Interesting, wonder what the handshake on those would look like... The xCAT IPMI.pm tries to open the session with C17, and then when the answer should come back with an error code, it falls back to the equivalent of C3. Might be interested in a pcap of the attempt to see what is up. It shouldn't possibly reply '0' if it thinks it's all good, but maybe it fails to reply at all, which might trigger a timeout during that phase instead of a fallback...
I took a glance at ipmitool source and verified that Red Hat back to 8.x either includes a new enough version or backports the 'auto-detect c17'. You could hard set things back to 3 across the board, however some newer firmware will refuse to work with 3 (because any use of SHA-1 is hunted down, regardless of whether the weakness actually applies, which in IPMI land the SHA-1 weakness doesn't matter since it's in an HMAC). You could make an 'ipmic3' console backend and possibly make an 'ipmic3' plugin that is a fork of c3 only for old systems that predate cipher suite 17 support. I would like to see and try out auto-degrade on older systems, but I may not be able to cover it.

________________________________
From: David Johnson <david_john...@brown.edu>
Sent: Tuesday, January 9, 2024 5:41 PM
To: xCAT Users Mailing list <xcat-user@lists.sourceforge.net>
Subject: Re: [xcat-user] [External] Ipmitool support for old BMC cipher suite 3

We encountered the problem with rpower and gocons when we migrated our cluster this morning from rhel7.9 to rhel9.2. Most nodes had no issue when I moved the consoles from the old front end to the new one but one batch of Tyan GPU nodes timed out on rpower, and couldn’t make a connection with SOL. Googling revealed that some BMC firmware would reply that they offer suite 17, but in fact they did not implement it. Have not looked for updated firmware yet for these ten nodes, looking for an easier fix if possible.

-- ddj
Dave Johnson

On Jan 9, 2024, at 5:31 PM, Jarrod Johnson <jjohns...@lenovo.com> wrote:

In what context do you find use of ipmitool with '-C'? I was checking the ipmi console backend and it doesn't seem to have that.

rpower and such should try SHA256, fallback to SHA1 (equivalent to -C 3).

The ipmi backend for conserver, if used, doesn't currently attempt a -C 17 that I see.

Newer ipmitool should try 17 and fallback to 3, if that's the issue.

________________________________
From: David Johnson <david_john...@brown.edu>
Sent: Tuesday, January 9, 2024 11:53 AM
To: xcat-user@lists.sourceforge.net <xcat-user@lists.sourceforge.net>
Subject: [External] [xcat-user] Ipmitool support for old BMC cipher suite 3

I’d like to know if there is an option somewhere in xcat to choose -C 3 for either selected elderly nodes that don’t support suite 17, or use -C 3 by default for the whole cluster?

Thanks!

-- ddj
Dave Johnson

_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
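
Added example, not part of the thread and not xCAT or ipmitool project code: a shell probe for the case discussed above, where a BMC may reject cipher suite 17 or never answer the attempt. It tries suite 17 and then 3, bounding each attempt with ipmitool's -N/-R options so a silent BMC counts as a failure; the function names and the IPMI_USER variable are assumptions of this example, and the password is read from IPMI_PASSWORD via -E.

```shell
#!/bin/sh
# Added example: find the RMCP+ cipher suite each BMC actually completes
# a session with, instead of trusting what the firmware advertises.
# Assumptions: ipmitool is on PATH (override with IPMITOOL), IPMI_USER holds
# the BMC user, and IPMI_PASSWORD holds the password (read by ipmitool -E).
IPMITOOL=${IPMITOOL:-ipmitool}

# try_suite HOST SUITE
# Returns 0 only if a session opens with that suite and "mc info" succeeds.
# -N 3 -R 1 bounds retransmissions so an unanswered open fails quickly
# instead of stalling; stdin is detached so the caller's node list is safe.
try_suite() {
    "$IPMITOOL" -I lanplus -H "$1" -U "${IPMI_USER:?set IPMI_USER}" -E \
        -C "$2" -N 3 -R 1 mc info </dev/null >/dev/null 2>&1
}

# pick_suite HOST
# Prints 17 if the stronger suite works, 3 if only the SHA-1 HMAC suite
# works, or "none" (and returns 1) if neither attempt completes.
pick_suite() {
    for suite in 17 3; do
        if try_suite "$1" "$suite"; then
            echo "$suite"
            return 0
        fi
    done
    echo none
    return 1
}

# classify_nodes
# Reads BMC host names or addresses from stdin, one per line, and prints
# "<host> <suite>" so the nodes that need suite 3 can be listed explicitly.
classify_nodes() {
    while read -r node; do
        [ -n "$node" ] || continue
        printf '%s %s\n' "$node" "$(pick_suite "$node")"
    done
}
```

Feed BMC addresses, one per line, to `classify_nodes`; hosts reported as `3` are the ones to pin to suite 3 or to schedule for a firmware update, and hosts reported as `none` need separate investigation.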