12 Replies Latest reply on Jun 14, 2019 4:01 AM by Andrew Waters

    Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?

    Liz Frank

      We are upgrading ENTLDAP to only accept communication via TLS 2.1 for communication infrastructures currently using TLS 1.0 and 1.1. I have searched the docs and found nothing about this version; does anyone know about compatibility between 11.1.0.3 and TLS 2.1?

        • 1. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
          Kerryn Wood

          Hi,

          I'm assuming you mean TLS 1.2? There is no TLS 2.1 (yet) as far as I know. 1.3 is in draft phase.

          I'm unsure exactly what you're asking. The UI (assuming https) will always attempt to use the "strongest" available. If the client (browser) allows 1.2, then this is what will be used. Otherwise, if you mean LDAPS for appliance authentication or discovery targets, those are fine too.

          3 of 3 people found this helpful
          • 2. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
            Marcin Cieslak
            SSL handshake has read 7185 bytes and written 385 bytes
            ---
            New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
            Server public key is 4096 bit
            Secure Renegotiation IS supported
            Compression: NONE
            Expansion: NONE
            SSL-Session:
                Protocol  : TLSv1.2
                Cipher    : ECDHE-RSA-AES256-GCM-SHA384

            We are using 10.2, so you should be fine with TLS 1.2 on the newer versions as well.

            2 of 2 people found this helpful
            • 3. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
              Jeff Sikorski

              Is there an approved method of disabling TLS 1.1 to use TLS 1.2 on these BMC Appliances?

              Vulnerability scans being done are showing that TLS is "okay" for now with 1.1, but I imagine soon TLS 1.1 will not be allowed.

              BMC seems to be keeping up with the times though. It looks like TLS 1.0 is already disabled. So I imagine sometime soon we will upgrade the appliance OS and TLS 1.1 will be disabled?

              thanks,

              Jeff

              • 4. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                Marcin Cieslak

                There is also a question of where it should be disabled. ADDM uses TLS for many purposes - communication between appliances, communication with proxies, its web interface, WBEM and Web API credentials etc.

                We are currently facing an issue where we cannot establish an HTTPS connection to slightly older NetApp devices, because ADDM requests the newest and shiniest ciphers (which is good!) but it does not always support a downgrade to older or even obsolete cipher combinations.

                It is an interesting question whether you want to have the strongest possible security (like when talking to the users, using SSO, LDAP etc.) or when you need to get a connection using weaker or even obsolete arrangements.

                Such a setting would need to be configurable for many purposes separately, which would make it pretty complicated.

                Marcin

                2 of 2 people found this helpful
                • 5. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                  Mark Lemar

                  Was there any further update on this?

                  I assume that Kerryn's earlier post/comment is still relevant & reflects the current state of play?

                  1 of 1 people found this helpful
                  • 6. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                    Andrew Waters

                    11.3.0.3 disables TLS 1.1, meaning only 1.2 is available.

                    Red Hat / CentOS do not currently support TLS 1.3 (except on RHEL 8 beta)

                    5 of 5 people found this helpful
                    • 7. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                      Bernard Stern

                      You can use nmap to check which ciphers are supported. We are running 11.3.0.4. I see only one cipher is supported, which is TLS 1.2.

                      # nmap --script ssl-enum-ciphers -p 443 hostname.domain

                      Starting Nmap 5.51 ( http://nmap.org ) at 2019-05-17 11:42 CEST
                      Nmap scan report for hostname.domain (10.11.12.13)
                      Host is up (0.00049s latency).
                      rDNS record for 14.15.16.17: hostname2.domain
                      PORT    STATE SERVICE
                      443/tcp open  https
                      | ssl-enum-ciphers:
                      |   TLSv1.2
                      |     Ciphers (18)
                      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
                      |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
                      |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
                      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
                      |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
                      |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
                      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
                      |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                      |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
                      |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
                      |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                      |       TLS_RSA_WITH_AES_128_CBC_SHA
                      |       TLS_RSA_WITH_AES_128_CBC_SHA256
                      |       TLS_RSA_WITH_AES_128_GCM_SHA256
                      |       TLS_RSA_WITH_AES_256_CBC_SHA
                      |       TLS_RSA_WITH_AES_256_CBC_SHA256
                      |       TLS_RSA_WITH_AES_256_GCM_SHA384
                      |     Compressors (1)
                      |_      uncompressed

                      Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds
                      #

                      3 of 3 people found this helpful
                      • 8. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                        Mark Lemar

                        Hi Andrew.

                        What type of TLS traffic is enforced at 1.2 in Discovery 11.3.0.3? User to UI, Appliance to Proxy, Appliance to Appliance or all of these?

                        Only, a recent support ticket we raised confirmed that TLS 1.2 was enforced in Appliance to Proxy comms, by upgrading the proxy software (for 11.3).

                        Therefore, I'm trying to understand whether we just need to upgrade our current proxy software to enforce this or whether we also need to upgrade the appliance from 11.3 to 11.3.0.5 too to cover all bases?

                        Thanks

                        • 9. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                          Andrew Waters

                          11.3 requires TLS 1.2 for CORBA communication between appliances in a cluster, consolidation and for proxies. You only need 11.3.0.3 for the UI.

                          1 of 1 people found this helpful
                          • 10. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                            Mark Lemar

                            ...but we also need to upgrade the proxies to 11.3, to enforce TLS 1.2 for the appliance to proxy comms it seems.

                            Working with support we used the following commands to test which TLS versions were allowed between an appliance and a proxy:

                            openssl s_client -tls1 -connect <proxy_ip>:<proxy_port>
                            openssl s_client -tls1_1 -connect <proxy_ip>:<proxy_port>
                            openssl s_client -tls1_2 -connect <proxy_ip>:<proxy_port>

                            From an 11.3 appliance to an 11.1.0.3 677713 proxy, TLS 1.0, 1.1 and 1.2 were all open.

                            From an 11.3 appliance to an 11.3 729942 proxy, only TLS 1.2 is open.
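
Added example (editor's code, not from the thread or from BMC): a Python script that does what the openssl s_client -tls1 / -tls1_1 / -tls1_2 probes above do (one pinned TLS version per connection) and that parses an nmap ssl-enum-ciphers block like the one Bernard posted, flagging the suites a hardening review would question. The host and port are placeholders and the nmap sample is constructed.

```python
import socket
import ssl

# Added example, not from the thread. probe_versions() mirrors the
# openssl s_client -tls1 / -tls1_1 / -tls1_2 checks with the stdlib.
def probe_versions(host, port=443, timeout=5.0):
    """Return {version: accepted?}; host and port are placeholders."""
    results = {}
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing protocol, not cert
        try:
            # pin both ends to one version so only that version can be negotiated
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):  # refused, or local OpenSSL lacks it
            results[name] = False
    return results

def parse_enum_ciphers(nmap_output):
    """nmap ssl-enum-ciphers block -> {protocol: [suite, ...]}."""
    suites, proto = {}, None
    for raw in nmap_output.splitlines():
        line = raw.lstrip("|_ ").strip()
        if line.startswith(("TLSv", "SSLv")):
            proto, suites[line] = line, []
        elif proto and line.startswith("TLS_"):
            suites[proto].append(line)
    return suites

def weak_suites(suites):
    """Flag protocols below 1.2, static-RSA (no forward secrecy) and CBC suites."""
    findings = {}
    for proto, names in suites.items():
        for name in names:
            reasons = ["legacy protocol"] * (proto < "TLSv1.2")
            reasons += ["no forward secrecy"] * name.startswith("TLS_RSA_WITH_")
            reasons += ["CBC mode"] * ("_CBC_" in name)
            if reasons:
                findings[(proto, name)] = reasons
    return findings

# Constructed sample in the format nmap prints (trimmed from the thread's output).
SAMPLE = """|   TLSv1.2
|     Ciphers (4)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_128_CBC_SHA
|_      uncompressed"""
```

Run `weak_suites(parse_enum_ciphers(SAMPLE))` to see the two TLS_RSA_ suites and the CBC suite flagged while the ECDHE GCM suite passes; `probe_versions()` needs a reachable appliance or proxy and returns False for every version when the connection is refused.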

                            • 11. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                              Andrew Waters

                              While older proxies would allow TLS 1.0 and 1.1, the appliance will not so it will not use it.

                              1 of 1 people found this helpful
                              • 12. Re: Does anyone know if Discovery 11.1.0.3 compatible with TLS 2.1?
                                Andrew Waters

                                Obviously if you do not want the proxies to allow any attempt to connect to them from elsewhere using 1.0 and 1.1 you would need to upgrade them.

                                1 of 1 people found this helpful