04-08-2019 11:10 AM
iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?
I am having trouble adding iLO2 interfaces to OneView. Symptom:
"Unable to add server hardware: ilo-someserver"
Also, refreshing some iLO2 give the following symptom:
"Unable to establish secure communication with the server. An unexpected exception occurred while negotiating the secure connection."
Firmware OneView: 4.10.04-0370820
Firmware iLO2: 2.33 (latest/greatest for all I know)
Both problems seem related to OneView not liking the iLO2 to respond after 20 seconds. Well, the TLS connection is established after about 20 seconds; the content is served almost immediately afterwards. So, it seems the setting up of a TLS connection is hard for iLO2. (I read about a 66MHz processor, so I get that part). But it seems only SOME cipher suites produce a slow connection startup, while others are FAST. Let me provide some details:
# Time one TLS handshake to the iLO per cipher suite and print the wall-clock time
# for every suite the iLO accepts (bash: relies on PIPESTATUS and &>).
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | awk '{print $3}' | while read -r CIPHER; do
    # Only the handshake is timed: stdin is closed, so s_client exits right after connecting.
    (time openssl s_client -connect ilo-someserver:443 -cipher "${CIPHER}" </dev/null &>/dev/null) 2>&1 | grep real >/tmp/real.txt
    # PIPESTATUS[0] is openssl's exit status: print only the suites the iLO actually negotiated.
    if [ "${PIPESTATUS[0]}" -eq 0 ]; then echo -n "${CIPHER};"; cat /tmp/real.txt; fi
done
DHE-RSA-AES256-SHA;real 0m21.774s
AES256-SHA;real 0m0.812s
DHE-RSA-AES128-SHA;real 0m21.160s
AES128-SHA;real 0m0.810s
EDH-RSA-DES-CBC3-SHA;real 0m20.699s
DES-CBC3-SHA;real 0m0.814s
RC4-SHA;real 0m0.812s
The response times are either about 0.8 seconds (fast enough) or some 21 seconds (too slow).
(If anyone knows more about iLO2 to solve it there [that would be a far better fix than a workaround at the OneView side], then please do share. Perhaps I will post about this problem in the iLO forum as well.)
If I were to "solve" this issue from the OneView side, I would want to choose the cipher(s) for outgoing TLS connections on a per host basis. Is that possible? Or is it possible to remove the "iLO2 slow ciphers" globally at the OneView side?
(I just want to know if it is possible. I know I should avoid RC4, 3DES, CBC. I will worry about the security implications. But not having hardware monitoring is also a security issue.)
(If I need to make an unsupported change in the OS of the appliance, then I am still interested. Again, not having hardware monitoring is also a risk.)
Thanks.
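Every slow suite in the output above uses ephemeral Diffie-Hellman key exchange (DHE/EDH, shown as Kx=DH by openssl), while every fast one uses RSA key transport; the DH modular exponentiation is what a 66 MHz management processor spends the 20 seconds on. The following added example (not code from the post or from HPE) parses `openssl ciphers -V` output and the timing lines the one-liner prints, then groups the slow suites by key-exchange algorithm so the pattern is visible at a glance. The cipher table is a constructed sample in the openssl -V column layout; the timing lines are copied from the post.

```python
import re

# Constructed sample of `openssl ciphers -V` output for the seven suites the post tested.
SAMPLE_CIPHERS_V = """\
0x00,0x39 - DHE-RSA-AES256-SHA   SSLv3 Kx=DH  Au=RSA Enc=AES(256)  Mac=SHA1
0x00,0x35 - AES256-SHA           SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
0x00,0x33 - DHE-RSA-AES128-SHA   SSLv3 Kx=DH  Au=RSA Enc=AES(128)  Mac=SHA1
0x00,0x2F - AES128-SHA           SSLv3 Kx=RSA Au=RSA Enc=AES(128)  Mac=SHA1
0x00,0x16 - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH  Au=RSA Enc=3DES(168) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA         SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
0x00,0x05 - RC4-SHA              SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
"""
# Timing lines copied from the post's output ("NAME;real 0mS.SSSs").
SAMPLE_TIMINGS = """\
DHE-RSA-AES256-SHA;real 0m21.774s
AES256-SHA;real 0m0.812s
DHE-RSA-AES128-SHA;real 0m21.160s
AES128-SHA;real 0m0.810s
EDH-RSA-DES-CBC3-SHA;real 0m20.699s
DES-CBC3-SHA;real 0m0.814s
RC4-SHA;real 0m0.812s
"""

def parse_key_exchange(ciphers_v_text):
    """Map suite name -> Kx= value from `openssl ciphers -V` lines (name is column 3)."""
    kx = {}
    for line in ciphers_v_text.splitlines():
        parts = line.split()
        m = re.search(r"Kx=(\S+)", line)
        if len(parts) >= 3 and parts[1] == "-" and m:
            kx[parts[2]] = m.group(1)
    return kx

def parse_timings(timing_text):
    """Map suite name -> seconds from 'NAME;real 0m21.774s' lines."""
    secs = {}
    for line in timing_text.splitlines():
        m = re.match(r"([^;]+);real\s+(\d+)m([\d.]+)s$", line.strip())
        if m:
            secs[m.group(1)] = int(m.group(2)) * 60 + float(m.group(3))
    return secs

def slow_suites_by_kx(kx, secs, threshold=5.0):
    """Group suites slower than `threshold` seconds by key exchange, e.g. {'DH': [...]}."""
    groups = {}
    for suite, t in secs.items():
        if t > threshold:
            groups.setdefault(kx.get(suite, "?"), []).append(suite)
    return groups

if __name__ == "__main__":
    print(slow_suites_by_kx(parse_key_exchange(SAMPLE_CIPHERS_V), parse_timings(SAMPLE_TIMINGS)))
```

On the sample data the only group is "DH", which is why an appliance-side timeout (or a cipher preference that favours RSA key exchange for these legacy BMCs) is the lever, not the bulk cipher or MAC.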
04-09-2019 07:49 AM
Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView sid
Hello,
The iLO 2 devices can be added in OneView for Hardware Monitoring alone and not for managing.
Kindly check this option while adding the server hardware.
Please refer to the support matrix for the server hardware monitoring features for iLO2.
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00045392en_us&docLocale=en_US
If you require any further assistance, kindly log a support ticket.
Regards
04-09-2019 12:16 PM
Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView sid
Thanks @aviorp for your suggestion. We only use OneView to monitor, so indeed not using "managed".
It used to work. Perhaps the trouble started once I switched from legacy encryption mode to FIPS and back again. FIPS is too strict for old hardware, but IIRC iLO2 devices were monitoring correctly before switching to FIPS, yet weren't when switched back from FIPS to legacy. It may be a lead, it may be a red herring.
04-09-2019 10:15 PM
Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView sid
Hi @Gamut
Can you log a support case with a support dump on this problem?
We are interested in knowing what is going on here with respect to ciphers when you did a FIPS mode switch and back to LEGACY.
Regards,
Bhaskar
I am an HPE employee
04-12-2019 06:11 PM
Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView sid
Hi @Gamut
What version of OneView do you have?
Do you have at least 4.10.00-0337278? Asking, as there has been a timeout increase starting this version/build to accommodate iLO2 when a slow cipher gets picked.
Have you opened a support case?
Regards,
Bhaskar
I am an HPE employee