they were aware.
I really appreciate all the input under the forum post.
Thank you
I can confirm it is known 15.3.1 issue - certificates and private keys that are bigger than 4096 bytes are not accepted. There is BD support can provide based on request. Fix will be in code of next release. We also recommend to check current TLS setting in Serv-U management Console if Serv-U 15.3.1 installed.
Thank you.
Is there a certain setting within the TLS settings in Serv-U management we should be checking? What should this be set at according to support?
Thank you for your support. I just want to be aware BEFORE I make any attempt to install this release. I may just wait on the next release just to be on the same side.
Much appreciated.
