06-29-2015 07:19 AM - edited 06-30-2015 12:27 AM
Unable to perform HP 2530 hardening (HTTPS and SSH)
We would like to perform HP 2530 hardening, but some options seem to be missing in the current firmware.
For HTTPS we were unable to:
1. Disable all protocols except TLSv1.2.
2. Enable forward secrecy key exchange: ECDHE (with P-521 or Curve25519) or DHE with 4096 dhparam instead of non-FS RSA key exchange.
3. Disable 3DES_EDE_CBC cipher (grade C in Qualys SSL Server Test).
4. Enable AEAD ciphers like AES_256_GCM, AES_128_GCM or CHACHA20_POLY1305.
5. Disable Secure Client-Initiated Renegotiation.
For SSH we were unable to:
1. Replace diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 with diffie-hellman-group-exchange-sha256.
2. Replace existing MACs with hmac-sha2-256.
Firmware used: YA.15.16.0008.
Can we expect that support for modern cipher suites will appear in HP products?
06-29-2015 05:48 PM
Re: Unable to perform HP 2530 hardening (HTTPS and SSH)
The 2530 switch shouldn't be terminating any connections relevant to secure card payments.
The hardening you refer to needs to be carried out on the applications and on the firewalls & routers that secure them.
06-30-2015 12:20 AM
Re: Unable to perform HP 2530 hardening (HTTPS and SSH)
Vince: at some point you need to connect to the switch to manage it, and that connection should be secure. If someone decided to support HTTPS and SSH protocols in this model, then it should be implemented properly.
06-30-2015 08:06 AM
Re: Unable to perform HP 2530 hardening (HTTPS and SSH)
There were updates to the protocols in the 15.17 builds. I have a 2920 that is running 15.17.0005 and it is using TLS 1.2. I am not sure how to test the switch to see the full list of enabled algorithms. If you can provide details on the test you are using, I would be willing to run it and see what it returns.
There is an update for the 2530: YA.15.17.0007: https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9853A&lang=en,en&cc=us,us&prodSeriesId=5333803
09-19-2020 01:29 PM
Re: Unable to perform HP 2530 hardening (HTTPS and SSH)
HW 2530-48 ver YB.16.10.0010
1. Disable all protocols except TLSv1.2
# tls application all lowest-version tls1.2
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
3. Disable 3DES_EDE_CBC cipher (grade C in Qualys SSL Server Test)
# tls application all lowest-version tls1.2 disable-cipher des3-cbc-sha
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
# tls application all lowest-version tls1.2 disable-cipher ecdh-ecdsa-des-cbc3-sha
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
# tls application all lowest-version tls1.2 disable-cipher ecdh-rsa-des-cbc3-sha
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
# tls application all lowest-version tls1.2 disable-cipher ecdhe-ecdsa-des-cbc3-sha
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
# tls application all lowest-version tls1.2 disable-cipher ecdhe-rsa-des-cbc3-sha
Do you want to terminate the existing TLS or SSL sessions (y/n)? y
4. Enable AEAD ciphers like AES_256_GCM, AES_128_GCM or CHACHA20_POLY1305
Only these are available:
# tls application all lowest-version tls1.2 cipher
aes128-gcm-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256
aes128-sha Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
aes128-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256
aes256-gcm-sha384 Specify the cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384
aes256-sha Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA
aes256-sha256 Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256
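As an added example (not code from the thread or from HPE), the script below audits a list of IANA cipher suite names against checklist items 2 to 4 of the original post (forward secrecy, AEAD, no 3DES), seeded with the six suites the switch listed above, and includes an optional live probe that reports which TLS protocol versions a management interface still accepts. The host and port passed to the probe are placeholders you supply; everything else runs offline.

```python
"""Audit a switch's TLS cipher list against the hardening checklist from the
original post.  Added example; the IANA suite names below are the ones the
2530 (YB.16.10.0010) printed in the last reply.  Standard library only."""
import socket
import ssl

# Suite names exactly as the switch's "cipher" help listed them (see above).
SWITCH_SUITES = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

def classify(suite):
    """Return the properties a hardening check cares about for one IANA suite name."""
    kx = suite.split("_WITH_")[0]          # e.g. "TLS_RSA" or "TLS_ECDHE_RSA"
    kx = kx[4:] if kx.startswith("TLS_") else kx
    return {
        "suite": suite,
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")),   # checklist item 2
        "aead": "_GCM_" in suite or "CHACHA20" in suite,       # checklist item 4
        "weak_cipher": "3DES" in suite or "_DES_" in suite or "RC4" in suite,  # item 3
    }

def audit(suites):
    """Summarise a suite list: what the checklist can and cannot achieve with it."""
    rows = [classify(s) for s in suites]
    return {
        "forward_secrecy_available": any(r["forward_secrecy"] for r in rows),
        "aead_available": any(r["aead"] for r in rows),
        "weak_ciphers": [r["suite"] for r in rows if r["weak_cipher"]],
        "recommended_to_enable": [r["suite"] for r in rows if r["aead"]],
    }

def probe_tls_versions(host, port=443, timeout=5):
    """Live check (not run offline): which protocol versions the HTTPS UI accepts.
    Each version is forced as both minimum and maximum; a failed handshake means
    the switch (or the local OpenSSL policy) rejects that version."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    accepted = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE    # testing the handshake, not the self-signed cert
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as s, \
                    ctx.wrap_socket(s) as tls:
                accepted[name] = tls.cipher()[0]   # negotiated suite, OpenSSL name
        except (ssl.SSLError, OSError, ValueError):
            accepted[name] = None
    return accepted
```

Run `audit(SWITCH_SUITES)` to see that the listed firmware offers AEAD (GCM) suites but no ECDHE/DHE key exchange, so item 2 of the checklist cannot be met by cipher selection alone.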