cancel
Showing results for 
Search instead for 
Did you mean: 
wbocash
New Contributor

Clients create Self-signed CA Certificate

Is there a way to stop clients from creating a self-signed CA certificate. Problem is that they are not publically trusted so we are inundated with security vulnerabilties.

1 ACCEPTED SOLUTION

Accepted Solutions
GlennD
GoTo Manager

Re: Clients create Self-signed CA Certificate

The self signed certificate in LogMeIn is used in these cases:
 

  • host credentials are encrypted by the host's public key and saved on the clients or in the browser for:
  • autologin
  • One2Many tasks (Central)

Since encrypted with the hosts public key (prior saving it) only the host can decrypt them with its own private key.
 

  • for end-to-end encryption between the native client (Remote Control, File Manager) and the host. The client receives the host's cert in a secure channel, so it can trust it even it is self signed.

The port 2002 is used only locally in LogMeIn. The host service accepts connection from the system tray icon applet and provides some information about the state of the service

 

Glenn is a member of the GoTo Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!.

Free new user and admin training

View solution in original post

11 REPLIES 11
AshC
Retired GoTo Contributor

Re: Clients create Self-signed CA Certificate

@wbocash  Hi there,

Could you elaborate on what kind of issues the self-signed CA is causing your clients?  What scans and URLs come up vulnerable exactly?


Ash is a member of the LastPass Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!
wbocash
New Contributor

Re: Clients create Self-signed CA Certificate

We use Tenable Nessus for vulnerability scanning, but I'd assume any scanner would detect a self-signed CA certificate as a vulnerability. Here are more details on the vulnerability:

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities. This nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Thanks!

Vince_NCM
New Member

Re: Clients create Self-signed CA Certificate

Following... Nessus is giving us fits with this
Amelie745
New Contributor

Re: Clients create Self-signed CA Certificate

Use the client's private key to generate a cert request. Issue the client certificate using the cert request and the CA cert/key prepaidgiftbalance.

MRicker
New Contributor

Re: Clients create Self-signed CA Certificate

It's been a few years since this was posted but I'm running into the same thing.

Was a solution ever found? My security team is showing that the TLS/SSL certificate is signed by an unknown/untrusted CA for all of our workstations that have the Log Me In client installed.

How would I check what certificate is being used to verify if it is self-signed or just a CA that the scanning application does not recognize?

GlennD
GoTo Manager

Re: Clients create Self-signed CA Certificate

Hi @MRicker, welcome to the community.  

 

I am going to open a support ticket for you and I will private message you a zip file with a registry file that will fully enable the Debug mode of your Central client. Once the file is run, reboot the PC and it will start to generate the required log files (LogMeIn.log) that will be saved in C:\programdata\LogMeIn

 

Glenn is a member of the GoTo Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!.

Free new user and admin training
MRicker
New Contributor

Re: Clients create Self-signed CA Certificate

Found this command which I believe confirms the cert being used is self signed.

What is port 2002 used for? Is there a way to apply a locally signed cert to this or what are my other options for locking this down?

C:\Users\mricker>openssl s_client -connect Computer IP:2002
CONNECTED(00000164)
Can't use SSL_get_servername
depth=1 C = US, CN = Default CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, CN = Default CA
verify return:1
depth=0 CN = Computer Name
verify return:1
---
Certificate chain
 0 s:CN = Computer Name
   i:C = US, CN = Default CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:50 2022 GMT; NotAfter: May  9 02:39:50 2027 GMT
 1 s:C = US, CN = Default CA
   i:C = US, CN = Default CA
   a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 02:39:49 2022 GMT; NotAfter: May  8 02:39:49 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDazCCAtSgAwIBAgIICHzm51qoC88wDQYJKoZIhvcNAQELBQAwIjELMAkGA1UE
GlennD
GoTo Manager

Re: Clients create Self-signed CA Certificate

@MRicker I'm researching the self certs and use of Port 2002, I should have a more detailed response tomorrow. What I have found out so far is the certificates and Port 2002 are not used externally, we use other SSL certificates for the external connections through Ports 80 and 443.

 

Glenn is a member of the GoTo Community Care Team.

Was your question answered? Please mark it as an Accepted Solution.
Was a post helpful or informative? Give it a Kudo!.

Free new user and admin training
MRicker
New Contributor

Re: Clients create Self-signed CA Certificate

@GlennD thanks for the update.

Look forward to hearing what you find out. I'm hoping we can just add this as an exception when we know why the port is open and that it isn't an actual vulnerability.