HPE Community
Server Management - Remote Server Management
1751963 Members
4532 Online
108783 Solutions
New Discussion юеВ

ILO2 TLS upgrade

 
Snakiej
Visitor

тАО06-20-2016 03:56 AM

тАО06-20-2016 03:56 AM

ILO2 TLS upgrade

Dear all,

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

As per the above link TLS 1.0 is no longer accepted, and is already blocked by Google Chrome.

ERR_SSL_BAD_RECORD_MAC_ALERT

The question is: are there any plans of HP to release a version of iLO 2 with TLS > 1.2 backed in? 

Or has support ended for these kind of machines? 

And is there anything we - as users - can do to mitigate this issue - appart from using Internet Explorer, which is bound to fail in the future too.

0 Kudos
Reply
4 REPLIES 4
Oscar A. Perez
Honored Contributor

тАО06-30-2016 10:59 AM - edited тАО06-30-2016 01:16 PM

тАО06-30-2016 10:59 AM - edited тАО06-30-2016 01:16 PM

Re: ILO2 TLS upgrade

Unfortunately, iLO2 has a version of the RSA SSL library that only supports SSLv3 and TLS 1.0 protocols.   Remember that iLO2 was released more than 10 years ago, when the entire World used the SSLv3 protocol and TLS 1.1/1.2 did not even exist.

Also, iLO2 is already out or RAM space so, even if we had a license of a newer SSL library with TLS 1.2 support,  we wouldn't be able to build the firmware.  At least not without removing important functionality from iLO2 in order to make room for the new library.

Finally, Google Chrome has never been officially supported by iLO2.  You get a popup screen warning you about unsupported browser every time you use Chrome to browse into iLO2.  




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Reply
SteveNewcomb
New Member

тАО11-22-2016 12:16 PM

тАО11-22-2016 12:16 PM

Re: ILO2 TLS upgrade

I have discovered that Chrome can be forced to *connect* to iLO2 (see how below) but it still can't do the remote console thing because there's no JVM.  Better than nothing, though.  Enough to reboot, anyway.

Having stopped all chrome processes, use the command line (your installed location of the chrome executable may be different):

/opt/google/chrome/chrome --ssl-version-min=tls1 --ssl-version-max=tls1 -ignore-certificate-errors

 

0 Kudos
Reply
TSDMichael
New Member

тАО12-19-2016 03:36 PM

тАО12-19-2016 03:36 PM

Re: ILO2 TLS upgrade

And you can access ILO 2 with Firefox and IE 11 without problems.

Should be able to do virtual console as well as these browsers support Java still.

0 Kudos
Reply
Psyfer
Occasional Visitor

тАО01-20-2017 11:13 PM

тАО01-20-2017 11:13 PM

Re: ILO2 TLS upgrade

Using the reverse proxy feature on my Synology DiskStation along with my free domain name through Synology, I was able to wrap the old iLO2 HTTPS connection. I still get an error about the SSL and have to click procced, but it works in Chrome since it sees the DiskStation certificate instead of the iLO's. You may be able to do something similar with some router settings. I think DD-WRT may have something like that but not sure.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.