Thanks for the detailed and comprehensive explanation, Jarrod. Lots of thanks here ;)
> On Jun 14, 2018, at 10:23 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>
> So the firmware team decided to stop allowing cipher suite 2 (also forbids IPMI 1.5). It's the same line of thought that causes them to disable http and only allow https (and further, https has disabled a lot of ciphers) and the same reason the telnet server is disabled and only ssh allowed (also with some older ssh ciphers removed). If you don't have those formerly (for you, currently) optional rpms, then xCAT used IPMI 2.0, cipher suite 2 to speak to BMCs (or IPMI 1.5 if 2.0 wasn't supported). If those rpms are there, then it was able to do cipher suite 3. For some systems, a firmware update will remove support for older ciphers; some systems never shipped with a version that allowed cipher suite 2.
>
> Random rambling on the state of the security of this stuff for the curious: Fun fact, IPMI cipher suite 3 and better is not vulnerable to quantum computing based attacks, even in theory at the moment. Ditto for SNMPv3 at 'authPriv' level of protection.
>
> Cipher Suite 2 provided full protection for your username/password and provided full integrity assurance, but on the wire you would be able to see the payload ("what is server power state? It is on") as it was authenticated and integrity assured, but no privacy cipher. Cipher suite 3 added AES to provide encryption as well as integrity and authentication via HMAC-SHA1 (now not only protected against tampering and impersonation, but an eavesdropper doesn't know what the conversation is, though they could make educated guesses based on traffic analysis, like with all protocols).
>
> For any curious, one thing with IPMI is that the password is really a shared secret, and the BMC goes first with 'proof'. Therefore anyone with the ability to send and receive udp ports to an IPMI device can send a message and will receive a random set of data and an HMAC using the password as the key. This is roughly equivalent to getting a copy of /etc/shadow of your password, and as such someone can ask for the equivalent of /etc/shadow for a user they know the name of. This is not necessarily fatal, as if you select a strong password (e.g. 20 random characters), your password even in /etc/shadow form will never fall to an attacker. SNMPv3 has a similar situation, but the client goes first, so an attacker would have to either capture traffic or spoof the ip of an SNMP endpoint. Of course on the other hand using TLS with cert verification disabled is also vulnerable to the latter sort of attack and in fact is actually weaker, as at least in SNMP and IPMI the password is never actually sent on the wire, only a derivation of it, versus TLS schemes that assume it's ok to ship the password.
>
> For those curious about security, HMAC-SHA1 may raise eyebrows and in fact there are newer cipher suites with SHA256/SHA384. However when used in an HMAC, SHA1 is still considered ok, as collision/preimage isn't the risk in HMAC, so SHA1 has no known weaknesses relevant to HMAC.
>
> -----Original Message-----
> From: Rogie Pamintuan <rbpamint...@gmail.com>
> Sent: Thursday, June 14, 2018 10:06 AM
> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
> Subject: Re: [xcat-user] [External] No cipher suite match with proposed security algorithms
>
> Great. A BIG thanks Jarrod.
>
> I will have to test those 2 rpms since the cluster is in Production.
>
> Before we wrap up this issue, I want to know where exactly the changes happened when we hit the cipher issue. Is it at the BMC level? Or the BMC for Lenovo machines? Or directly with xCAT?
>
> Thanks Again.
>
>> On Jun 14, 2018, at 8:47 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>>
>> Morning Jarrod,
>>
>> Just to confirm: installing the two rpms you've referenced will resolve the issue on xcat2.8.2? I don't expect any side effects, right? Let me know if there is a simpler solution. Thanks!
>>
>>> On Jun 13, 2018, at 10:01 AM, Rogie Pamintuan <rbpamint...@gmail.com> wrote:
>>>
>>> Morning Jarrod. Thanks for looking at this issue.
>>>
>>> I looked at my environment; I don't have the two rpms installed.
>>>
>>> ]# lsxcatd -v
>>> Version 2.8.2 (built Fri Oct 25 04:29:40 EDT 2013)
>>> # rpm -qa | grep -i perl-Crypt
>>> perl-Crypt-SSLeay-0.57-16.el6.x86_64
>>>
>>> Thank you.
>>>
>>>> On Jun 13, 2018, at 8:50 AM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>>
>>>> Can you check if you have the two rpms installed I referenced? If they are installed (CBC and Rijndael) then 2.8.2 should be able to communicate using the stricter security cipher.
>>>>
>>>> -----Original Message-----
>>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>>> Reply-To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>>> To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
>>>> Subject: Re: [xcat-user] [External] No cipher suite match with proposed security algorithms
>>>> Date: Tue, 12 Jun 2018 17:43:23 -0400
>>>>
>>>> Hi Jarrod,
>>>> I have xCAT v2.8.2 (comes with PHPC) which works on my existing idataflex nodes. When you say we disabled weaker ciphers in the XCC (BMC/IMM), how easy is it to enable? Any workaround? Thanks.
>>>>
>>>> On Jun 12, 2018, at 4:23 PM, Jarrod Johnson <jjohns...@lenovo.com> wrote:
>>>>
>>>>> What version of xCAT? Do you have perl-Crypt-Rijndael and perl-Crypt-CBC installed?
>>>>> We disabled the weaker ciphers in the XCC (BMC/IMM), which means you now *must* have AES support to speak to the BMC, whereas at one point it was optional.
>>>>>
>>>>> From: Rogie Pamintuan <rbpamint...@gmail.com>
>>>>> Sent: Tuesday, June 12, 2018 4:09 PM
>>>>> To: xcat-user@lists.sourceforge.net
>>>>> Subject: [External] [xcat-user] No cipher suite match with proposed security algorithms
>>>>>
>>>>> Hi There,
>>>>>
>>>>> I'm having an issue adding new nodes running on Lenovo 7x02 SR630 HW. No problem with existing nodes running on idataflex HW.
>>>>>
>>>>> Here goes the error:
>>>>>
>>>>> # rinv compute000
>>>>> compute000: Error: No cipher suite match with proposed security algorithms
>>>>> compute000: Error: No cipher suite match with proposed security algorithms
>>>>> compute000: Error: No cipher suite match with proposed security algorithms
>>>>> compute000: Error: No cipher suite match with proposed security algorithms
>>>>> compute000: Error: No cipher suite match with proposed security algorithms
>>>>>
>>>>> Other r* commands (i.e. rpower, rvitals etc.) are showing the same issue.
>>>>>
>>>>> I have updated the HW firmware level for my Lenovo machines but am still having the same issue.
>>>>>
>>>>> I saw a similar issue here before but I can't see the answer or update. Link as follows:
>>>>>
>>>>> https://sourceforge.net/p/xcat/mailman/message/32241804/
>>>>>
>>>>> Any help will be greatly appreciated. Thank you!
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> xCAT-user mailing list
>>>>> xCAT-user@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/xcat-user
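As an added example, not part of the thread above or of xCAT, here is a small Python check a defender can run over saved `ipmitool lan print` output to see whether a BMC still advertises RMCP+ cipher suites without a confidentiality algorithm (suite 2 and its relatives, the ones the thread says the XCC firmware now refuses) and which suites carry full authentication, integrity and AES confidentiality (suite 3 and 17). The `RMCP+ Cipher Suites` line format is assumed from ipmitool's output, the suite table is the IPMI 2.0 algorithm assignments with the obsolete xRC4 suites omitted, and the sample text is constructed.

```python
import re

# IPMI 2.0 cipher suite IDs -> (authentication, integrity, confidentiality).
# Subset of the spec table; xRC4-based suites (4, 5, 9, 10, 13, 14) are omitted.
CIPHER_SUITES = {
    0: ("none", "none", "none"),
    1: ("RAKP-HMAC-SHA1", "none", "none"),
    2: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "none"),      # authenticated, no privacy
    3: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "AES-CBC-128"),
    6: ("RAKP-HMAC-MD5", "none", "none"),
    7: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "none"),
    8: ("RAKP-HMAC-MD5", "HMAC-MD5-128", "AES-CBC-128"),
    11: ("RAKP-HMAC-MD5", "MD5-128", "none"),
    12: ("RAKP-HMAC-MD5", "MD5-128", "AES-CBC-128"),
    17: ("RAKP-HMAC-SHA256", "HMAC-SHA256-128", "AES-CBC-128"),
}

def parse_rmcp_suites(lan_print_output):
    """Return the suite IDs listed on the 'RMCP+ Cipher Suites' line (assumed
    ipmitool format), or an empty list if the line is absent."""
    m = re.search(r"RMCP\+ Cipher Suites\s*:\s*([\d,\s]+)", lan_print_output)
    if not m:
        return []
    return [int(x) for x in re.findall(r"\d+", m.group(1))]

def audit_cipher_suites(lan_print_output):
    """Classify advertised suites: 'strong' has authentication, integrity and
    confidentiality; 'weak' lacks at least one; 'unknown' is not in the table."""
    result = {"strong": [], "weak": [], "unknown": []}
    for sid in parse_rmcp_suites(lan_print_output):
        algs = CIPHER_SUITES.get(sid)
        if algs is None:
            result["unknown"].append(sid)
        elif "none" in algs:
            result["weak"].append(sid)
        else:
            result["strong"].append(sid)
    return result

# Constructed sample of the relevant part of `ipmitool lan print` output.
SAMPLE_LAN_PRINT = """IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12,17
"""

if __name__ == "__main__":
    for kind, ids in audit_cipher_suites(SAMPLE_LAN_PRINT).items():
        print(f"{kind}: {ids}")
```

A BMC that only lists the "strong" set is the state the thread describes for updated XCC firmware; an xCAT host without perl-Crypt-CBC and perl-Crypt-Rijndael can only negotiate the "weak" set and will fail against it.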