Obviously you dont support it but will you be adding support to it or should I just add this to the list of justifications for not purchasing any more HP servers as we replace our existing 250 G7 servers that have current HPE support contracts? Tls 1.0 and 1.1 both have security issues that were announced before the EOL of iLO 3 support and as such it should have been updated to use 1.2.
New servers don't have iLO 3 in them. HPE ProLiant Gen8, Gen 9 and Gen10 servers have iLO 4 and iLO 5, which both support TLSv1.2
But iLO 3 did address the TLSv1.0 and TLSv1.1 issues.
iLO 3 implemented both the split record fix and TLS bad padding alert masking, which mitigate the IV implementation problems and the padding-check oracles which are the root cause problems for TLSv1.0 and TLSv1.1 (and TLSv1.2, actually in some implementations)
iLO 3 added the ability to disable the HTTPS webserver entirely, which certainly addresses the issues, and works well for some customers who are primarily using SSH for management.
It's worth mentioning that many such attacks require code injection, an active or forwarding man in the middle, and tens of thousands of requests made against iLO. Those tend to be impossible to practically execute on iLO's small processor/webserver with static page content.
If there truly are concerns about a man-in-the-middle; a properly trusted iLO SSL certificate and a policy of respecting the browser's warnings is necessary to defeat those attacks, regardless of the presence of TLSv1.2+.
