Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

ILO2 TLS upgrade

Visitor

ILO2 TLS upgrade

Dear all,

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

As per the above link TLS 1.0 is no longer accepted, and is already blocked by Google Chrome.

ERR_SSL_BAD_RECORD_MAC_ALERT

The question is: does HP have any plans to release a version of iLO 2 with TLS > 1.2 baked in?

Or has support ended for these kinds of machines?

And is there anything we - as users - can do to mitigate this issue - apart from using Internet Explorer, which is bound to fail in the future too?

4 REPLIES
Honored Contributor

Re: ILO2 TLS upgrade


Unfortunately, iLO2 has a version of the RSA SSL library that only supports SSLv3 and TLS 1.0 protocols. Remember that iLO2 was released more than 10 years ago, when the entire world used the SSLv3 protocol and TLS 1.1/1.2 did not even exist.

Also, iLO2 is already out of RAM space so, even if we had a license of a newer SSL library with TLS 1.2 support, we wouldn't be able to build the firmware. At least not without removing important functionality from iLO2 in order to make room for the new library.

Finally, Google Chrome has never been officially supported by iLO2. You get a popup screen warning you about unsupported browser every time you use Chrome to browse into iLO2.




__________________________________________________
I work for Hewlett Packard

Occasional Visitor

Re: ILO2 TLS upgrade

I have discovered that Chrome can be forced to *connect* to iLO2 (see how below) but it still can't do the remote console thing because there's no JVM.  Better than nothing, though.  Enough to reboot, anyway.

Having stopped all chrome processes, use the command line (your installed location of the chrome executable may be different):

/opt/google/chrome/chrome --ssl-version-min=tls1 --ssl-version-max=tls1 -ignore-certificate-errors

 

Occasional Visitor

Re: ILO2 TLS upgrade

And you can access ILO 2 with Firefox and IE 11 without problems.

Should be able to do virtual console as well as these browsers support Java still.

Occasional Visitor

Re: ILO2 TLS upgrade

Using the reverse proxy feature on my Synology DiskStation along with my free domain name through Synology, I was able to wrap the old iLO2 HTTPS connection. I still get an error about the SSL and have to click proceed, but it works in Chrome since it sees the DiskStation certificate instead of the iLO's. You may be able to do something similar with some router settings. I think DD-WRT may have something like that but not sure.
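
Added example, not part of any post in this thread: a small parser for the first record a server sends back in a handshake, to confirm from a capture that the iLO 2 side settles on SSLv3 or TLS 1.0 while a proxy in front of it answers with something newer. The function names and the sample records are constructed for illustration, and the result is only meaningful when the ClientHello in the capture offered newer versions.

```python
import struct

# Protocol version codes as they appear on the wire.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY = {"SSLv3", "TLS 1.0"}  # the two protocols the thread says iLO 2 supports

def negotiated_version(record: bytes) -> str:
    """Name the protocol version chosen in a raw ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype == 21 and length >= 2:  # alert: the server refused the ClientHello
        raise ValueError(f"server answered with TLS alert {body[1]}")
    if ctype != 22 or length < 42 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    version = struct.unpack("!H", body[4:6])[0]
    pos = 38                  # 4 handshake header + 2 version + 32 random
    pos += 1 + body[pos]      # session id length byte + session id
    pos += 3                  # cipher suite (2) + compression method (1)
    if pos + 2 <= len(body):  # an extensions block follows
        end = min(len(body), pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:  # supported_versions
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return VERSIONS.get(version, f"unknown 0x{version:04x}")

def sample_server_hello(version: int, ext: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session id)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x0a\x00"
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

def is_legacy(record: bytes) -> bool:
    """True when the server settled on SSLv3 or TLS 1.0."""
    return negotiated_version(record) in LEGACY

if __name__ == "__main__":
    for name, rec in (("iLO side", sample_server_hello(0x0301)),
                      ("proxy side", sample_server_hello(0x0303, bytes.fromhex("002b00020304")))):
        print(name, negotiated_version(rec), "legacy" if is_legacy(rec) else "ok")
```
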