SSL Server Has SSLv2 Enabled Vulnerability

Dave K.
Occasional Visitor

SSL Server Has SSLv2 Enabled Vulnerability

SSL Server Has SSLv2 Enabled Vulnerability port 2381/tcp over SSL

Is there a way to mitigate this by going to SSLv3? I assume this is referring to Systems Manager.

Thanks

P.S. This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum - HP Forums Moderator

5 REPLIES
Rich Purvis
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

The software on port 2381 supports both SSLv2 and SSLv3.

-Rich
Why does my tivo keep recording Nickelodeon?
Dave K.
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

How do you disable v2 so that only v3 is enabled?
Josef Roth_2
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

I have the following security vulnerabilities on several hundred ProLiant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104) which listens on SSL port 2381. Is there a way to enable SSLv3 and turn off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seems it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.conf" were without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL

Thanks
ekonop
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

I get the same SSLv2 Enabled Vulnerability. How can this be mitigated? This is in reference to the HP System Management Homepage. When I disable this service the SSLv2 vulnerability is removed, the only problem is that we use the system management homepage. Thanks
Rich Purvis
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

Latest versions of System Management Homepage have SSL V2 disabled by default. I would suggest you upgrade to the latest version.

-Rich
Why does my tivo keep recording Nickelodeon?
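
To confirm the scanner finding on port 2381, and to re-check after an upgrade, the following added example (not code from this thread or from HP) sends a raw SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO; a raw socket is used because current OpenSSL builds no longer speak SSLv2. The host name passed on the command line is an assumption: use a server you administer.

```python
import os
import socket
import struct

# The seven cipher kinds (3 bytes each) defined by the SSL 2.0 specification.
SSL2_CIPHER_KINDS = bytes.fromhex("0100800200800300800400800500800600400700c0")
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 1, 4
SSL2_VERSION = 0x0002


def build_client_hello(challenge=None):
    """Return a complete SSLv2 CLIENT-HELLO record (2-byte header + body)."""
    challenge = challenge or os.urandom(16)
    # msg type, version, cipher-specs length, session-id length, challenge length
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSL2_VERSION,
                       len(SSL2_CIPHER_KINDS), 0, len(challenge))
    body += SSL2_CIPHER_KINDS + challenge
    # High bit of the first byte marks a 2-byte record header without padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(reply):
    """Return the number of SSLv2 cipher kinds offered, or None if not SSLv2."""
    if len(reply) < 13 or not reply[0] & 0x80:
        return None  # TLS/SSLv3 records start with 0x15/0x16, high bit clear
    msg_type, _hit, _cert_type, version, _cert_len, specs_len, _cid_len = \
        struct.unpack(">BBBHHHH", reply[2:13])
    if msg_type != MSG_SERVER_HELLO or version != SSL2_VERSION:
        return None
    return specs_len // 3


def probe(host, port=2381, timeout=5.0):
    """Connect, send the CLIENT-HELLO, and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except OSError:  # timeout or reset: the server refused the hello
            return None
    return parse_server_hello(reply)


if __name__ == "__main__":
    import sys
    offered = probe(sys.argv[1])
    print("SSLv2 not accepted" if offered is None
          else f"SSLv2 accepted, {offered} cipher kind(s) offered")
```

A result of 0 cipher kinds means the server still completes an SSLv2 hello but offers no SSLv2 cipher, which some scanners continue to report as SSLv2 enabled.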