- Community Home
- >
- Networking
- >
- Switching and Routing
- >
- Comware Based
- >
- Re: HPE FlexFabric 5700 - Disabling SSL ciphers
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-09-2021 02:16 AM - last edited on тАО09-12-2021 04:02 AM by support_s
тАО09-09-2021 02:16 AM - last edited on тАО09-12-2021 04:02 AM by support_s
I am trying to disable a specific set of ciphers on an HPE FlexFabric 5700 JG896A with firmware version 2432P06.
The reason is to silence several vulnerability warnings from our GVM vulnerability scanner, among them these 2 from HPE:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05349499
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05336888
As per the HPE FlexFabric 5700 Switch Series Security Configuration Guide I have done:
ssl server-policy "specific-ciphersuites"
ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha dhe_rsa_aes_256_cbc_sha256 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_256_gcm_sha384 rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256
quit
undo ip https enable
ip https ssl-server-policy "specific-ciphersuites"
ip https enable
This should remove the following ciphers:
exp_rsa_des_cbc_sha
exp_rsa_rc2_md5
exp_rsa_rc4_md5
rsa_3des_ede_cbc_sha
rsa_rc4_128_md5
rsa_rc4_128_sha
rsa_des_cbc_sha
But this results in a ERR_SSL_VERSION_OR_CIPHER_MISMATCH when attempting to open the https site in Edge and similar message in Internet Explorer.
If I undo the change:
undo ip https enable
undo ip https ssl-server-policy
ip https enable
Then I can open the https site again.
Even just testing one ciphersuite enabled:
ssl server-policy testing
ciphersuite rsa_aes_128_cbc_sha
quit
undo ip https enable
ip https ssl-server-policy testing
ip https enable
Gives the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
I have already succesfully disabled SSL 3.0, TLS 1.0, and TLS 1.1 with:
ssl version ssl3.0 tls1.0 tls1.1 disable
undo ip https enable
ip https enable
I have found a few posts in the HPE Community forum about ciphers on Commware switches, but none of the ones I found show a working config sample.
Has anyone succesfully disabled ssl ciphersuites on a 5700 series switch?
Am I missing something in my configuration?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-09-2021 03:01 AM
тАО09-09-2021 03:01 AM
Re: HPE FlexFabric 5700 - Disabling SSL ciphers
Hi @Support_PenB !
Did you have a chance to analyze TLS 'Client Hello' and 'Server Hello' messages to see what ciphers your browser declares as proposed and what cipher the switch advertises? Check both working and non-working scenarios. There is a useful display filter in Wireshark 'tls.handshake' that can help you filtering out those two packets. If any doubts, share the filtered capture here, I'll check. My suspicion is that when it works, both client (browser) and server agree on rsa_rc4_128_md5 but when you exclude it they can't negotiate anything compatible. Which is definitely strange taking into account how many various ciphers you have in that SSL policy...
BTW, have you tried that policy without 'ssl version ssl3.0 tls1.0 tls1.1 disable'? Like to allow all TLS versions, but with ciphers you choose?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-09-2021 05:57 AM
тАО09-09-2021 05:57 AM
Re: HPE FlexFabric 5700 - Disabling SSL ciphers
I have tried with SSL 3.0, TLS 1.0, and TLS 1.1 enabled AND the specific ciphersuites, but the result is the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
I enabled SSL 3.0, TLS 1.0, TLS 1.1:
undo ssl version ssl3.0 disable
undo ssl version tls1.0 disable
undo ssl version tls1.1 disable
undo ip https enable
ip https enable
Without setting a specific ciphersuite.
Testing with nmap v7.70 from a CentOS 8 host with command:
nmap -sV --script ssl-enum-ciphers -p 443 switch2.domain.local
Shows a very limited cipher set:
|_http-server-header: HTTPD
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| Ciphersuite uses MD5 for message integrity
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
|_ least strength: C
Same with sslyze (https://github.com/nabla-c0d3/sslyze) 4.1.0 from a Windows Server 2019 server:
SCAN RESULTS FOR SWITCH2.DOMAIN.LOCAL:443 - 10.10.10.10
-------------------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* ROBOT Attack:
OK - Not vulnerable.
* Session Renegotiation:
Client Renegotiation DoS Attack: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* TLS 1.2 Session Resumption Support:
With Session IDs: NOT SUPPORTED (0 successful resumptions out of 5 attempts).
With TLS Tickets: OK - Supported.
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* Certificates Information:
Hostname sent for SNI: switch2.domain.local
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: 88c43163b01d2e0d8fddc44320ee967e6f2077d8
Common Name: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Issuer: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Serial Number: 0
Not Before: 2011-01-01
Not After: 2030-12-27
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
DNS Subject Alternative Names: []
Certificate #0 - Trust
Hostname Validation: FAILED - Certificate does NOT match server hostname
Android CA Store (9.0.0_r9): FAILED - Certificate is NOT Trusted: self signed certificate
Apple CA Store (iOS 14, iPadOS 14, macOS 11, watchOS 7, and tvOS 14):FAILED - Certificate is NOT Trusted: self signed certificate
Java CA Store (jdk-13.0.2): FAILED - Certificate is NOT Trusted: self signed certificate
Mozilla CA Store (2021-01-24): FAILED - Certificate is NOT Trusted: self signed certificate
Windows CA Store (2021-02-08): FAILED - Certificate is NOT Trusted: self signed certificate
Symantec 2018 Deprecation: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain: HTTPS-Self-Signed-Certificate-ba0115a4076d6ffc
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: NOT SUPPORTED - Extension not found
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites; the server rejected all cipher suites.
* Elliptic Curve Key Exchange:
The server does not support cipher suites with ECDH key exchanges.
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 5 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_RC4_128_MD5 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA 168
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
SCAN COMPLETED IN 9.10 S
------------------------
According to the Security tab in the Developer Tools in the Edge browser it connected with:
The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_128_CBC with HMAC-SHA1.
Now to apply my ciphersuite:
ssl server-policy "specific-ciphersuites"
ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha dhe_rsa_aes_256_cbc_sha256 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_256_gcm_sha384 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_256_gcm_sha384 rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha256
quit
undo ip https enable
ip https ssl-server-policy "specific-ciphersuites"
ip https enable
Edge now shows the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
The nmap test with the same command now shows only an open port:
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-09 14:47 CEST
Nmap scan report for switch2.domain.local (10.10.10.10)
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/https?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.95 seconds
sslyze shows that it cannot connect:
CHECKING HOST(S) AVAILABILITY
-----------------------------
switch2.domain.local:443 => ERROR: Probing failed: could not find a TLS version and cipher suite supported by the server; discarding scan.
SCAN COMPLETED IN 0.13 S
------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-09-2021 10:28 AM
тАО09-09-2021 10:28 AM
Re: HPE FlexFabric 5700 - Disabling SSL ciphers
It seems that when the SSL policy is applied the server rejects the connection because it can't find anything compatible among ciphers advertised by your browser or testing tools in their 'Client Hello' message. But I highly doubt it is the real cause. It is more like the server incorrectly processes the SSL policy, since rsa_aes_128_cbc_sha is in the policy and it's known to be acceptable cipher.
Not sure if it has anything to do with your issue, but I have just found that 5700 does not officially support Web GUI. And while 'ip http' and 'ip https' commands are still in the CLI, they are not mentioned in the Command Reference Guides for this platform and HPE doesn't guarantee they will work. To me your configuration seems absolutely correct, so my guess is that SSL policy support doesn't work for the Web GUI server (ip https), but works only for FTPS and portal Web server. At least according the 5700's guides these two are the only features that support SSL server-policy.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-09-2021 11:35 PM
тАО09-09-2021 11:35 PM
Re: HPE FlexFabric 5700 - Disabling SSL ciphers
I can't find mention of "ip http" or "ip https" in any of the guides for the 5700 at https://support.hpe.com/connect/s/product?language=en_US&ismnp=1&l5oid=7268889&kmpmoid=1008635527&productNumber=JG896A&cep=on#t=All.
That would mean the web interface was never supported on 5700 series switches? Weird.
So that would mean that the only way to disable ciphers on the web server on a 5700 series switch is to either disable the web server or enable FIPS mode.
Assuming that the web server would even work after enabling FIPS mode as the web server is not officially supported on an 5700 serie switch as it is not mentioned in any manual for the 5700.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО09-10-2021 02:20 AM
тАО09-10-2021 02:20 AM
SolutionHmm, the story about Web GUI in 5700 series is slightly more complicated. As far as I remember it was something like a feature implemented for testing in initial releases, like a beta or even alpha-grade feature, but then HPE decided to drop it and limit Web GUI to 19xx and 51xx series switches. In fact it was never working 100%. Those commands remained in CLI for unknown reason, maybe there were plans to re-consider Web GUI implementation, so devs just left them in the code...