GUI access for an older ProCurve/ProVision Switch
07-20-2018 07:03 AM - edited 07-20-2018 06:44 PM
HTTP GUI Access
A customer asked about access to one of the older ProCurve 2520 switches. This applies to many of the switches from a similar timeframe; I tested a 2520 and 5406zl (V1 chassis).
Both switches have the most recent firmware. The 2520 used in this post has a basic config:
; J9298A Configuration Editor; Created on release #J.15.09.0028 ; Ver #06:04.08.00.01.14.05:1a hostname "HP-2520G-8-PoE" ip default-gateway 10.20.30.1 snmp-server community "public" unrestricted vlan 1 name "DEFAULT_VLAN" no untagged 1 untagged 2-10 no ip address exit vlan 930 name "VLAN930" untagged 1 ip address dhcp-bootp exit password manager
To browse with HTTP (port 80), you don't have to do anything - it works straight out of the box, just like SSH!
HTTPS/SSL GUI Access
To enable SSL access (HTTPS, port 443) is a little more involved. Also note that only older ciphers are used, and may not work with current browsers and/or settings (more on that at the end).
Set the time! Nothing cryptographic works unless the time is set. Ideally you should use timesync (such as SNTP in these older switches).
web-management ssl is the key command; it will remind yuo to install the certificate first.
HP-2520G-8-PoE(config)# web-management ssl https cannot be enabled with no certificate present. To install a self-signed certificate, * Use 'crypto key generate...' to install RSA key; then * Use 'crypto host-cert generate...' to install certificate. HP-2520G-8-PoE(config)# crypto key generate cert rsa bits 2048 Installing new key pair. If the key/entropy cache is depleted, this could take up to a minute. HP-2520G-8-PoE(config)# crypto host-cert generate self-signed Validity start date [07/20/2018]: Validity end date [07/20/2019]: 07/20/2029 Common name [0.0.0.0]: 10.20.30.248 Organizational unit [Dept Name]: Aruba Organization [Company Name]: HPE City or location [City]: Sydney State name [State]: NSW Country code [US]: AU HP-2520G-8-PoE(config)# web-management ssl
The GUI should now be accessible via https:// - except it isn't... Doesn't work on current versions of Chrome or Firefox.
I found an old version of IE (v11 from 2013) on an old machine, and it worked fine:
A Wireshark capture confirms that an old version is used, in this case TLSv1.0
Enabling Old Versions
This is not a good idea. However, if you are particularly keen, you can enable Firefox to use a specific version - in this case TLS1.0. Don't forget to change it back afterwards!
Type in about:config on the Firebox browser line, and change the blue highlighted settings to 1 (the number for TLSv1.0).
It now works in Firefox:
You can delete the cert with:
crypto key zeroize cert
Once you have a self-signed cert installed, you can add a proper CA-signed cert from the GUI.
Richard Litchfield, HPE Aruba
Consulting System Engineer