topic SSL Server Has SSLv2 Enabled Vulnerability in Server Management - Systems Insight Manager

SSL Server Has SSLv2 Enabled Vulnerability

Dave K. — Fri, 28 Dec 2012 02:28:41 GMT

SSL Server Has SSLv2 Enabled Vulnerability port 2381/tcp over SSL

Is the a way to mitigate this by going to SSLv3? I assume this is referring to Systems Manager.

Thanks

P.S. This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum - HP Forums Moderator

Re: SSL Server Has SSLv2 Enabled Vulnerability

Rich Purvis — Tue, 16 Aug 2005 11:06:05 GMT

The software on port 2381 supports both SSLv2 and SSLv3.

-Rich

Re: SSL Server Has SSLv2 Enabled Vulnerability

Dave K. — Tue, 16 Aug 2005 11:12:20 GMT

How do you disable v2 so that only v3 is enabled?

Re: SSL Server Has SSLv2 Enabled Vulnerability

Josef Roth_2 — Mon, 05 Sep 2005 13:39:29 GMT

I have the following security vulnerabilities on several hundred proliant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104) which listens on SSL port 2381. Is there a way to enable SSLv3 and turn-off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seams it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.confâ was without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL

Thanks

Re: SSL Server Has SSLv2 Enabled Vulnerability

ekonop — Mon, 04 Dec 2006 10:22:37 GMT

I get the same SSLv2 Enabled Vulnerability. How can this be mitigated? This is in reference to the HP System Management Homepage. When I disable this service the SSLv2 vulnerability is removed, the only problem is that we use the system management homepage. Thanks

Re: SSL Server Has SSLv2 Enabled Vulnerability

Rich Purvis — Wed, 06 Dec 2006 17:15:22 GMT

Latest versions of System Mangement Homepage have SSL V2 disabled by default. I would suggest you upgrade to the latest version.

-Rich