Wired Intelligent Edge

Unable to perform HP 2530 hardening (HTTPS and SSH)

  • 1.  Unable to perform HP 2530 hardening (HTTPS and SSH)

    Posted Jun 29, 2015 10:20 AM

    We would like to perform HP 2530 hardening, but some options seem to be missing in the current firmware.

     

    For HTTPS we were unable to:

    1. Disable all protocols except TLSv1.2.

    2. Enable forward secrecy key exchange: ECDHE (with P-521 or Curve25519) or DHE with 4096 dhparam instead of non-FS RSA key exchange.

    3. Disable 3DES_EDE_CBC cipher (grade C in Qualys SSL Server Test).

    4. Enable AEAD ciphers like AES_256_GCM, AES_128_GCM or CHACHA20_POLY1305.

    5. Disable Secure Client-Initiated Renegotiation.

     

    For SSH we were unable to:

    1. Replace diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1 with diffie-hellman-group-exchange-sha256.

    2. Replace existing MACs with hmac-sha2-256.

     

    Firmware used: YA.15.16.0008.

     

    Can we expect that support for modern cipher suites will appear in HP products?

     


    #ssh
    #compliance
    #security
    #hardening
    #https


  • 2.  RE: Unable to perform HP 2530 hardening (HTTPS and SSH)

    Posted Jun 29, 2015 08:48 PM

    The 2530 switch shouldn't be terminating any connections relevant to secure card payments.

     

    The hardening you refer to needs to be carried out on the applications and on the firewalls & routers that secure them.



  • 3.  RE: Unable to perform HP 2530 hardening (HTTPS and SSH)

    Posted Jun 30, 2015 03:21 AM

    Vince: at some point you need to connect to the switch to manage it, and that connection should be secure. If someone decided to support HTTPS and SSH protocols in this model, then it should be implemented properly.



  • 4.  RE: Unable to perform HP 2530 hardening (HTTPS and SSH)

    EMPLOYEE
    Posted Jun 30, 2015 11:07 AM

    There were updates to the protocols in the 15.17 builds. I have a 2920 that is running 15.17.0005 and it is using TLS 1.2. I am not sure how to test the switch to see the full list of enabled algorithms. If you can provide details on the test you are using, I would be willing to run it and see what returns.

     

    There is an update for the 2530: YA.15.17.0007: https://h10145.www1.hp.com/Downloads/SoftwareReleases.aspx?ProductNumber=J9853A&lang=en,en&cc=us,us&prodSeriesId=5333803
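    Post 4 asks how to see the full list of algorithms a switch offers, and post 1 lists the SSH targets (no diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256 present, hmac-sha2-256 MACs). The script below is an added example written for this thread, not vendor code: it decodes the SSH_MSG_KEXINIT that every SSH-2 server sends right after the identification-string exchange (RFC 4253 section 7.1) and checks the offered key-exchange and MAC name-lists against those targets. The constructed sample packet, the `check_policy` findings format and the `read_kexinit_from_server` helper are this example's own assumptions; the helper only performs the version exchange and reads the first packet, it never authenticates.

```python
"""Decode an SSH_MSG_KEXINIT and compare the offered algorithms with the
hardening targets quoted in this thread. Added example, not vendor code."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Targets taken from post 1 of the thread.
FORBIDDEN_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}
REQUIRED_KEX = {"diffie-hellman-group-exchange-sha256"}
REQUIRED_MAC = {"hmac-sha2-256"}

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_client_to_server",
    "encryption_server_to_client",
    "mac_client_to_server",
    "mac_server_to_client",
    "compression_client_to_server",
    "compression_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (message byte, 16-byte cookie, name-lists)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # skip message type and cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list: %s" % name)
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def check_policy(fields: dict) -> list:
    """Return findings against the thread's targets; an empty list means compliant."""
    findings = []
    kex = set(fields["kex_algorithms"])
    for bad in sorted(kex & FORBIDDEN_KEX):
        findings.append("weak kex offered: " + bad)
    for good in sorted(REQUIRED_KEX - kex):
        findings.append("missing kex: " + good)
    macs = set(fields["mac_client_to_server"]) | set(fields["mac_server_to_client"])
    for good in sorted(REQUIRED_MAC - macs):
        findings.append("missing mac: " + good)
    return findings


def _name_list(items) -> bytes:
    body = ",".join(items).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for lst in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(lst)
    return payload + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def read_kexinit_from_server(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Live variant (assumed helper, not exercised offline): exchange identification
    strings and read the server's first binary packet, which carries its KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = f.readline()                 # e.g. b"SSH-2.0-..."
        sock.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        (packet_length,) = struct.unpack(">I", f.read(4))
        padding_length = f.read(1)[0]
        payload = f.read(packet_length - padding_length - 1)
    fields = parse_kexinit(payload)
    fields["server_banner"] = banner.strip().decode("ascii", "replace")
    return fields


# Constructed sample matching the situation described in post 1: SHA-1 DH
# groups only and no SHA-2 MAC.
SAMPLE_OLD = build_kexinit(
    kex=("diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"),
    hostkey=("ssh-rsa",),
    enc=("aes128-cbc", "3des-cbc"),
    mac=("hmac-sha1", "hmac-md5"),
)

if __name__ == "__main__":
    for finding in check_policy(parse_kexinit(SAMPLE_OLD)):
        print(finding)
```

    Run it against a management address with `read_kexinit_from_server("<switch-ip>")` and pass the result to `check_policy`; the same parser works on a KEXINIT payload extracted from a packet capture.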



  • 5.  RE: Unable to perform HP 2530 hardening (HTTPS and SSH)

    Posted Sep 19, 2020 04:29 PM

    HW 2530-48 ver YB.16.10.0010

    1. Disable all protocols except TLSv1.2
    # tls application all lowest-version tls1.2
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y

    3. Disable 3DES_EDE_CBC cipher (grade C in Qualys SSL Server Test)
    # tls application all lowest-version tls1.2 disable-cipher des3-cbc-sha
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y
    # tls application all lowest-version tls1.2 disable-cipher ecdh-ecdsa-des-cbc3-sha
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y
    # tls application all lowest-version tls1.2 disable-cipher ecdh-rsa-des-cbc3-sha
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y
    # tls application all lowest-version tls1.2 disable-cipher ecdhe-ecdsa-des-cbc3-sha
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y
    # tls application all lowest-version tls1.2 disable-cipher ecdhe-rsa-des-cbc3-sha
    Do you want to terminate the existing TLS or SSL sessions (y/n)? y

    4. Enable AEAD ciphers like AES_256_GCM, AES_128_GCM or CHACHA20_POLY1305
    Only these are available:
    # tls application all lowest-version tls1.2 cipher
    aes128-gcm-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256
    aes128-sha Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
    aes128-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256
    aes256-gcm-sha384 Specify the cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384
    aes256-sha Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA
    aes256-sha256 Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256
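    The help output quoted above lists only TLS_RSA_* suites, so the YB.16.10.0010 firmware covers item 4 of post 1 (AEAD GCM suites) but still not item 2 (forward-secrecy key exchange). The script below is an added example written for this thread, not vendor code: it parses that help output into the IANA suite names and classifies each suite by key exchange, AEAD mode and 3DES so the remaining gap is visible at a glance. The `SWITCH_CIPHER_HELP` constant copies the quoted lines; the regular expression, the classification rules and the function names are this example's own assumptions.

```python
"""Classify the TLS cipher suites a switch lists against the hardening targets
from post 1 of this thread. Added example, not vendor code."""
import re

# Copied from the `tls application all lowest-version tls1.2 cipher` help output
# quoted in post 5.
SWITCH_CIPHER_HELP = """\
aes128-gcm-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256
aes128-sha Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
aes128-sha256 Specify the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256
aes256-gcm-sha384 Specify the cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384
aes256-sha Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA
aes256-sha256 Specify the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256
"""

# "<cli keyword> Specify the cipher suite <IANA name>" (assumed help-line format)
SUITE_RE = re.compile(r"^(?P<keyword>\S+)\s+Specify the cipher suite\s+(?P<iana>TLS_\S+)")


def parse_cipher_help(text: str) -> dict:
    """Map each CLI keyword to the IANA suite name the help text gives for it."""
    suites = {}
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites[m.group("keyword")] = m.group("iana")
    return suites


def classify_suite(iana: str) -> dict:
    """Split TLS_<kex>_WITH_<cipher>_<prf> into the properties post 1 asks about."""
    if not iana.startswith("TLS_") or "_WITH_" not in iana:
        raise ValueError("unexpected suite name: " + iana)
    kex, rest = iana[len("TLS_"):].split("_WITH_", 1)
    return {
        "kex": kex,
        # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
        "forward_secrecy": kex.startswith(("ECDHE_", "DHE_")) or kex in ("ECDHE", "DHE"),
        "aead": any(tag in rest for tag in ("_GCM_", "CHACHA20_POLY1305", "_CCM")),
        "triple_des": "3DES_EDE_CBC" in rest,
    }


def evaluate(suites: dict) -> dict:
    """Summarise how far the offered list gets towards items 2, 3 and 4 of post 1."""
    props = {kw: classify_suite(name) for kw, name in suites.items()}
    return {
        "forward_secrecy_available": any(p["forward_secrecy"] for p in props.values()),
        "aead_available": any(p["aead"] for p in props.values()),
        "triple_des_offered": sorted(kw for kw, p in props.items() if p["triple_des"]),
        "non_fs_suites": sorted(kw for kw, p in props.items() if not p["forward_secrecy"]),
    }


if __name__ == "__main__":
    result = evaluate(parse_cipher_help(SWITCH_CIPHER_HELP))
    for key, value in result.items():
        print("%-26s %s" % (key, value))
```

    Paste the help output of a newer firmware into `SWITCH_CIPHER_HELP` (or read it from a file) to see whether ECDHE or DHE suites have been added; `classify_suite` also accepts any other IANA-style name, so the same check works on a cipher list taken from an external TLS scan.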