HPE Community
HPE OneView
1827078 Members
1486 Online
109713 Solutions
New Discussion

Re: Scanning HPE OneView using Nessus scan shows Medium Strength Cipher Suites Supported

 
SOLVED
Go to solution
UCL
Occasional Contributor

‎05-31-2023 02:17 AM - last edited on ‎05-31-2023 09:00 AM by

‎05-31-2023 02:17 AM - last edited on ‎05-31-2023 09:00 AM by

Scanning HPE OneView using Nessus scan shows Medium Strength Cipher Suites Supported

How can one disable 3DES on the HPE OneView appliance? 

 
 

Appliance

  1. Firmware 
    8.20.00-0475724

 

Output

  •   Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

    Name                          Code             KEX           Auth     Encryption             MAC
    ----------------------        ----------       ---           ----     ---------------------  ---
    ECDHE-RSA-DES-CBC3-SHA        0xC0, 0x12       ECDH          RSA      3DES-CBC(168)          SHA1

The fields above are :

  {Tenable ciphername}
  {Cipher ID code}
  Kex={key exchange}
  Auth={authentication}
  Encrypt={symmetric encryption method}
  MAC={message authentication code}
  {export flag}
0 Kudos
Reply
2 REPLIES 2
DanCernese
HPE Pro

‎05-31-2023 06:24 AM

‎05-31-2023 06:24 AM

Re: Scanning HPE OneView using Nessus scan shows Medium Strength Cipher Suites Supported

I may not remember correctly, but iLO4 has an AES/3DES setting and therefore HPE OneView must support it.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
ChrisLynch
HPE Pro

‎06-01-2023 09:37 AM - edited ‎06-01-2023 09:38 AM

‎06-01-2023 09:37 AM - edited ‎06-01-2023 09:38 AM

Solution

Re: Scanning HPE OneView using Nessus scan shows Medium Strength Cipher Suites Supported

You can disable 3DES, or weaker ciphers and enforce stronger GCM ciphers by doing one of the following:

  1. Navigate to Settings -> Security panel -> Actions -> Edit cipher suites.  Here you can enable GCM ciphers. 
  2. Use the REST API to perform a PUT operation to /rest/security/global-settings. 
  3. Use the Enable-OVApplianceStrictSecurityCipherSuite Cmdlet.

 A reboot of the appliance is needed regardless of the process you follow above.  Do know that for the API, you need to be at OneView 6.30 or newer.  The UI was added later in 6.60.

As Dan stated, iLO4 systems will require a minimum version of firmware to continue monitoring or management operations.  This is outlined in this CA.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.