Forum Discussion
wbocash
7 years ago, New Contributor
Clients create Self-signed CA Certificate
Is there a way to stop clients from creating a self-signed CA certificate? Problem is that they are not publicly trusted so we are inundated with security vulnerabilities.
MRicker
3 years ago, New Contributor
Found this command which I believe confirms the cert being used is self signed.
What is port 2002 used for? Is there a way to apply a locally signed cert to this or what are my other options for locking this down?
C:\Users\mricker>openssl s_client -connectComputer IP:2002
CONNECTED(00000164)
Can't use SSL_get_servername
depth=1 C = US, CN = Default CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, CN = Default CA
verify return:1
depth=0 CN =Computer Name
verify return:1
---
Certificate chain
 0 s:CN =Computer Name
   i:C = US, CN = Default CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:50 2022 GMT; NotAfter: May 9 02:39:50 2027 GMT
 1 s:C = US, CN = Default CA
   i:C = US, CN = Default CA
   a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:49 2022 GMT; NotAfter: May 8 02:39:49 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDazCCAtSgAwIBAgIICHzm51qoC88wDQYJKoZIhvcNAQELBQAwIjELMAkGA1UE
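Added example, not part of the original posts and not LogMeIn code: a small Python triage helper that parses the "Certificate chain" section of `openssl s_client` output like the one above and lists what a scanner would flag per certificate. The function names, the sample chain and the 2048-bit RSA threshold are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the "Certificate chain" layout printed by
# `openssl s_client`; the names and dates are made up for this example.
SAMPLE = """\
Certificate chain
 0 s:CN = host.example
   i:C = US, CN = Example Local CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:50 2022 GMT; NotAfter: May  9 02:39:50 2027 GMT
 1 s:C = US, CN = Example Local CA
   i:C = US, CN = Example Local CA
   a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:49 2022 GMT; NotAfter: May  8 02:39:49 2031 GMT
---
"""

ENTRY = re.compile(
    r"^ *(?P<depth>\d+) s:(?P<subject>.*)\n"
    r" +i:(?P<issuer>.*)\n"
    r" +a:PKEY: (?P<alg>\w+), (?P<bits>\d+) \(bit\); sigalg: (?P<sigalg>\S+)\n"
    r" +v:NotBefore: (?P<nb>.*?) GMT; NotAfter: (?P<na>.*?) GMT$",
    re.MULTILINE)

def parse_chain(text):
    """Return one dict per chain entry (hypothetical helper)."""
    certs = []
    for m in ENTRY.finditer(text):
        c = m.groupdict()
        c["depth"], c["bits"] = int(c["depth"]), int(c["bits"])
        for k in ("nb", "na"):  # openssl prints these times in GMT
            c[k] = datetime.strptime(c[k], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        certs.append(c)
    return certs

def triage(certs, now, min_rsa_bits=2048):
    """List (depth, finding) pairs; min_rsa_bits is an assumed policy value."""
    findings = []
    for c in certs:
        # Name comparison only: the signature itself is not verified here.
        if c["subject"].strip() == c["issuer"].strip():
            findings.append((c["depth"], "self-signed"))
        if c["alg"] == "rsaEncryption" and c["bits"] < min_rsa_bits:
            findings.append((c["depth"], f"RSA key {c['bits']} bits"))
        if not c["nb"] <= now <= c["na"]:
            findings.append((c["depth"], "outside validity period"))
    return findings

if __name__ == "__main__":
    for depth, finding in triage(parse_chain(SAMPLE), datetime.now(timezone.utc)):
        print(f"depth {depth}: {finding}")
```

The per-certificate findings can be attached to an exception request so the reviewer sees exactly which chain entry triggered the scanner result.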
GlennD
3 years ago, GoTo Manager
MRicker I'm researching the self certs and use of Port 2002, I should have a more detailed response tomorrow. What I have found out so far is the certificates and Port 2002 are not used externally, we use other SSL certificates for the external connections through Ports 80 and 443.
- MRicker, 3 years ago, New Contributor
GlennD thanks for the update.
Look forward to hearing what you find out. I'm hoping we can just add this as an exception when we know why the port is open and that it isn't an actual vulnerability.
- GlennD, 2 years ago, GoTo Manager
The self-signed certificate in LogMeIn is used in these cases:
- host credentials are encrypted by the host's public key and saved on the clients or in the browser for:
  - autologin
  - One2Many tasks (Central)
  Since they are encrypted with the host's public key (prior to saving them), only the host can decrypt them with its own private key.
- for end-to-end encryption between the native client (Remote Control, File Manager) and the host. The client receives the host's cert in a secure channel, so it can trust it even if it is self-signed.
Port 2002 is used only locally in LogMeIn. The host service accepts connections from the system tray icon applet and provides some information about the state of the service.
- HappyHippo, 2 years ago, Contributor
Thanks for this post. Following a security test I completed, TCP 2002 was returning an unexpected response with TLS 1.2 and a certificate. Having looked into this, I believe this is the reason!