HPE G2 Metered & Switched PDUs -- Disable TLS 1.0 and 1.1

 
SOLVED
Berkeley
Occasional Collector

I have two G2 PDUs, model P9S15A (Metered & Switched), running the latest firmware (at this time, 2.0.0.P). They have a reasonable web interface for exercising their features. Our organization mandates TLS 1.2 as a minimum, but by default, this PDU has TLS 1.0 and 1.1 enabled. Here's the output from sslscan:

 

SSL/TLS Protocols:
SSLv2   disabled
SSLv3   disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 disabled

 

Sadly I cannot find a good way to disable TLS 1.0 and 1.1 but leave 1.2 enabled. Since it shows up on corporate cybersecurity scans, I have to leave HTTPS disabled.

 

Can TLS 1.0 and 1.1 be disabled while leaving TLS 1.2 enabled? It would be an important feature to add if absent.

TVVJ
HPE Pro
Solution

Re: HPE G2 Metered & Switched PDUs -- Disable TLS 1.0 and 1.1

Hello,

I am not sure, but when I searched the fixes in the firmware update, I got this:

"05. ICT Security review findings related to HPE PDU: TLS and SWEET32 Vulnerability"

This is fixed in Version: 2.0.0.L (27 Aug 2021) of the firmware. Click here for the latest version of the HPE G2 "Metered", "Switched", and "Metered and Switched" Power Distribution Units Firmware.

You may see if the firmware update makes a difference.

Regards,



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[All opinions expressed here are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Berkeley
Occasional Collector

Re: HPE G2 Metered & Switched PDUs -- Disable TLS 1.0 and 1.1

Thanks for the tip! Fortunately, the SWEET32 issue doesn't appear on scans. Unfortunately I'm already on the latest firmware (at this time, 2.0.0.P), so an existing firmware update doesn't appear to be the solution here.

TVVJ
HPE Pro

Re: HPE G2 Metered & Switched PDUs -- Disable TLS 1.0 and 1.1

Hello,

As the device is already on the latest firmware, you may contact HPE Support for further assistance.

Regards,



Berkeley
Occasional Collector

Re: HPE G2 Metered & Switched PDUs -- Disable TLS 1.0 and 1.1

Update: the earlier post from HPE was actually correct. Later firmware versions do have TLS 1.0 and 1.1 disabled. I only tested 2.0.0.P, but this likely dates back to 2.0.0.L as mentioned earlier.

 

For those interested, it turns out the firmware disables TLS in an unconventional way, yielding a false positive result in some security scanning software. Whereas most devices will immediately terminate the TLS session if a device asks for an early version, this firmware does so somewhat late, but before any HTTP data is transmitted. Since scanning software like sslscan is usually only looking for that initial response (the ServerHello), it just assumes old TLS versions are enabled.

 

Thanks!
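
An added example (not from the original thread, and not HPE or sslscan code): the distinction described in the last post, applied to the server-to-client bytes of a captured probe, so that a ServerHello alone is not counted as "enabled". The record layouts are standard TLS; the function names, verdict labels and sample bytes are constructed, and the fatal alert stands in for however the firmware actually ends the session.

```python
import struct

HANDSHAKE, ALERT, CCS, APPDATA = 22, 21, 20, 23   # TLS record content types
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            break                      # connection closed mid-record
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def classify(stream):
    """Return (verdict, negotiated version) for the server's bytes in one probe."""
    hs, encrypted, appdata = b"", False, False
    for ctype, payload in records(stream):
        if ctype == CCS:
            encrypted = True           # later handshake records are ciphertext
        elif ctype == HANDSHAKE and not encrypted:
            hs += payload              # messages may share or span records
        elif ctype == APPDATA:
            appdata = True             # the HTTP response would travel here
    version, pos = None, 0
    while pos + 4 <= len(hs):          # walk handshake messages: type(1) len(3)
        if hs[pos] == 2 and pos + 6 <= len(hs):          # ServerHello
            version = int.from_bytes(hs[pos + 4:pos + 6], "big")
        pos += 4 + int.from_bytes(hs[pos + 1:pos + 4], "big")
    if version is None:
        return ("rejected-early", None)   # no ServerHello: refused up front
    name = VERSIONS.get(version, hex(version))
    return ("usable" if appdata else "rejected-late", name)

def rec(ctype, payload, ver=0x0301):
    return struct.pack("!BHH", ctype, ver, len(payload)) + payload

def hello(ver):  # minimal ServerHello followed by an empty ServerHelloDone
    body = struct.pack("!H", ver) + bytes(32) + b"\x00\x00\x2f\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body + b"\x0e\x00\x00\x00"

# Constructed captures (not taken from a real PDU); the alert is an assumption
FATAL = rec(ALERT, b"\x02\x46")
EARLY = FATAL
LATE = rec(HANDSHAKE, hello(0x0301)) + FATAL
USABLE = (rec(HANDSHAKE, hello(0x0303), 0x0303) + rec(CCS, b"\x01", 0x0303)
          + rec(HANDSHAKE, bytes(40), 0x0303) + rec(APPDATA, bytes(64), 0x0303))
```

The input has to come from a client that continues the handshake and sends a request; a ClientHello-only probe can never tell `rejected-late` from `usable`.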