seveas / python-hpilo

Accessing the HP iLO XML interface from python

Home Page: https://seveas.github.io/python-hpilo


Change default TLS Protocol to TLS 1.2

cueball23 opened this issue

If "Enforce AES/3DES Encryption" is enabled on an iLO 4 board, a connection with TLS 1 is not possible.
The default protocol of python-hpilo is TLS1. With the parameter "--ssl-version 5", login is possible (TLSv1.2).

If python-hpilo changed the default protocol (with fallback), out-of-the-box usage with all iLO configurations would be possible. Currently the newer and more secure protocol TLSv1.2 is never used.

Yeah, makes sense. I'll see if I can improve the autodetection there.

Choose ssl.PROTOCOL_SSLv23; despite its name, in OpenSSL this value means "negotiate best available".
I can confirm changing the default value to PROTOCOL_SSLv23 allows a connection using TLSv1.2 with an iLO 4 running 2.50 firmware with "Enforce AES/3DES Encryption" enabled, and still works with iLO 4 in default configuration.

@cueball23 how did you manage to get it working? I'm facing the same issue. I can help with testing if you guys have worked on some code... Let me know! TKS!

@flaviotorres I'm using it from ansible so I patched the ansible modules to set the TLS Version to 1.2.
If you want to use it from the hpilo_cli, just set "-s tlsv1_2"; see https://github.com/seveas/python-hpilo/blob/master/hpilo_cli . If you are running from the Python code, see https://github.com/seveas/python-hpilo/blob/master/hpilo.py lines 219 and 226. When you call hpilo.ILO(), add the correct kwarg "ssl_version".

I took @davenpcj5542009's suggestion in bc6c331
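
The difference between pinning one protocol version and negotiating the best shared one, as discussed in this thread, can be checked offline by reading what the client advertises in its ClientHello. This is an added example, not code from python-hpilo: `client_context`, `client_hello`, `advertised_versions` and the hostname `ilo.example.test` are hypothetical names, and the TLS 1.2 floor is an assumption chosen to match the "Enforce AES/3DES Encryption" case above.

```python
import ssl
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def client_context(floor=ssl.TLSVersion.TLSv1_2, ceiling=None):
    """Negotiating client context: best shared version, never below `floor`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    if ceiling is not None:
        ctx.maximum_version = ceiling  # floor == ceiling pins a single version
    return ctx


def client_hello(ctx, hostname="ilo.example.test"):  # constructed hostname
    """Return the raw ClientHello record without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is queued and no server reply exists
    return outgoing.read()


def advertised_versions(record):
    """Versions a ClientHello advertises, highest first, as readable names."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    legacy = struct.unpack_from("!H", record, 9)[0]
    pos = 9 + 2 + 32                                     # legacy_version + random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == 43:                               # supported_versions
            body = record[pos + 5:pos + 4 + ext_len]     # skip 1-byte list length
            codes = struct.unpack("!%dH" % (len(body) // 2), body)
            return [NAMES.get(c, hex(c)) for c in codes]
        pos += 4 + ext_len
    return [NAMES.get(legacy, hex(legacy))]  # pre-1.3 hello carries the maximum only


if __name__ == "__main__":
    print(advertised_versions(client_hello(client_context())))
```

A hello without the `supported_versions` extension shows only the client's highest version; the floor is enforced locally when the server's choice comes back.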