SSL concerns

Hi everyone,

I have some questions and concerns regarding the Peplink Balance product. I love the device and have deployed over 40 of these myself.

  1. Is there a way to install a public SSL certificate to replace the one used for management over HTTPS?

  2. While doing a vulnerability assessment against Peplink Balance firmware 5.4.9, we came across a vulnerability where port tcp/32015, which is used for SpeedFusion, is presenting a self-signed certificate that is different from the one presented over HTTPS management. The certificate presented over tcp/32015 has CN=Peplink OU=Peplink, O=Peplink, L=Hong_Kong, ST=Hong_Kong, C=HK. Is there a way to replace this certificate with a publicly signed one?

  3. The SSL server on port tcp/32015 used for SpeedFusion also supports DES(56) as a supported cipher. Can this be disabled in a future release?

Thank you

Hi, 1) is already supported in Firmware 6.1 which is going public next week.

We will come back with comments for the rest in the next few days. Thanks.

Hello,

Both the VPN and Web management certificates are configurable in version 6.1. Item #3 is scheduled to be disabled in the next release.

Thanks,
-Jonan
-Peplink