
How to Disable Cipher Suite in HPE MSA2060 FC

 
y-tanaka0805
Occasional Advisor


In HPE MSA2060 FC
How do I disable the following cipher suites?
--------------------------------
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_GCM_SHA384
--------------------------------

support_s
System Recommended

Query: How to Disable Cipher Suite in HPE MSA2060 FC

System recommended content:

1. HPE OneView 9.0 User Guide for HPE Synergy | Enforcing GCM cipher suites

2. HPE OneView 8.9 User Guide for HPE Synergy | Enforcing GCM cipher suites

 


venkat_y
HPE Pro

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Hello @y-tanaka0805,

You may reset and set the cipher suite using the commands below:
set ciphers list <cipher-string> and
reset ciphers
Please verify the link below for more information about Ciphers:
https://www.hpe.com/psnow/doc/a00105313en_us  (page no 145&174).

Hope this helps!
Regards,
Venkat

If you feel this was helpful please click the KUDOS! thumb below!
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Thank you for your response.
set ciphers list ALL:!TLS_RSA_WITH_AES_128_GCM_SHA256:!TLS_RSA_WITH_AES_256_CBC_SHA256:!TLS_RSA_WITH_AES_256_CCM:!TLS_RSA_WITH_AES_256_CCM_8:!TLS_RSA_WITH_AES_256_GCM_SHA384

After executing the above, the following cipher suites, including the specified cipher suite, were activated. Is there a problem with the way I specified it?
------------------------------------
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_ARIA_128_GCM_SHA256
TLS_RSA_WITH_ARIA_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
------------------------------------

y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

I believe that if I run the following command again, specifying the newly identified cipher suites, I will be able to disable the specified cipher suites. Is my understanding correct?
"set ciphers list ALL:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA:!TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:!TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:!TLS_RSA_WITH_AES_128_CBC_SHA:!TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CCM:!TLS_RSA_WITH_AES_128_CCM_8:!TLS_RSA_WITH_AES_128_GCM_SHA256:!TLS_RSA_WITH_AES_256_CBC_SHA:!TLS_RSA_WITH_AES_256_CBC_SHA256:!TLS_RSA_WITH_AES_256_CCM:!TLS_RSA_WITH_AES_256_CCM_8:!TLS_RSA_WITH_AES_256_GCM_SHA384:!TLS_RSA_WITH_ARIA_128_GCM_SHA256:!TLS_RSA_WITH_ARIA_256_GCM_SHA384:!TLS_RSA_WITH_CAMELLIA_128_CBC_SHA:!TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256:!TLS_RSA_WITH_CAMELLIA_256_CBC_SHA:!TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"

Or should I first revert to the default settings with the following command?
"reset ciphers"

y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Since I posted this in Japanese, I will correct it and post it again.

I am assuming that I can disable the specified cipher suite by running the following command again, specifying the newly indicated cipher suite.
set ciphers list ALL:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA:!TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:!TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:!TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:!TLS_RSA_WITH_AES_128_CBC_SHA:!TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CCM:!TLS_RSA_WITH_AES_128_CCM_8:!TLS_RSA_WITH_AES_128_GCM_SHA256:!TLS_RSA_WITH_AES_256_CBC_SHA:!TLS_RSA_WITH_AES_256_CBC_SHA256:!TLS_RSA_WITH_AES_256_CCM:!TLS_RSA_WITH_AES_256_CCM_8:!TLS_RSA_WITH_AES_256_GCM_SHA384:!TLS_RSA_WITH_ARIA_128_GCM_SHA256:!TLS_RSA_WITH_ARIA_256_GCM_SHA384:!TLS_RSA_WITH_CAMELLIA_128_CBC_SHA:!TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256:!TLS_RSA_WITH_CAMELLIA_256_CBC_SHA:!TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256

Or should I just restore the default settings with the following command?
reset ciphers

venkat_y
HPE Pro

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Hello @y-tanaka0805,

Reset the cipher suites and then activate the ciphers which you want and do not specify 'ALL' when setting ciphers. All ciphers will be activated if you specify the ALL option.
The 'reset ciphers' command clears user-supplied ciphers and sets the cipher list to the system default.

Hope this helps!
Regards,
Venkat

y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Thank you for your response.
I understood that specifying "ALL" will enable all cipher suites.
I am planning to run the one that does not specify "ALL" as you advised, but I am concerned that I may have made a mistake in specifying the cipher suites to disable.
For example, I have read the "HPE MSA 1060/2060/2062 CLI Reference Guide"; the example on page 174 is "set ciphers list ALL:!AES128:!AES256:!SHA256:ECDHE-PSK-CAMELLIA127-SHA256:!ADH:@STRENGTH"

The cipher suite specification scheme is "ECDHE-PSK-CAMELLIA127-SHA256", and "OpenSSL name" is used.
From the above, the following can be inferred, for example
I want to disable "TLS_RSA_WITH_AES_128_GCM_SHA256",
Use "AES128-GCM-SHA256" as "OpenSSL name" instead of "TLS_RSA_WITH_AES_128_GCM_SHA256".
Are there any restrictions on how to specify cipher suites?

y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Also, is there a restriction that the cipher suite designation method must be specified by "OpenSSL name" rather than "IANA name"?

y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

For example, for "TLS_RSA_WITH_AES_128_GCM_SHA256", do we need to specify "AES128-GCM-SHA256"?

venkat_y
HPE Pro

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Hello @y-tanaka0805,

Yes, specify the same as what you specified ("AES128-GCM-SHA256"), and separate one or more ciphers by a colon (without space).
Please use the show ciphers command to view the active cipher list, the user-supplied cipher list (which was specified using the set ciphers command), and the default cipher list after execution.

Hope this helps!
Regards,
Venkat.


y-tanaka0805
Occasional Advisor

Re: How to Disable Cipher Suite in HPE MSA2060 FC

Thank you for your response.
As you advised, I specified the cipher suite to be disabled with the following command, but I get the error message "Error: Invalid cipher list specified."
--------------------------
set ciphers list !DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!AES128-SHA256:!AES128-CCM:!AES128-CCM8:!AES128-GCM-SHA256:!AES256-SHA256:!AES256-CCM:!AES256-CCM8:!AES256-GCM-SHA384:!ARIA128-GCM-SHA256:!ARIA256-GCM-SHA384:!CAMELLIA128-SHA256:!CAMELLIA256-SHA256
--------------------------

Is this because only the ones to disable are specified and not the ones to enable?

The correct answer is, once the cipher suite is restored to the default with the following command,

“reset ciphers”


---------------------
The default values are as follows
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK@STRENGTH
---------------------

It is safe to assume that you can disable five cipher suites by executing the following, including the cipher suites you want to enable, is it correct?

---------------------
Command to execute

set ciphers list TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK@STRENGTH
---------------------


-------------------------
Cipher suites to be disabled
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_256_GCM_SHA384
-------------------------

 

Default value
"AES128-GCM-SHA256:AES256-GCM-SHA384:AES256"

changed to

"!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES256"
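
Added example (not from the thread or from HPE documentation): a pre-flight check for a `set ciphers list` argument that flags the problems raised in the replies above and converts the IANA suite names quoted in the thread to the OpenSSL names the poster derived. The function names are hypothetical, the conversion rule covers only the suite families that appear in this thread, and the exclusions-only check assumes OpenSSL cipher-string semantics.

```python
import re

# IANA key-exchange prefix -> OpenSSL prefix (only the kinds seen in this thread).
KX = {"RSA": "", "DHE_RSA": "DHE-RSA-", "ECDHE_RSA": "ECDHE-RSA-"}
IANA = re.compile(r"TLS_(\w+?)_WITH_(AES|CAMELLIA|ARIA)_(128|256)"
                  r"_(CBC|GCM|CCM_8|CCM)(?:_(SHA\d*))?")

def iana_to_openssl(name):
    """TLS 1.2 IANA suite name -> OpenSSL name, or None if not covered."""
    m = IANA.fullmatch(name)
    if not m or m.group(1) not in KX:
        return None          # TLS 1.3 names (no _WITH_) are left as they are
    kx, alg, bits, mode, mac = m.groups()
    parts = [alg + bits]
    if mode != "CBC":        # OpenSSL drops "CBC" and writes CCM_8 as CCM8
        parts.append(mode.replace("_", ""))
    if mac:
        parts.append(mac)
    return KX[kx] + "-".join(parts)

def lint_cipher_list(arg):
    """Problems discussed in the thread for a `set ciphers list` argument."""
    problems = []
    if re.search(r"\s", arg):
        problems.append("whitespace: separate entries with ':' only")
    tokens = [t for t in re.split(r"[:\s]+", arg) if t]
    if "ALL" in tokens:
        problems.append("ALL: activates every cipher")
    for t in tokens:
        suggestion = iana_to_openssl(t.lstrip("!"))
        if suggestion:
            problems.append(f"{t}: IANA name, OpenSSL name is {suggestion}")
    if tokens and all(t.startswith("!") for t in tokens):
        problems.append("exclusions only: no cipher is enabled")
    return problems

if __name__ == "__main__":
    # Constructed inputs modelled on the commands posted in the thread.
    for arg in ("ALL:!TLS_RSA_WITH_AES_256_CCM_8:!TLS_RSA_WITH_AES_256_CBC_SHA256",
                "!DHE-RSA-AES128-SHA:!AES128-CCM8",
                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"):
        print(arg, "->", lint_cipher_list(arg) or "no findings")
```

After applying a list on the array, `show ciphers` remains the authoritative check of what is actually active.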