A5500: Howto force ssl to tls 1.x?

  • 1.  A5500: Howto force ssl to tls 1.x?

    Posted Nov 06, 2017 01:22 AM

    Have A5500 switches (formerly 3com 4800g), branded to HP with latest firmware 2222P07.

    I can access the switch using http, but wanted to enable the https protocol

    using the steps available via docs and google

    #ip https enable 

    I only get the message from the browsers (FF and Chrome): unsupported protocol. In fact I have to force the switch to TLS 1.x (SSL v3.1). How to do this? The self-signed certificate is not the problem, as I cancelled my tests with our AD domain and the certificate server because of "untrusted CA", for which there was also no solution on the world wide web or in the docs.



  • 2.  RE: A5500: Howto force ssl to tls 1.x?

    MVP GURU
    Posted Nov 06, 2017 03:33 AM

    Hello, do you mean how to disable SSL 3.0 Switch side in order to force it to use TLS 1.0?



  • 3.  RE: A5500: Howto force ssl to tls 1.x?

    Posted Nov 06, 2017 03:53 AM

    Hi

    Thanks for the fast answer.

    I have no idea what the right way to reach my goal is.

    If it works by disabling SSLv3, maybe...

    Gotthard



  • 4.  RE: A5500: Howto force ssl to tls 1.x?

    MVP GURU
    Posted Nov 06, 2017 04:15 AM

    I asked that because I noticed that since R2221P08 a new feature was introduced: "Disabling SSL 3.0". It allows you to disable SSL 3.0 on the Switch to enhance security (clearly peer devices - Web Browsers in our case - should support TLS 1.0).

    The explanation given on Release Notes was:

    This feature allows you to disable SSL 3.0 on a device to enhance system security.

    • An SSL server supports only TLS 1.0 after SSL 3.0 is disabled.
    • An SSL client always uses SSL 3.0 if SSL 3.0 is specified for the client policy, whether you
      disable SSL 3.0 or not.

    To ensure successful establishment of an SSL connection, do not disable SSL 3.0 on a device when the peer device only supports SSL 3.0. HP recommends upgrading the peer device to support TLS 1.0 to improve security.

    The system-view command is ssl version ssl3.0 disable (undo to revert to SSL 3.0, which is enabled by default).



  • 5.  RE: A5500: Howto force ssl to tls 1.x?

    Posted Nov 06, 2017 04:56 AM

    Hi,

    #ssl version ssl3.0 disable

    don't forget to reload the https server :-)

    #undo ip https ena

    #ip https ena

    New error message in browser (here chrome):

    ERR_SSL_BAD_RECORD_MAC_ALERT

    If I check the certificate in IE, the selfsigned certificate is issued to "Comware-HTTPS...". No chance to change?
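    As an added example (not from this thread and not HP tooling): a small Python decoder for TLS/SSL record headers, so that a packet capture of the switch's HTTPS port can be checked for which version the switch actually negotiates after `ssl version ssl3.0 disable` (SSL 3.0 is version 3.0 on the wire, TLS 1.0 is 3.1), and so that the alert behind Chrome's ERR_SSL_BAD_RECORD_MAC_ALERT (alert description 20, bad_record_mac) can be read directly. The sample records below are constructed, not captured from an A5500.

```python
import struct

# Version bytes on the wire: SSL 3.0 is 3.0, TLS 1.0 is 3.1 (the "ssl v3.1"
# mentioned in the question), TLS 1.1 is 3.2, TLS 1.2 is 3.3.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of RFC 5246 AlertDescription values; 20 is what Chrome surfaces
# as ERR_SSL_BAD_RECORD_MAC_ALERT.
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}

def parse_record(data: bytes) -> dict:
    """Decode one record-layer header and, for alerts and ServerHello, the body."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body truncated")
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "record_version": VERSIONS.get((major, minor), f"{major}.{minor}")}
    if ctype == 21 and length >= 2:                       # Alert: level, description
        rec["alert"] = (ALERT_LEVELS.get(body[0], str(body[0])),
                        ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
    elif ctype == 22 and length >= 6 and body[0] == 2:    # Handshake type 2 = ServerHello
        # 4-byte handshake header (type + 24-bit length), then server_version
        rec["negotiated_version"] = VERSIONS.get((body[4], body[5]), f"{body[4]}.{body[5]}")
    return rec

def ssl3_negotiated(data: bytes) -> bool:
    """True if the ServerHello still picks SSL 3.0, i.e. the disable did not take effect."""
    return parse_record(data).get("negotiated_version") == "SSL 3.0"

# Constructed sample records (not captured from an A5500).
# Fatal bad_record_mac alert carried in a TLS 1.0 record.
ALERT_BAD_MAC = bytes.fromhex("15 03 01 00 02 02 14")
# Minimal ServerHello: 32-byte random, empty session id, one cipher suite, null compression.
_HELLO_TAIL = bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
SERVER_HELLO_TLS10 = bytes.fromhex("16 03 01 00 2a 02 00 00 26 03 01") + _HELLO_TAIL
SERVER_HELLO_SSL30 = bytes.fromhex("16 03 00 00 2a 02 00 00 26 03 00") + _HELLO_TAIL

if __name__ == "__main__":
    for sample in (ALERT_BAD_MAC, SERVER_HELLO_TLS10, SERVER_HELLO_SSL30):
        print(parse_record(sample))
```

    Feed it the first record the switch sends back (e.g. exported from a capture of TCP port 443) to tell apart "SSL 3.0 still negotiated" from "TLS 1.0 negotiated but the record MAC check failed".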




  • 6.  RE: A5500: Howto force ssl to tls 1.x?

    MVP GURU
    Posted Nov 06, 2017 05:33 AM

    Can you report whether that error "ERR_SSL_BAD_RECORD_MAC_ALERT" shows up using, respectively, the latest Mozilla Firefox, Google Chrome and Microsoft Internet Explorer? Maybe there is an issue (TLS 1.0 not supported on the Web Browser side?) at the Web Browser side...



  • 7.  RE: A5500: Howto force ssl to tls 1.x?

    Posted Nov 06, 2017 06:44 AM

    Hello,

    Firefox 56: no connection, with a message similar to the one reported

    Chrome 61: no connection, with the reported message

    IE 11: connects with a lot of warnings: "the certificate was issued for another address of this website"

    IMHO the FF and Chrome have disabled ssl v3 support, but should accept tls v1.0 connections.

    Go



  • 8.  RE: A5500: Howto force ssl to tls 1.x?

    Posted Sep 26, 2019 12:08 PM

    Same problem here.....

    Did you arrive at any solution?