Wrong SSL certificate

Discussion on setting up QNAP NAS products.

Re: Wrong SSL certificate

Post by eskdale » Tue Jan 08, 2008 2:26 am

If I purchase an SSL certificate (say from "verisign" or a cheaper version from "go-daddy") for my NAS TS-209 is it possible for me to install it or is the certificate built into the firmware?

Thanks

Jon
eskdale
Cadet
 
Posts: 2
Joined: Tue Jan 08, 2008 2:15 am

Re: Wrong SSL certificate

Post by eskdale » Thu Jan 10, 2008 1:56 pm

Hi,

Is there anyone that can help me with this?

Thanks

Jon
eskdale
Cadet
 
Posts: 2
Joined: Tue Jan 08, 2008 2:15 am

Re: Wrong SSL certificate

Post by happyguy » Wed Jan 16, 2008 1:01 am

I'd be interested in this too... we have our own signed certificate & wouldn't mind using ours instead of QNAP's (since QNAP's certificate isn't even signed).
happyguy
Cadet
 
Posts: 71
Joined: Wed Jan 16, 2008 12:18 am
Location: United States

Re: Wrong SSL certificate

Post by QNAPAndy » Sat Jan 19, 2008 9:02 am

Hi Guys,

Yes, if you are going to purchase one and want to find out how to install it on the NAS, here's the howto:

1. Copy the certificate file to the Public share on your NAS via Samba or FTP and rename it to stunnel.pem, then log in to the NAS via SSH.

(for single disk)
Code:
# mkdir -p /share/HDA_DATA/sslcert
# cp /share/Public/stunnel.pem /share/HDA_DATA/sslcert


(for 2 disks running RAID)
Code:
# mkdir -p /share/MD0_DATA/sslcert
# cp /share/Public/stunnel.pem /share/MD0_DATA/sslcert


2. Mount the flash drive to edit autorun.sh

Code:
# mount -t ext2 /dev/mtdblock5 /tmp


3. Edit autorun.sh to add the following lines to it

Code:
# vi /tmp/autorun.sh

(for single disk)
cp -af /share/HDA_DATA/sslcert/stunnel.pem /etc/stunnel

(for 2 disks running RAID)
cp -af /share/MD0_DATA/sslcert/stunnel.pem /etc/stunnel

Then save and escape out of vi

Code:
ESC
:wq
ENTER


Code:
# chmod +x /tmp/autorun.sh

# cd /

# umount /tmp

# reboot


Upon reboot, the system will install it over the default certificate.

Andy
=============================================================>>>
TS-639-Pro [RAID5][Optware][MLDonkey][Hosting My Ubuntu VM via ISCSI]
TS-219-Pro [RAID1][Squeeze Center 7.3][Twonkymedia]
Buffalo WHR-HP-G54 [DD-WRT][D-Link DGS-1005D][GigaLAN]
=============================================================>>>
QNAPAndy
Site Admin
 
Posts: 2369
Joined: Thu Sep 13, 2007 11:56 am
Location: Taipei, Taiwan
NAS Model: TS-509 Pro

Re: Wrong SSL certificate

Post by silverfile » Fri Oct 10, 2008 11:34 pm

Following QNAPAndy's instructions, I found that I had to restart the stunnel service after stunnel.pem is copied in autorun. You can do this by adding the following line to autorun.sh:

Code:
/etc/init.d/stunnel.sh restart


Also make sure your cert doesn't have a passphrase/key on it if you want it to start without any intervention.
silverfile
Cadet
 
Posts: 3
Joined: Fri Oct 10, 2008 10:11 pm
NAS Model: TS-109/209 Pro
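
Added example, not part of any post in this thread: a preflight check to run on stunnel.pem before the reboot in QNAPAndy's steps, covering silverfile's point about passphrases. It assumes stunnel on the NAS reads both the certificate and the private key from that one file; check_stunnel_pem and write_sample are hypothetical helper names, and the sample PEM files are constructed placeholders.

```shell
# Added example (not from the thread): text-level preflight for stunnel.pem.
# Assumption: stunnel on the NAS reads certificate AND private key from this
# one file. It does not verify the chain or that key and certificate match.
check_stunnel_pem() {   # usage: check_stunnel_pem FILE; returns 0 if usable
    pem=$1; rc=0
    [ -r "$pem" ] || { echo "cannot read $pem"; return 2; }
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block"; rc=1; }
    grep -Eq -- '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key block"; rc=1; }
    # PKCS#8 armor or the traditional Proc-Type header marks an encrypted key;
    # stunnel then cannot start unattended (silverfile's point above).
    if grep -Eq -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is passphrase-protected"; rc=1
    fi
    begins=$(grep -c -- '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c -- '^-----END ' "$pem" || true)
    [ "$begins" -eq "$ends" ] ||
        { echo "truncated file: $begins BEGIN vs $ends END lines"; rc=1; }
    # The file holds a private key: flag any group/other permission bits.
    case $(ls -ld "$pem" | cut -c5-10) in
        ------) ;;
        *) echo "warning: accessible beyond owner, chmod 600 advised" ;;
    esac
    return "$rc"
}

# Constructed sample files; the base64 body is a placeholder, not key material.
write_sample() {        # usage: write_sample FILE plain|encrypted|certonly
    body='Q09OU1RSVUNURUQ='; key='RSA PRIVATE KEY-----'
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
        case $2 in
            plain) printf '%s\n' "-----BEGIN $key" "$body" "-----END $key" ;;
            encrypted) printf '%s\n' "-----BEGIN $key" 'Proc-Type: 4,ENCRYPTED' \
                           'DEK-Info: AES-128-CBC,00' '' "$body" "-----END $key" ;;
        esac
    } > "$1"
    chmod 600 "$1"
}

demo_dir=$(mktemp -d)
for kind in plain encrypted certonly; do
    write_sample "$demo_dir/$kind.pem" "$kind"
    echo "== $kind"
    check_stunnel_pem "$demo_dir/$kind.pem" || echo "-> fix before rebooting"
done
rm -rf "$demo_dir"
```

On the NAS the call would be check_stunnel_pem /share/Public/stunnel.pem. Because that copy contains the private key and sits in the Public share, delete it once it has been copied into the sslcert directory.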

Re: Wrong SSL certificate

Post by Stefano » Sat Oct 11, 2008 12:43 am

QNAPAndy wrote: Hi Guys,
Yes, if you are going to purchase one ...
Andy


Yeah, but it's still not fixed and we purchased the TS already. Why do we have to spend money again to get a secure device?
SS-439 Pro (running on 3.2.5 Build 0410) as a backup server with RAID 5 (4 * 300 GB)
TS-109 Pro (running on 2.1.4 Build 0318) as a file-, web- & media Server (1 TB)
Stefano
Cadet
 
Posts: 54
Joined: Mon Sep 10, 2007 10:29 pm
NAS Model: SS-439 Pro

Re: Wrong SSL certificate

Post by Q » Tue Dec 16, 2008 4:49 pm

Yeah, but it's still not fixed and we purchased the TS already.

Because an SSL certificate for that usage (and integrated in the browsers) does not come for free, it costs several hundred USD per year and per server. I think you'll agree that this can't be included in the TS price ;) Even the fee for one year costs most likely more than a whole TS-209. Also such a certificate needs to be personalised for every user, so it's impossible for QNAP to issue it. The best you can get is an EV certificate, check http://en.wikipedia.org/wiki/Extended_V ... ertificate.
Q
----------------------------------
http://www.turbonas.com
----------------------------------
just btw: i don't work at qnap
and btw 2: RAID is NO backup ^^
Q
Diamond Warrior
 
Posts: 1294
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland
NAS Model: TS-509 Pro

Re: Wrong SSL certificate

Post by Stefano » Tue Dec 16, 2008 5:48 pm

Q wrote: Because an SSL certificate for that usage (and integrated in the browsers) does not come for free, it costs several hundred USD per year and per server. I think you'll agree that this can't be included in the TS price ;)

Then stop advertising the Turbostation products as safe. It is advertised as:
Code:
TS-109 is definitely one of the most powerful and safest repository to ensure all of your precious digital files be stored securely

http://www.qnap.com/pro_detail_feature.asp?p_id=78
SS-439 Pro (running on 3.2.5 Build 0410) as a backup server with RAID 5 (4 * 300 GB)
TS-109 Pro (running on 2.1.4 Build 0318) as a file-, web- & media Server (1 TB)
Stefano
Cadet
 
Posts: 54
Joined: Mon Sep 10, 2007 10:29 pm
NAS Model: SS-439 Pro

Re: Wrong SSL certificate

Post by Stefano » Tue Dec 16, 2008 5:49 pm

Q wrote: Because an SSL certificate for that usage (and integrated in the browsers) does not come for free, it costs several hundred USD per year and per server. I think you'll agree that this can't be included in the TS price ;)

Then stop advertising the Turbostation products as safe!

It is advertised as:
"TS-109 is definitely one of the most powerful and safest repository to ensure all of your precious digital files be stored securely"
http://www.qnap.com/pro_detail_feature.asp?p_id=78
SS-439 Pro (running on 3.2.5 Build 0410) as a backup server with RAID 5 (4 * 300 GB)
TS-109 Pro (running on 2.1.4 Build 0318) as a file-, web- & media Server (1 TB)
Stefano
Cadet
 
Posts: 54
Joined: Mon Sep 10, 2007 10:29 pm
NAS Model: SS-439 Pro

Re: Wrong SSL certificate

Post by Q » Tue Dec 16, 2008 6:33 pm

you must be joking...

what qnap delivers is secure regarding encrypting the communication. that works very well. only the authentication part is useless so it doesn't help against a man-in-the-middle-attack.

you can also create your own free certificate and import it, so at least it's not the same as all other certificates. however this still can't protect you from man-in-the-middle. if you want to have that, there is no other way than to buy an expensive certificate. this is how the world works, qnap can't change that, and nobody else can. security rarely comes for free, often it either costs usability or money. that's life.

as some wise guy said once
Don't forget that it's not the SSL that protects you, it's your password. The SSL just protects your password (which is important enough).

and safe means much more than a ssl certificate... and the meaning of safe isn't restricted to network security. there are many different points at information security, you may want to read http://en.wikipedia.org/wiki/Information_security. also safe can be meant regarding Backup (http://en.wikipedia.org/wiki/Backup).

qnap implemented many different approaches to offer a very safe product regarding many points. qnap even will implement an enhanced ip filter with auto ban function soon (already existing in 509). however a server can never be the only part of a security strategy. there are also other points like a firewall, antivirus, company policies, backup strategies, etc.

and what most people forget: you can implement as much security as you want, at the end there is still the user which is causing the majority of security breaches. so teaching people is a very effective way also for a company (or teach yourself if you're not a company) to reduce risks too.

every competitor - even with much much less stuff implemented - advertises their product as safe. it's just ridiculous that you say qnap, while really delivering a safe product in most regards, should not advertise it like this :roll:
Q
----------------------------------
http://www.turbonas.com
----------------------------------
just btw: i don't work at qnap
and btw 2: RAID is NO backup ^^
Q
Diamond Warrior
 
Posts: 1294
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland
NAS Model: TS-509 Pro
