I wonder if that's the thing. The self-signed cert just won't cut it if you're trying to limit the cipher suites.
Original Message:
Sent: May 30, 2023 05:07 AM
From: sebastian cerazy
Subject: HPE Switch - SSL Vulnerabilities.
No, local MS AD CA issued certificate
------------------------------
spgsitsupport
Original Message:
Sent: May 26, 2023 11:16 AM
From: kirby timm
Subject: HPE Switch - SSL Vulnerabilities.
self-signed cert?
Original Message:
Sent: May 26, 2023 11:11 AM
From: spgsitsupport
Subject: HPE Switch - SSL Vulnerabilities.
I get this:
[code]
<HPE5900-SR1>display ssl server-policy
Total number of SSL server policies: 1
SSL server policy: domain-ssl
PKI domain: domain
Ciphersuites:
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
DHE_RSA_AES_128_CBC_SHA
DHE_RSA_AES_256_CBC_SHA
RSA_AES_128_CBC_SHA256
RSA_AES_256_CBC_SHA256
DHE_RSA_AES_128_CBC_SHA256
DHE_RSA_AES_256_CBC_SHA256
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_GCM_SHA256
ECDHE_RSA_AES_256_GCM_SHA384
Session cache size: 500
Client-verify: disabled
[/code]
------------------------------
spgsitsupport
Original Message:
Sent: May 26, 2023 10:54 AM
From: ktimm@labconnect.com
Subject: HPE Switch - SSL Vulnerabilities.
I also tried, 'cause why not, switching out the policies to match that which is displayed when no SSL server policy is applied, i.e.:
[code]
[HP-BuildRoom-24]display ssl server-policy
Total number of SSL server policies: 1
SSL server policy: examplepolicyfromhp
PKI domain:
Ciphersuites:
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
DHE_RSA_AES_128_CBC_SHA
DHE_RSA_AES_256_CBC_SHA
RSA_AES_128_CBC_SHA256
RSA_AES_256_CBC_SHA256
DHE_RSA_AES_128_CBC_SHA256
DHE_RSA_AES_256_CBC_SHA256
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_GCM_SHA256
ECDHE_RSA_AES_256_GCM_SHA384
Session cache size: 500
Caching timeout: 3600 seconds
Client-verify: Disabled
Certificate chain sending: Disabled
[/code]
However, Nmap still shows the same thing afterwards: no ciphers being displayed at all.
Original Message:
Sent: May 26, 2023 10:38 AM
From: spgsitsupport
Subject: HPE Switch - SSL Vulnerabilities.
And what is your certificate? Is it ECDHE ?
------------------------------
spgsitsupport
Original Message:
Sent: May 26, 2023 10:34 AM
From: kirby timm
Subject: HPE Switch - SSL Vulnerabilities.
With no policy applied I get this
[code]
Host is up (0.0010s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A
MAC Address: 4C:AE:A3:C3:90:94 (Hewlett Packard Enterprise)
Nmap done: 1 IP address (1 host up) scanned in 7.76 seconds
[/code]
Then I apply the following server policy
[code]
Total number of SSL server policies: 1
SSL server policy: examplepolicyfromhp
PKI domain:
Ciphersuites:
ECDHE_RSA_AES_128_CBC_SHA256
ECDHE_RSA_AES_256_CBC_SHA384
ECDHE_RSA_AES_128_GCM_SHA256
ECDHE_RSA_AES_256_GCM_SHA384
Session cache size: 500
Caching timeout: 3600 seconds
Client-verify: Disabled
Certificate chain sending: Disabled
[/code]
After applying the ssl server policy and running the nmap
[code]
Host is up (0.0010s latency).
PORT STATE SERVICE
443/tcp open https
MAC Address: 4C:AE:A3:C3:90:94 (Hewlett Packard Enterprise)
Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds
[/code]
SSL3.0, TLS1.0, and TLS1.1 are all disabled as well but enabling them doesn't seem to resolve anything. There is no rhyme or reason to that specific cipher set. Just happened to be the last set of ciphers that I tried.
Thanks for the response!
Original Message:
Sent: May 26, 2023 10:13 AM
From: spgsitsupport
Subject: HPE Switch - SSL Vulnerabilities.
What does nmap show?
nmap --script ssl-enum-ciphers -p 443 host_IP_or_DNS
------------------------------
spgsitsupport
Original Message:
Sent: May 26, 2023 09:32 AM
From: ktimm@labconnect.com
Subject: HPE Switch - SSL Vulnerabilities.
@jmpk I've followed what you've listed above, however, no matter what ciphersuites I select, once I apply the server policy to HTTPS, I get a "This site can't provide a secure connection <IP> uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite." error. I've tried multiple permutations but every one ends the same, I can't get into the web config with the SSL server-policy enabled. Suggestions?
Original Message:
Sent: Mar 31, 2021 03:08 AM
From: jmpk
Subject: HPE Switch - SSL Vulnerabilities.
Users may see the following plugin names or vulnerabilities in their security assessment report. Below is one example, but the plugin name will be the same for all customers.
Plugin Name
SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Plugin Output:
[code]
List of RC4 cipher suites supported by the remote server :
Low Strength Ciphers (<= 64-bit key)
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
High Strength Ciphers (>= 112-bit key)
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
[/code]
SSL Weak Cipher Suites Supported
Plugin Output:
[code]
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (<= 64-bit key)
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
[/code]
SSL Medium Strength Cipher Suites Supported (SWEET32)
Plugin Output:
[code]
Medium Strength Ciphers (> 64-bit and < 112-bit key or 3DES)
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
[/code]
Users need to create an SSL server-policy and choose secure cipher suites, then link this newly created SSL server-policy to the ip https service.
However, from my point of view, customers don't need the http and https services to configure and manage the switch, as we use SSH.
Users can just disable the ip http and https services to mitigate this vulnerability.
Config Example for SSL:
==
ssl version ssl3.0 disable
ssl version tls1.0 disable
ssl server-policy myserverpolicy ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
ssl client-policy myclientpolicy prefer-cipher dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha
==
[code]
[5940-133-32-ssl-server-policy-myserverpolicy]ciphersuite ?
dhe_rsa_aes_128_cbc_sha Use the ciphersuit SSL_DHE_RSA_with_AES_128_CBC_SHA
dhe_rsa_aes_128_cbc_sha256 Use the ciphersuit TLS_DHE_RSA_with_AES_128_CBC_SHA256
dhe_rsa_aes_256_cbc_sha Use the ciphersuit SSL_DHE_RSA_with_AES_256_CBC_SHA
dhe_rsa_aes_256_cbc_sha256 Use the ciphersuit TLS_DHE_RSA_with_AES_256_CBC_SHA256
ecdhe_ecdsa_aes_128_cbc_sha256 Use the ciphersuit TLS_ECDHE_ECDSA_with_AES_128_CBC_SHA256
ecdhe_ecdsa_aes_128_gcm_sha256 Use the ciphersuit TLS_ECDHE_ECDSA_with_AES_128_GCM_SHA256
ecdhe_ecdsa_aes_256_cbc_sha384 Use the ciphersuit TLS_ECDHE_ECDSA_with_AES_256_CBC_SHA384
ecdhe_ecdsa_aes_256_gcm_sha384 Use the ciphersuit TLS_ECDHE_ECDSA_with_AES_256_GCM_SHA384
ecdhe_rsa_aes_128_cbc_sha256 Use the ciphersuit TLS_ECDHE_RSA_with_AES_128_CBC_SHA256
ecdhe_rsa_aes_128_gcm_sha256 Use the ciphersuit TLS_ECDHE_RSA_with_AES_128_GCM_SHA256
ecdhe_rsa_aes_256_cbc_sha384 Use the ciphersuit TLS_ECDHE_RSA_with_AES_256_CBC_SHA384
ecdhe_rsa_aes_256_gcm_sha384 Use the ciphersuit TLS_ECDHE_RSA_with_AES_256_GCM_SHA384
exp_rsa_des_cbc_sha Use the ciphersuit SSL_RSA_export_with_DES_CBC_SHA
exp_rsa_rc2_md5 Use the ciphersuit SSL_RSA_export_with_RC2_CBC_40_MD5
exp_rsa_rc4_md5 Use the ciphersuit SSL_RSA_export_with_RC4_40_MD5
rsa_3des_ede_cbc_sha Use the ciphersuit SSL_RSA_with_3DES_EDE_CBC_SHA
rsa_aes_128_cbc_sha Use the ciphersuit SSL_RSA_with_AES_128_CBC_SHA
rsa_aes_128_cbc_sha256 Use the ciphersuit TLS_RSA_with_AES_128_CBC_SHA256
rsa_aes_256_cbc_sha Use the ciphersuit SSL_RSA_with_AES_256_CBC_SHA
rsa_aes_256_cbc_sha256 Use the ciphersuit TLS_RSA_with_AES_256_CBC_SHA256
rsa_des_cbc_sha Use the ciphersuit SSL_RSA_with_DES_CBC_SHA
rsa_rc4_128_md5 Use the ciphersuit SSL_RSA_with_RC4_128_MD5
rsa_rc4_128_sha Use the ciphersuit SSL_RSA_with_RC4_128_SHA
[/code]
#SSLWeakCipherSuites
#SSLRC4CipherSuites
#SSLVulnerabilities
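Added example, not part of the original thread and not HPE or scanner code: a small Python filter that maps the `ciphersuite ?` keywords to the three plugin findings named in the first post and builds a `ciphersuite` line from what is left. The regex rules, function names and the `cert_key` parameter are assumptions of this example; it also drops suites whose authentication type does not match the certificate key type.

```python
import re

# Findings named in the post, keyed by a pattern over Comware ciphersuite keywords.
# The patterns are this example's own heuristic, not an HPE or scanner rule set.
FINDINGS = [
    (re.compile(r"^exp_|_des_|_rc2_"), "SSL Weak Cipher Suites Supported"),
    (re.compile(r"_rc4_"), "SSL RC4 Cipher Suites Supported (Bar Mitzvah)"),
    (re.compile(r"_3des_"), "SSL Medium Strength Cipher Suites Supported (SWEET32)"),
]

def findings_for(keyword):
    """Return the scanner findings a ciphersuite keyword would be reported under."""
    kw = keyword.lower()
    return [name for pattern, name in FINDINGS if pattern.search(kw)]

def auth_type(keyword):
    """ecdhe_ecdsa_* suites authenticate with an ECDSA key; the rest of the listing uses RSA."""
    return "ecdsa" if "_ecdsa_" in keyword.lower() else "rsa"

def build_ciphersuite_line(keywords, cert_key):
    """Return (command line or None, {rejected keyword: reasons}) for a certificate key type."""
    keep, rejected = [], {}
    for kw in keywords:
        hits = findings_for(kw)
        if hits:
            rejected[kw] = hits
        elif auth_type(kw) != cert_key:
            rejected[kw] = ["requires certificate key type: " + auth_type(kw)]
        else:
            keep.append(kw)
    # An empty policy would leave the server nothing to negotiate, so report None.
    line = "ciphersuite " + " ".join(keep) if keep else None
    return line, rejected

# Constructed input: a subset of the keywords from the `ciphersuite ?` listing.
SAMPLE = [
    "exp_rsa_rc4_md5", "rsa_rc4_128_sha", "rsa_3des_ede_cbc_sha", "rsa_des_cbc_sha",
    "ecdhe_ecdsa_aes_128_gcm_sha256", "ecdhe_rsa_aes_128_gcm_sha256",
    "ecdhe_rsa_aes_256_gcm_sha384",
]

if __name__ == "__main__":
    line, rejected = build_ciphersuite_line(SAMPLE, cert_key="rsa")
    print(line)
    for kw, why in rejected.items():
        print("drop %-32s %s" % (kw, "; ".join(why)))
```

After applying the resulting policy, the `nmap --script ssl-enum-ciphers` command quoted earlier in the thread is the way to confirm what the switch actually negotiates.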