Issue
Microsoft has released a critical update, as of August 14, 2012, that ends support for certificates that use the RSA algorithm with key lengths of less than 1024 bits. Shorter keys have been deemed more vulnerable to brute force attacks due to continued advances in computer processing capabilities. After Microsoft's update is applied, all certificates with key lengths less than 1024 bits are treated as invalid. This update does not apply to Windows 8, 8.1 or Windows Server 2012 because these operating systems already include the functionality to block the use of weak RSA keys that are less than 1024 bits long.
Users will likely see a security certificate warning and then either be unable to choose "Continue to this website anyway" or be sent to a "Page cannot be displayed" error.
Update: In October 2014, Mozilla Firefox v33 began blocking keys less than 1024 bits in length as well. The security-related release notes for Firefox v33 cover this in the section "RSA certificates using weak signatures less than 1024-bit are no longer accepted." Users will see an error such as "The key does not support the requested operation. (Error code: sec_error_invalid_key)."
Product Lines
The following Network Management Card devices and product lines are affected.
| Product | NMC AOS Version |
| --- | --- |
| AP9617 | All Versions (1.X, 2.X, 3.X) |
| AP9618 | All Versions (1.X, 2.X, 3.X) |
| AP9619 | All Versions (1.X, 2.X, 3.X) |
| Rack PDU (AP78XX, AP79XX) | All Versions (1.X, 2.X, 3.X) |
| Rack ATS (AP77XX) | All Versions (1.X, 2.X, 3.X) |
| Environmental Products (AP9320, AP9340, NetBotz 200) | All Versions (1.X, 2.X, 3.X) |
| S20/S20BLK A/V Power Conditioner with Battery Back Up | All Versions (1.X, 2.X, 3.X) |
| Other NMC1 product groups not listed | All Versions (1.X, 2.X, 3.X) |
Environment
All Network Management Card 1 devices listed above that are currently configured for HTTPS mode and use the default 768-bit auto-generated self-signed SSL certificate.
Cause
All Schneider Electric Network Management Card 1 products are capable of supporting SSL for secure web connections. All products listed above, with any firmware version, auto-generate a self-signed SSL certificate 768 bits in length when HTTPS mode is enabled, unless another user certificate has been pre-loaded.
Please note: Network Management Card 2 products are not affected.
Resolution
Refer to the currently available workaround options listed below:
- Upload a 1024-bit SSL certificate to the affected products. The aforementioned products all allow the user to create and upload their own 1024-bit SSL certificate with the help of the APC Security Wizard tool, available for download on apc.com under part number SFNMCSECWIZ104. A step-by-step guide is available in the Network Management Card 1 Security Handbook.
- Use a different web browser (such as Chrome, Firefox, etc.)
- Update: In October 2014, Mozilla Firefox v33 began blocking keys less than 1024 bits in length, too. The security-related release notes for Firefox v33 cover this in the section "RSA certificates using weak signatures less than 1024-bit are no longer accepted." One possible option is to downgrade Firefox.
- Uninstall the patch
- Do not apply the patch
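
To confirm which cards still present the default 768-bit certificate, and that an uploaded replacement meets the 1024-bit minimum, the RSA key size can be read directly from the certificate's DER encoding. The Python below is an added example, not part of the original article or of any Schneider Electric tooling; all function names are hypothetical, and the sample certificate is a constructed skeleton rather than a real key or device certificate.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):   # elements nested in buf[start:end]
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_modulus_bits(cert_der):
    """Return the RSA modulus size in bits of a DER X.509 certificate, or None if not RSA."""
    _, vs, ve = read_tlv(cert_der, 0)                          # Certificate
    _, ts, te = children(cert_der, vs, ve)[0]                  # tbsCertificate
    fields = children(cert_der, ts, te)
    spki = fields[6] if fields[0][0] == 0xA0 else fields[5]    # [0] version is optional
    alg, key = children(cert_der, spki[1], spki[2])            # AlgorithmIdentifier, BIT STRING
    oid = children(cert_der, alg[1], alg[2])[0]
    if cert_der[oid[1]:oid[2]] != RSA_OID:
        return None
    _, ks, ke = read_tlv(cert_der, key[1] + 1)                 # skip the unused-bits byte
    _, ms, me = children(cert_der, ks, ke)[0]                  # modulus INTEGER
    return int.from_bytes(cert_der[ms:me], "big").bit_length()

def is_weak(cert_der, min_bits=1024):   # 1024 is the minimum named in this article
    bits = rsa_modulus_bits(cert_der)
    return bits is not None and bits < min_bits

def tlv(tag, body):   # DER encoder, used only to build the constructed sample
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_cert(bits):   # constructed skeleton, not a real key or device certificate
    integer = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = tlv(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    empty = tlv(0x30, b"")   # stands in for signature, issuer, validity, subject
    tbs = tlv(0x30, tlv(0xA0, integer(2)) + integer(1) + empty * 4 + spki)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))
```

Pass `is_weak()` the DER bytes of a certificate exported from the card; `ssl.PEM_cert_to_DER_cert()` from the Python standard library converts a PEM export to DER.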