ITRC Systems Insight Manager Forum

SSL Server Has SSLv2 Enabled Vulnerability

Occasional Visitor

SSL Server Has SSLv2 Enabled Vulnerability


SSL Server Has SSLv2 Enabled Vulnerability port 2381/tcp over SSL

Is there a way to mitigate this by going to SSLv3? I assume this is referring to Systems Manager.

Thanks

P.S. This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum - HP Forums Moderator

5 REPLIES
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

The software on port 2381 supports both SSLv2 and SSLv3.

-Rich
Why does my tivo keep recording Nickelodeon?
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

How do you disable v2 so that only v3 is enabled?
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

I have the following security vulnerabilities on several hundred ProLiant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104), which listens on SSL port 2381. Is there a way to enable SSLv3 and turn off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seems it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.conf" were without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL

Thanks
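
An added example (not part of the original post and not HP's code): a small class-level audit of the two SSLCipherSuite strings quoted above, applying the operator rules from the OpenSSL ciphers(1) manual. The names `audit`, `WEAK`, `ALIASES`, `CURRENT` and `PROPOSED` are hypothetical, and the code assumes an OpenSSL build that still ships SSLv2 suites.

```python
# Added example: class-level audit of an OpenSSL cipher string such as the
# SSLCipherSuite value quoted in the post above. Operators per ciphers(1):
#   KEY   add matching suites       +KEY  move suites already listed to the end
#   -KEY  delete (can be re-added)  !KEY  delete permanently
# Assumption: the OpenSSL build still ships SSLv2 suites, so ALL includes them;
# ALL never includes eNULL. Combined tokens (RC4+RSA) are ignored as not weak.
WEAK = ("SSLv2", "EXPORT40", "EXPORT56", "LOW", "eNULL", "ADH")
ALIASES = {"EXP": ("EXPORT40", "EXPORT56"), "EXPORT": ("EXPORT40", "EXPORT56"),
           "NULL": ("eNULL",)}

# The two strings from the post.
CURRENT = ("ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:"
           "+SSLv2:+EXP:-LOW:+eNULL")
PROPOSED = ("ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:"
            "-SSLv2:+SSLv3:+EXP:-LOW:+eNULL")


def audit(cipher_string):
    """Return (state, notes); state maps each weak class to
    'included', 'removed', 'killed' or 'absent'."""
    state = {k: "absent" for k in WEAK}
    notes = []
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "+-!" else ""
        name = token[len(op):]
        if name == "ALL":
            targets = [k for k in WEAK if k != "eNULL"]
        else:
            targets = [k for k in ALIASES.get(name, (name,)) if k in state]
        for k in targets:
            if op == "+":
                notes.append(f"+{name} only reorders: {k} stays {state[k]}")
            elif state[k] == "killed":
                continue  # '!' is permanent; later tokens cannot undo it
            elif op == "!":
                state[k] = "killed"
            elif op == "-":
                state[k] = "removed"
            else:
                state[k] = "included"
    return state, notes


if __name__ == "__main__":
    for label, value in (("current", CURRENT), ("proposed", PROPOSED)):
        state, notes = audit(value)
        print(label, state)
        for note in notes:
            print("  note:", note)
```

Writing `!SSLv2` instead of `-SSLv2` makes the removal permanent, so no later token in the string can add those suites back.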
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

I get the same SSLv2 Enabled Vulnerability. How can this be mitigated? This is in reference to the HP System Management Homepage. When I disable this service the SSLv2 vulnerability is removed, the only problem is that we use the system management homepage. Thanks
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

Latest versions of System Management Homepage have SSL V2 disabled by default. I would suggest you upgrade to the latest version.

-Rich
Why does my tivo keep recording Nickelodeon?