HPE OneView
iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?

Gamut
Frequent Advisor

I am having trouble adding iLO2 interfaces to OneView. Symptom:

"Unable to add server hardware: ilo-someserver"

Also, refreshing some iLO2s gives the following symptom:

"Unable to establish secure communication with the server. An unexpected exception occurred while negotiating the secure connection."


Firmware OneView: 4.10.04-0370820

Firmware iLO2: 2.33 (latest/greatest for all I know)


Both problems seem related to OneView not liking the iLO2 responding only after 20 seconds. Well, the TLS connection is established after about 20 seconds; the content is served almost immediately afterwards. So it seems setting up a TLS connection is hard for iLO2. (I read about a 66MHz processor, so I get that part.) But it seems only SOME cipher suites produce a slow connection startup, while others are FAST. Let me provide some details:

# Try every suite this OpenSSL build knows against the iLO and print the
# wall-clock time for each one the iLO accepts (handshake succeeded).
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | awk '{print $3}' | while read -r CIPHER; do
    ( time openssl s_client -connect ilo-someserver:443 -cipher "${CIPHER}" </dev/null &>/dev/null ) 2>&1 | grep real >/tmp/real.txt
    # PIPESTATUS[0] is the exit status of the timed s_client run: 0 means the handshake completed
    if [ "${PIPESTATUS[0]}" -eq 0 ]; then echo -n "${CIPHER};"; cat /tmp/real.txt; fi
done
DHE-RSA-AES256-SHA;real 0m21.774s
AES256-SHA;real 0m0.812s
DHE-RSA-AES128-SHA;real 0m21.160s
AES128-SHA;real 0m0.810s
EDH-RSA-DES-CBC3-SHA;real 0m20.699s
DES-CBC3-SHA;real 0m0.814s
RC4-SHA;real 0m0.812s

The response times are either about 0.8 seconds (fast enough) or some 21 seconds (too slow).

(If anyone knows more about iLO2 to solve it there [that would be a far better fix than a workaround at the OneView side], then please do share. Perhaps I will post about this problem in the iLO forum as well.)

If I were to "solve" this issue from the OneView side, I would want to choose the cipher(s) for outgoing TLS connections on a per host basis. Is that possible? Or is it possible to remove the "iLO2 slow ciphers" globally at the OneView side?

(I just want to know if it is possible. I know I should avoid RC4, 3DES, CBC. I will worry about the security implications. But not having hardware monitoring is also a security issue.)

(If I need to make an unsupported change in the OS of the appliance, then I am still interested. Again, not having hardware monitoring is also a risk.)

Thanks.
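The pattern in the timings above is that every slow suite does ephemeral Diffie-Hellman key exchange (OpenSSL reports it as Kx=DH, and the iLO has to compute a fresh DH key pair on every handshake), while every fast suite does RSA key exchange (Kx=RSA). The following script is an added example, not code from this thread or from HPE: it parses `openssl ciphers -V` output (the embedded sample is constructed in the OpenSSL 1.1.x layout for the seven suites the iLO accepted), joins it with the posted timings, checks whether the slow/fast split lines up with the key-exchange field, and builds an OpenSSL-style cipher list of the fast suites with RC4 and 3DES dropped. The 5-second threshold is an assumption, and the cipher string is a generic OpenSSL `-cipher` argument; it says nothing about how, or whether, OneView itself can be told to use it. `measure_handshakes()` re-runs the post's measurement with the real `openssl s_client` and needs network access.

```python
import re
import subprocess
import time
from collections import defaultdict

# Constructed sample of `openssl ciphers -V` output (OpenSSL 1.1.x layout) for the
# seven suites the iLO2 accepted in the post. Not captured from the poster's host.
SAMPLE_CIPHERS_V = """\
0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
0x00,0x33 - DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
0x00,0x16 - EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# Wall-clock handshake times in seconds, copied from the measurements in the post.
POSTED_TIMINGS = {
    "DHE-RSA-AES256-SHA": 21.774, "AES256-SHA": 0.812,
    "DHE-RSA-AES128-SHA": 21.160, "AES128-SHA": 0.810,
    "EDH-RSA-DES-CBC3-SHA": 20.699, "DES-CBC3-SHA": 0.814,
    "RC4-SHA": 0.812,
}

SLOW_THRESHOLD_S = 5.0  # assumption: anything slower than this is "slow" for the appliance

LINE_RE = re.compile(
    r"^0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}\s+-\s+(?P<name>\S+)\s+\S+\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into {suite: {"kx", "au", "enc", "mac"}}."""
    suites = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = m.groupdict()
            suites[fields.pop("name")] = fields
    return suites


def slow_by_key_exchange(suites, timings, threshold=SLOW_THRESHOLD_S):
    """Group the timed suites by key exchange (Kx). Per Kx: True if every suite was
    slow, False if every suite was fast, None if the group is mixed."""
    verdicts = defaultdict(set)
    for name, seconds in timings.items():
        verdicts[suites[name]["kx"]].add(seconds > threshold)
    return {kx: (True if v == {True} else False if v == {False} else None)
            for kx, v in verdicts.items()}


def fast_suites(suites, timings, threshold=SLOW_THRESHOLD_S, drop_weak=True):
    """Suites that handshake fast, strongest bulk cipher first. With drop_weak,
    RC4 and 3DES are left out: they are quick on the iLO but should not be enabled."""
    def key_bits(name):
        return int(re.search(r"\((\d+)\)", suites[name]["enc"]).group(1))
    keep = [n for n, s in timings.items() if s <= threshold]
    if drop_weak:
        keep = [n for n in keep if not suites[n]["enc"].startswith(("RC4", "3DES"))]
    return sorted(keep, key=key_bits, reverse=True)


def cipher_string(names):
    """Colon-separated OpenSSL cipher list, usable as an `openssl s_client -cipher` value."""
    return ":".join(names)


def measure_handshakes(host, names, port=443, timeout=60):
    """Re-run the post's measurement: time `openssl s_client -cipher NAME` against host
    for each suite and return {name: seconds} for the suites the server accepted.
    Needs network and an openssl binary; not exercised by the offline checks."""
    results = {}
    for name in names:
        start = time.monotonic()
        proc = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", name],
            stdin=subprocess.DEVNULL, capture_output=True, timeout=timeout)
        if proc.returncode == 0:
            results[name] = time.monotonic() - start
    return results


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    print("slow by key exchange:", slow_by_key_exchange(suites, POSTED_TIMINGS))
    print("fast, non-weak cipher list:", cipher_string(fast_suites(suites, POSTED_TIMINGS)))
```

On the posted numbers the verdict is {"DH": True, "RSA": False}, i.e. the split is exactly the key-exchange family, and the fast list with weak suites dropped is `AES256-SHA:AES128-SHA`. To check a different iLO, feed `measure_handshakes("ilo-someserver", suites)` into the same two functions instead of POSTED_TIMINGS.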

4 REPLIES
aviorp
Advisor

Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?

Hello,

iLO 2 devices can be added to OneView for hardware monitoring only, not for management.

Kindly check this option while adding the server hardware.

[Screenshot attached: iLO2.JPG]

Please refer to the support matrix for the server hardware monitoring features for iLO2.

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00045392en_us&docLocale=en_US

If you require any further assistance, kindly log a support ticket.

Regards

Gamut
Frequent Advisor

Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?

Thanks @aviorp for your suggestion. We only use OneView to monitor, so indeed not using "managed".

It used to work. Perhaps the trouble started once I switched from legacy encryption mode to FIPS and back again. FIPS is too strict for old hardware, but IIRC iLO2 devices were monitoring correctly before switching to FIPS, yet weren't when switched back from FIPS to legacy. It may be a lead, it may be a red herring.

BhaskarV
HPE Pro

Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?

Hi @Gamut 

Can you log a support case with a support dump on this problem?
We are interested in knowing what is going on here with respect to ciphers when you did a FIPS mode switch and back to LEGACY.

Regards,
Bhaskar

BhaskarV
HPE Pro

Re: iLO2 slow for DHE-RSA-AES256-SHA (20s), fast for AES256-SHA (0.8s). Force ciphers on OneView side?

Hi @Gamut 

What version of OneView do you have?
Do you have at least 4.10.00-0337278? Asking, as there has been a timeout increase starting with this version/build to accommodate iLO2 when a slow cipher gets picked.

Have you opened a support case?

Regards,
Bhaskar
