
SSL Server Has SSLv2 Enabled Vulnerability

 
Dave K.
New Member

SSL Server Has SSLv2 Enabled Vulnerability port 2381/tcp over SSL

Is there a way to mitigate this by going to SSLv3? I assume this is referring to Systems Manager.

Thanks

P.S. This thread has been moved from ITRC server mgmt (Insight Manager 7) Forum to ITRC HP Systems Insight Manager Forum - HP Forums Moderator

Rich Purvis
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

The software on port 2381 supports both SSLv2 and SSLv3.

-Rich
Why does my tivo keep recording Nickelodeon?
Dave K.
New Member

Re: SSL Server Has SSLv2 Enabled Vulnerability

How do you disable v2 so that only v3 is enabled?
Josef Roth_2
Occasional Visitor

Re: SSL Server Has SSLv2 Enabled Vulnerability

I have the following security vulnerabilities on several hundred ProLiant servers.

- SSL Server Supports Weak Encryption
- SSL Server Uses Weak Encryption
- SSL Server Has SSLv2 Enabled
- SSL Certificate - Signature Verification Failed
- SSL Certificate - Self-Signed Certificate
- SSL Certificate - Subject Common Name Does Not Match Server FQDN

All of them are caused by the HP System Management Homepage (v2.0.1.104) which listens on SSL port 2381. Is there a way to enable SSLv3 and turn off SSLv2 and also restrict access to strong encryption only?

I got stuck and it seems it is not possible to disable v2. My attempts to change the config file "C:\hp\hpsmh\conf\smhpd.conf" were without success. The file gets dumped when the SysMgmtHP service starts up. Therefore, I assume configuration settings are hard coded somewhere.

A look at the SSLCipherSuite entry shows that v2 is enabled.
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:-LOW:+eNULL

This should be changed to:
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:-SSLv2:+SSLv3:+EXP:-LOW:+eNULL

Thanks
ekonop
New Member

Re: SSL Server Has SSLv2 Enabled Vulnerability

I get the same SSLv2 Enabled Vulnerability. How can this be mitigated? This is in reference to the HP System Management Homepage. When I disable this service the SSLv2 vulnerability is removed; the only problem is that we use the system management homepage. Thanks
Rich Purvis
Honored Contributor

Re: SSL Server Has SSLv2 Enabled Vulnerability

Latest versions of System Management Homepage have SSL V2 disabled by default. I would suggest you upgrade to the latest version.

-Rich
Why does my tivo keep recording Nickelodeon?