HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Server Management - Systems Insight Manager
Showing results for 
Search instead for 
Did you mean: 

HP SIM TLS Session Renegotiation Vulnerability

Occasional Contributor

HP SIM TLS Session Renegotiation Vulnerability

I work as the security analyst focusing on server vulnerability management for the. We have 2 issues. I need to know what patch or what configuration I need to make to resolve identified vulnerabilities.

1st) HP Systems Management Homepage - Windows Systems 2003 - 2008
- Running on port 2381
o TLS Protocol Session Renegotiation

2nd) HP SIM 6.0 CRM - Windows 2008 R2
- Running on port 50,000
o TLS Protocol Session Renegotiation
o SSL Server Supports Weak Encryption

With the first two I need to be able to disable the TLS Session Renegotiation. With the second we need to disable the Weak Encryption (cipher suites) provide by the underlying SIM web server (tomcat).

The Microsoft TLS Protocol Session Renegotiation fix has been applied. This is fixed with MS KB Patch 977377 (http://www.microsoft.com/technet/security/advisory/977377.mspx).
At the operating system level in the SCHANNEL hive of the registry weak ciphers have been disabled, why is SIM disregarding this? Does SIM use OpenSSL and thus the OS level configuration does not apply?

I have sent this to an HP support rep, Walter Castillo, but have not heard from him in over a week (20100421).



P.S. This thread has been moved from Insight Remote Support > general to ITRC HP Systems Insight Manager Forum - Hp Forums moderator

Viktor Balogh
Honored Contributor

Re: HP SIM TLS Session Renegotiation Vulnerability

For SIM: Look for the conf files of tomcat/SIM, I think the encryption level can be set there somewhere. Here is a doc to the topic:

Unix operates with beer.
Occasional Contributor

Re: HP SIM TLS Session Renegotiation Vulnerability

Thank you Viktor, but that is too high level. I know that HP IHM supports SSLv3 and TLSv1, but I am looking for the specifics as to how HP is rememdiating the TLS Session Renegotiation issue. Most vendors have released updates to their management consoles which include updates the the underlying OpenSSL which disabled TLS Session Renegotiation. Do you know of a specific patch set or update, or configuration within that will resolve this. Again, thanks again, I greatly appreciate your reply. Keith