
A5500: Howto force ssl to tls 1.x?

Gotthard_Anger
Occasional Visitor

A5500: Howto force ssl to tls 1.x?

Have A5500 switches (formerly 3com 4800g), branded to HP with latest firmware 2222P07.

I can access the switch using http, but wanted to enable the https protocol

using the steps available via docs and google

#ip https enable 

I only get the message from the browsers (FF and Chrome): unsupported protocol. In fact I have to force the switch to tls 1.x (ssl v3.1). How to do this? The self-signed certificate is not the problem, as I cancelled my tests with our AD domain and the certificate server because of "untrusted ca", where there was also no solution in the world wide web or docs.


Landeskirchenamt der EKM
6 REPLIES
parnassus
Honored Contributor

Re: A5500: Howto force ssl to tls 1.x?

Hello, do you mean how to disable SSL 3.0 Switch side in order to force it to use TLS 1.0?

Gotthard_Anger
Occasional Visitor

Re: A5500: Howto force ssl to tls 1.x?

Hi

thx for fast answer.

I have no idea what's the right way to reach my goal.

If it works through disabling sslv3, maybe...

Gotthard

Landeskirchenamt der EKM
parnassus
Honored Contributor

Re: A5500: Howto force ssl to tls 1.x?

I asked that because I noticed that since R2221P08 a new feature was introduced: "Disabling SSL 3.0". It allows you to disable SSL 3.0 on the Switch to enhance security (clearly peer devices - Web Browsers in our case - should support TLS 1.0).

The explanation given on Release Notes was:

This feature allows you to disable SSL 3.0 on a device to enhance system security.

  • An SSL server supports only TLS 1.0 after SSL 3.0 is disabled.
  • An SSL client always uses SSL 3.0 if SSL 3.0 is specified for the client policy, whether you
    disable SSL 3.0 or not.

To ensure successful establishment of an SSL connection, do not disable SSL 3.0 on a device when the peer device only supports SSL 3.0. HP recommends upgrading the peer device to support TLS 1.0 to improve security.

The system-view command is ssl version ssl3.0 disable (undo to revert to SSL 3.0, which is enabled by default).

Gotthard_Anger
Occasional Visitor

Re: A5500: Howto force ssl to tls 1.x?

Hi,

#ssl version ssl3.0 disable

don't forget to reload the https server :-)

#undo ip https ena

#ip https ena

New error message in browser (here chrome):

ERR_SSL_BAD_RECORD_MAC_ALERT

If I check the certificate in IE, the selfsigned certificate is issued to "Comware-HTTPS...". No chance to change?


Landeskirchenamt der EKM
parnassus
Honored Contributor

Re: A5500: Howto force ssl to tls 1.x?

Can you report if that Error "ERR_SSL_BAD_RECORD_MAC_ALERT" shows up using, respectively, the latest Mozilla Firefox, Google Chrome and Microsoft Internet Explorer? Maybe there is an issue (TLS 1.0 not supported on Web Browser side?) at the Web Browser side...

Gotthard_Anger
Occasional Visitor

Re: A5500: Howto force ssl to tls 1.x?

Hello,

Firefox 56: no connection with message similar as reported

Chrome 61: no connection with reported message 

IE 11: connects with a lot of warnings: "the certificate was issued for another address of this website"

IMHO FF and Chrome have disabled ssl v3 support, but should accept tls v1.0 connections.

Go

Landeskirchenamt der EKM
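An added example, not posted by anyone in this thread and not an HP tool: after `ssl version ssl3.0 disable` and the https restart described above, this script probes the switch from a client with `openssl s_client`, one protocol version at a time, so you can see whether SSL 3.0 is really refused and TLS 1.0 accepted, or whether the handshake dies with the "bad record mac" alert the browsers reported. `SWITCH_HOST`/`SWITCH_PORT` are placeholders for your switch's management address; the classification function is a plain string parser so it can be checked offline.

```shell
#!/bin/sh
# Added example (not from the thread): probe which SSL/TLS versions a
# Comware HTTPS server negotiates. SWITCH_HOST is a placeholder address.
SWITCH_HOST="${SWITCH_HOST:-192.0.2.10}"
SWITCH_PORT="${SWITCH_PORT:-443}"

# Classify the text openssl s_client printed for one handshake attempt.
# Pure string function, no network, so it can be exercised offline.
# Prints one of: client_unsupported, bad_record_mac, refused, accepted, unknown.
classify_handshake() {
    case "$1" in
        # our openssl build cannot even try this version (e.g. no -ssl3 compiled in)
        *"unknown option"*|*"no protocols available"*)
            echo client_unsupported ;;
        # openssl's view of the browser's ERR_SSL_BAD_RECORD_MAC_ALERT
        *"bad record mac"*)
            echo bad_record_mac ;;
        # server rejected this version (old openssl prints Cipher 0000 on failure)
        *"Cipher    : 0000"*|*"handshake failure"*|*"wrong version number"*|\
        *"unsupported protocol"*|*"alert "*)
            echo refused ;;
        # a session block with a real protocol means the version was negotiated
        *"Protocol  : "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# $1 is an openssl version flag such as -tls1; stdin is closed so s_client exits.
probe_version() {
    out=$(openssl s_client -connect "$SWITCH_HOST:$SWITCH_PORT" "$1" </dev/null 2>&1)
    printf '%-8s %s\n' "$1" "$(classify_handshake "$out")"
}

# Only touch the network when explicitly asked, so sourcing the file is side-effect free.
if [ -n "${RUN_PROBE:-}" ]; then
    for v in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_version "$v"
    done
fi
```

Run it as `RUN_PROBE=1 SWITCH_HOST=<switch> sh probe.sh`; with SSL 3.0 disabled on the switch you expect `-ssl3` to be refused (or client_unsupported on a modern openssl) and `-tls1` accepted, and a `bad_record_mac` result for `-tls1` reproduces the browser failure independently of the browser.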