Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-17 Thread Libor Klepáč
Hi,

> That doesn't work for me. We all have different configurations which might
Agreed

> play into this. 3DES_EDE_CBC is not even used if I read the output of
> TestSSL correctly.
> 
> 
> I took a different approach and started with disabling MD5 as this is what

MD5 was first thing I tried, did not help here

> the default iDRAC6 cert uses. I also upgraded OpenJDK8 to version 171 which
> might have changed invalidated my earlier testing as Java might have
> tightened security again. After testing around different combinations found
> on the list I found only MD5 needs to be removed from two settings in the
> java.security file. a) jdk.certpath.disabledAlgorithms
> b) jdk.jar.disabledAlgorithms
> 

I think that the only proper solution is a new version of iDrac firmware with proper
SSL level of security, instead of users fiddling with java settings.


Libor

> On Tue, May 15, 2018 at 7:17 AM, Libor Klepáč 
> wrote:
> 
> 
> Hi,
> that explains why suddenly I cannot connect to remote console from my linux
> box. I was also thinking it has something to do with BIOS upgrade.
> 
> For the record, I can connect to console again without commenting out
> jdk.jar.disabledAlgorithms
> 
> but with removing
> 3DES_EDE_CBC
> from
> jdk.tls.disabledAlgorithms
> 
> few lines lower in config file (leaving rest of jdk.tls.disabledAlgorithms
> with no change)
> 
> My java is 8u171-b11-1 from Debian
> 
> Libor
> 
> On Thursday, 10 May 2018 17:37:56 CEST Stephen John Smoogen wrote:
> > On 10 May 2018 at 09:57, Patrick Boutilier wrote:
> > > On 05/10/2018 10:34 AM, lejeczek wrote:
> > >> On 09/05/18 22:34, R S wrote:
> > >>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
> > >>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and the
> > >>> 'Connection Failed' issue is still there, so I'm trying to downgrade the
> > >>> BIOS.
> > >> 
> > >> I've just downgraded back to 3.2.2 on one r815 and it seems that it
> > >> actually might be iDrac6 =! new Java.
> > >> 
> > >> I wonder if users of newer iDracs also experience this problem?
> > > 
> > > Newer iDRACs can use html5 instead of java plugin for the console. Not sure
> > > if it is the default but it is possible to change from Java to html5.
> > 
> > I think that is only on the iDrac8 and some? iDrac7 so on an iDrac6
> > probably will not have it. We found that the newest java puts in a
> > security fix to remove accepting weak encryption.
> > 
> > the 'fix' was to edit
> > /usr/lib/jvm/java-openjdk/jre/lib/security/java.security and comment
> > out the "jdk.jar.disabledAlgorithms=" line. Not great.. but it got the
> > newer javas to talk to the old consoles.
> > 
> > I would also uncomment the line afterwards.
> 
> --
> Tech III * AppControl * Endpoint Protection * Server Maintenance
> Buncombe County Schools Technology Department Network Group
> ComicSans Awareness Campaign


___
Linux-PowerEdge mailing list
Linux-PowerEdge@dell.com
https://lists.us.dell.com/mailman/listinfo/linux-poweredge
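
The three `java.security` properties edited in this thread, checked by an added audit script (not code from any list participant): it reports which of them no longer disable MD5 or 3DES_EDE_CBC, so a workstation relaxed to reach an iDRAC6 console can be found and restored. The file contents in `SAMPLE` are constructed, and the function names are this example's own.

```python
import sys

# Properties edited in the thread, and the entries that were removed from each.
WATCHED = {
    "jdk.certpath.disabledAlgorithms": ["MD5"],
    "jdk.jar.disabledAlgorithms": ["MD5"],
    "jdk.tls.disabledAlgorithms": ["3DES_EDE_CBC"],
}

def parse_properties(text):
    """Parse java.security text: '#'/'!' comments, backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]      # logical line continues on the next one
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def audit(text):
    """Return {property: [findings]} for settings relaxed as described above."""
    props = parse_properties(text)
    findings = {}
    for name, required in WATCHED.items():
        if name not in props:         # absent or commented out
            findings[name] = ["property missing or commented out"]
            continue
        # Keep the first token of each entry, e.g. "RSA" from "RSA keySize < 1024".
        names = {e.split()[0] for e in props[name].split(",") if e.strip()}
        missing = [alg for alg in required if alg not in names]
        if missing:
            findings[name] = ["not disabled: " + alg for alg in missing]
    return findings

# Constructed sample, not taken from any host in the thread.
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \\
    DSA keySize < 1024
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC
"""

if __name__ == "__main__":
    print(audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE))
```

Run it with the path to the host's `java.security` file as the only argument; an empty result means all three properties still list the entries discussed in the thread.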


Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-16 Thread R S
That doesn't work for me. We all have different configurations which might
play into this. 3DES_EDE_CBC is not even used if I read the output of
TestSSL correctly.

I took a different approach and started with disabling MD5 as this is what
the default iDRAC6 cert uses. I also upgraded OpenJDK8 to version 171 which
might have changed invalidated my earlier testing as Java might have
tightened security again.
After testing around different combinations found on the list I found only
MD5 needs to be removed from two settings in the java.security file.
a) jdk.certpath.disabledAlgorithms
b) jdk.jar.disabledAlgorithms



On Tue, May 15, 2018 at 7:17 AM, Libor Klepáč  wrote:

> Hi,
> that explains why suddenly I cannot connect to remote console from my
> linux box.
> I was also thinking it has something to do with BIOS upgrade.
>
> For the record, I can connect to console again without commenting out
> jdk.jar.disabledAlgorithms
>
> but with removing
> 3DES_EDE_CBC
> from
> jdk.tls.disabledAlgorithms
>
> few lines lower in config file (leaving rest of jdk.tls.disabledAlgorithms
> with no change)
>
> My java is 8u171-b11-1 from Debian
>
> Libor
>
> On Thursday, 10 May 2018 17:37:56 CEST Stephen John Smoogen wrote:
> > On 10 May 2018 at 09:57, Patrick Boutilier wrote:
> > > On 05/10/2018 10:34 AM, lejeczek wrote:
> > >> On 09/05/18 22:34, R S wrote:
> > >>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
> > >>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and the
> > >>> 'Connection Failed' issue is still there, so I'm trying to downgrade the
> > >>> BIOS.
> > >>
> > >> I've just downgraded back to 3.2.2 on one r815 and it seems that it
> > >> actually might be iDrac6 =! new Java.
> > >>
> > >> I wonder if users of newer iDracs also experience this problem?
> > >
> > > Newer iDRACs can use html5 instead of java plugin for the console. Not sure
> > > if it is the default but it is possible to change from Java to html5.
> >
> > I think that is only on the iDrac8 and some? iDrac7 so on an iDrac6
> > probably will not have it. We found that the newest java puts in a
> > security fix to remove accepting weak encryption.
> >
> > the 'fix' was to edit
> > /usr/lib/jvm/java-openjdk/jre/lib/security/java.security and comment
> > out the "jdk.jar.disabledAlgorithms=" line. Not great.. but it got the
> > newer javas to talk to the old consoles.
> >
> > I would also uncomment the line afterwards.


-- 
Tech III * AppControl * Endpoint Protection * Server Maintenance
Buncombe County Schools Technology Department Network Group
ComicSans Awareness Campaign 


Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-15 Thread Libor Klepáč
Hi,
that explains why suddenly I cannot connect to remote console from my linux box.
I was also thinking it has something to do with BIOS upgrade.

For the record, I can connect to console again without commenting out
jdk.jar.disabledAlgorithms

but with removing 
3DES_EDE_CBC
from
jdk.tls.disabledAlgorithms

few lines lower in config file (leaving rest of jdk.tls.disabledAlgorithms with 
no change)

My java is 8u171-b11-1 from Debian

Libor



On Thursday, 10 May 2018 17:37:56 CEST Stephen John Smoogen wrote:
> On 10 May 2018 at 09:57, Patrick Boutilier  wrote:
> > On 05/10/2018 10:34 AM, lejeczek wrote:
> >> On 09/05/18 22:34, R S wrote:
> >>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
> >>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and the
> >>> 'Connection Failed' issue is still there, so I'm trying to downgrade the
> >>> BIOS.
> >> 
> >> I've just downgraded back to 3.2.2 on one r815 and it seems that it
> >> actually might be iDrac6 =! new Java.
> >> 
> >> I wonder if users of newer iDracs also experience this problem?
> > 
> > Newer iDRACs can use html5 instead of java plugin for the console. Not sure
> > if it is the default but it is possible to change from Java to html5.
> 
> I think that is only on the iDrac8 and some? iDrac7 so on an iDrac6
> probably will not have it. We found that the newest java puts in a
> security fix to remove accepting weak encryption.
> 
> the 'fix' was to edit
> /usr/lib/jvm/java-openjdk/jre/lib/security/java.security and comment
> out the "jdk.jar.disabledAlgorithms=" line. Not great.. but it got the
> newer javas to talk to the old consoles.
> 
> I would also uncomment the line afterwards.



Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-10 Thread Stephen John Smoogen
Cool. I was not aware of that. Thank you for that answer.

On 10 May 2018 at 13:44, R S  wrote:
> They did that just last year. All of the SSL backend was updated. They
> removed RC4, updated OpenSSL etc etc. See
> http://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=9GJYW
>
> On Thu, May 10, 2018 at 12:56 PM, Stephen John Smoogen 
> wrote:
>>
>> On 10 May 2018 at 12:31, R S  wrote:
>> > Smoogen, I just tested commenting out "jdk.jar.disabledAlgorithms" and
>> > connecting to the iDRAC Remote Console now works on Java 8 Update 162.
>> >
>> > Depending on your distro the path to the java.security file might be
>> > different from /usr/lib/jvm/java-openjdk/jre/lib/security/java.security
>> > I'm running a Debian derivative and it symlinks from
>> > /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security to
>> > /etc/java-8-openjdk/security
>> >
>> > So the ball is back to Dell. The compromising elements that the iDRAC6
>> > still relies on is either a 1024 certificate key, MD5 or MD2.
>> >
>>
>> I don't know what the support cycle for the iDRAC6 is since it is
>> based off of 10+ year old technology. I expect it would take a major
>> update to getting a newer openssl and other software and the CPU is
>> probably going to be even slower dealing with sha256, 4096 bit keys
>> and AES256 encryption.
>>
>>
>>
>> --
>> Stephen J Smoogen.
>
>
>
>
> --
> Tech III * AppControl * Endpoint Protection * Server Maintenance
> Buncombe County Schools Technology Department Network Group
> ComicSans Awareness Campaign



-- 
Stephen J Smoogen.



Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-10 Thread R S
Smoogen, I just tested commenting out "jdk.jar.disabledAlgorithms" and
connecting to the iDRAC Remote Console now works on Java 8 Update 162.

Depending on your distro the path to the java.security file might be
different from /usr/lib/jvm/java-openjdk/jre/lib/security/java.security
I'm running a Debian derivative and it symlinks from
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security
to /etc/java-8-openjdk/security

So the ball is back to Dell. The compromising elements that the iDRAC6
still relies on is either a 1024 certificate key, MD5 or MD2.

On Thu, May 10, 2018 at 11:45 AM, Patrick Boutilier wrote:

> On 05/10/2018 12:37 PM, Stephen John Smoogen wrote:
>> On 10 May 2018 at 09:57, Patrick Boutilier wrote:
>>> On 05/10/2018 10:34 AM, lejeczek wrote:
>>>> On 09/05/18 22:34, R S wrote:
>>>>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
>>>>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and the
>>>>> 'Connection Failed' issue is still there, so I'm trying to downgrade the
>>>>> BIOS.
>>>>
>>>> I've just downgraded back to 3.2.2 on one r815 and it seems that it
>>>> actually might be iDrac6 =! new Java.
>>>>
>>>> I wonder if users of newer iDracs also experience this problem?
>>>
>>> Newer iDRACs can use html5 instead of java plugin for the console. Not sure
>>> if it is the default but it is possible to change from Java to html5.
>>
>> I think that is only on the iDrac8 and some? iDrac7 so on an iDrac6
>> probably will not have it.
>
> Definitely no html5 with iDrac6. Only on newer iDracs.
>
>> We found that the newest java puts in a
>> security fix to remove accepting weak encryption.
>>
>> the 'fix' was to edit
>> /usr/lib/jvm/java-openjdk/jre/lib/security/java.security and comment
>> out the "jdk.jar.disabledAlgorithms=" line. Not great.. but it got the
>> newer javas to talk to the old consoles.
>>
>> I would also uncomment the line afterwards.


-- 
Tech III * AppControl * Endpoint Protection * Server Maintenance
Buncombe County Schools Technology Department Network Group
ComicSans Awareness Campaign 


Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-10 Thread Patrick Boutilier

On 05/10/2018 12:37 PM, Stephen John Smoogen wrote:
> On 10 May 2018 at 09:57, Patrick Boutilier wrote:
>> On 05/10/2018 10:34 AM, lejeczek wrote:
>>> On 09/05/18 22:34, R S wrote:
>>>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
>>>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and the
>>>> 'Connection Failed' issue is still there, so I'm trying to downgrade the
>>>> BIOS.
>>>
>>> I've just downgraded back to 3.2.2 on one r815 and it seems that it
>>> actually might be iDrac6 =! new Java.
>>>
>>> I wonder if users of newer iDracs also experience this problem?
>>
>> Newer iDRACs can use html5 instead of java plugin for the console. Not sure
>> if it is the default but it is possible to change from Java to html5.
>
> I think that is only on the iDrac8 and some? iDrac7 so on an iDrac6
> probably will not have it.

Definitely no html5 with iDrac6. Only on newer iDracs.

> We found that the newest java puts in a
> security fix to remove accepting weak encryption.
>
> the 'fix' was to edit
> /usr/lib/jvm/java-openjdk/jre/lib/security/java.security and comment
> out the "jdk.jar.disabledAlgorithms=" line. Not great.. but it got the
> newer javas to talk to the old consoles.
>
> I would also uncomment the line afterwards.





Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-10 Thread Patrick Boutilier

On 05/10/2018 10:34 AM, lejeczek wrote:
> On 09/05/18 22:34, R S wrote:
>> Is there a mechanism that prevents me to downgrade from v6.5.0 back to
>> v6.4.0 on a R710/T710? I downgraded the iDRAC from 2.90 to v2.80 and
>> the 'Connection Failed' issue is still there, so I'm trying to
>> downgrade the BIOS.
>
> I've just downgraded back to 3.2.2 on one r815 and it seems that it
> actually might be iDrac6 =! new Java.
>
> I wonder if users of newer iDracs also experience this problem?

Newer iDRACs can use html5 instead of java plugin for the console. Not
sure if it is the default but it is possible to change from Java to html5.







Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-10 Thread lejeczek



On 09/05/18 22:34, R S wrote:
> Is there a mechanism that prevents me to downgrade from
> v6.5.0 back to v6.4.0 on a R710/T710? I downgraded the
> iDRAC from 2.90 to v2.80 and the 'Connection Failed' issue
> is still there, so I'm trying to downgrade the BIOS.

I've just downgraded back to 3.2.2 on one r815 and it seems
that it actually might be iDrac6 =! new Java.

I wonder if users of newer iDracs also experience this problem?



Re: [Linux-PowerEdge] r815 new BIOS 3.4.0 major problem

2018-05-09 Thread lejeczek



On 09/05/18 17:54, R S wrote:
> I'm having problems Launching Console in an iDRAC6 on a
> R710 with BIOS 6.5.0 and iDRAC 2.90
>
> It errors out:
>
> Tried with 3 different browsers on 3 different OS and they
> all fail.
>
> I'm going to downgrade to 2.85 first and see if it
> connects. If not I'm going to downgrade BIOS to 6.4.0
>
> Is DELL planning to update the cert that will expire in
> about 7 months. Just a heads up as things take time
>
> On Wed, May 9, 2018 at 6:04 AM, lejeczek wrote:
>> guys, can you get to "virtual console" in your
>> iDrac(2.90 (Build 04))?
>> It seems to me 3.4.0 BIOS has broken something.
>>
>> many thanks, L.
>
> --
> Tech III * AppControl * Endpoint Protection * Server Maintenance
> Buncombe County Schools Technology Department Network Group
> ComicSans Awareness Campaign

that is what I get. Though in case of r815 it's iDrac. I've
had 2.90 for ... well, a long time. Only recent BIOS update
to 3.4.0 broke the console.

@dell team - this is rather urgent. Can you help guys?

many thanks, L.
