topic Re: HP SIM / SSL Vulnerabilities in Server Management - Systems Insight Manager

HP SIM / SSL Vulnerabilities

Marc Sonnenberg — Wed, 21 Sep 2005 15:12:25 GMT

This seems to apply more to the system management homepage, but I'll start here. Many of the vulnerability scanning tools available point to issues with the SSL implementation behind SIM / SMH. They refer to many flaws in SSLv2, which I believe these use. Recommendations are to either disable SSL or go to SSLv3. Any comments on this? I like to use SIM and SMH, but are being scrutinized for security reasons. Thank you for your input!!!

Re: HP SIM / SSL Vulnerabilities

Rich Purvis — Fri, 23 Sep 2005 07:51:30 GMT

If you believe SSLV2 is an issue, then do not use it - SMH supports SSLV3. Because this apparently is a concern for a number of people the SMH team is looking at adding a switch to let customers with this concern disable the SSLV2 support. However, due to varying release cycles and other intangibles I cannot say if and when that will be available, just that it is being looked at now.

-Rich

Re: HP SIM / SSL Vulnerabilities

Marc Sonnenberg — Fri, 23 Sep 2005 15:13:24 GMT

Any idea on how to change the SMH from v2 to v3? I've been checking manuals and such on that but haven't found much. It would appear that you'd have to change it both on the managed server and on the management server.

Re: HP SIM / SSL Vulnerabilities

Rich Purvis — Sat, 24 Sep 2005 03:49:10 GMT

Right now there is no way to stop it from trying to accept an SSLV2 connection as that is what the user initiated switch would be for. The SMH does not initiate a connection - that is done by you using your browser to connect to SMH - you can set your browser to *not* use SSLV2. If you use SSLV3 to connect to SMH everything should work fine and you won't be using SSLV2. If your problem is that the SMH *can* accept an SSLV2 connection then that currently cannot be changed.

-Rich