seveas / python-hpilo

Accessing the HP iLO XML interface from python

Home Page: https://seveas.github.io/python-hpilo


HP DL380 G7 iLO3 SSLV3 Handshake Error

triDcontrols opened this issue · comments

commented

Hi, I can't connect to my iLO 3. I get this error. I'm running HP iLO 3 V1.89 on HP DL380 G7

Sounds like a SSL handshake error, I am using a self signed cert, is there a way to set a flag to continue with invalid certs?

delluser@ubuntu-iot:~$ hpilo_cli -l Administrator -p myPASS 192.168.1.29 get_uid_status

Traceback (most recent call last):
File "/usr/bin/hpilo_cli", line 334, in <module>
main()
File "/usr/bin/hpilo_cli", line 214, in main
results = [getattr(ilo, method)(**params)]
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 1339, in get_uid_status
return self._info_tag('SERVER_INFO', 'GET_UID_STATUS', process=lambda data: data['uid'])
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 704, in _info_tag
header, message = self._request(root)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 235, in _request
self._detect_protocol()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 275, in _detect_protocol
header, data = self._communicate(b'', ILO_HTTP, save=False)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 403, in _communicate
sock = self._get_socket()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 400, in _get_socket
raise IloCommunicationError("Cannot establish ssl session with %s:%d: %s" % (self.hostname, self.port, str(exc)))
hpilo.IloCommunicationError: Cannot establish ssl session with 192.168.1.29:443: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)

As most people use the certs that come with the iLO, python-hpilo doesn't verify certificates by default. This looks more like an ssl protocol version mismatch to me, which is also odd as python-hpilo should automatically try multiple versions. Which version of python-hpilo is this, and is this the only server with this problem?

commented

Installed it today, running 4.2.1 using the PPA install on ubuntu.

I don't have any other servers to test. I had iLO 3 version 1.22, saw a closed issue someone needed to update to version 1.25 or greater, so I updated to version 1.89

Could you share the output of the following command:

: | openssl s_client -connect 192.168.1.29:443

That should give more info about what ssl version should work.

commented

delluser@ubuntu-iot:~$ : | openssl s_client -connect 192.168.1.29:443

CONNECTED(00000003)
depth=0 CN = RIB.local.net, OU = ISS, O = Hewlett-Packard Company, L = Houston, ST = Texas, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = RIB.local.net, OU = ISS, O = Hewlett-Packard Company, L = Houston, ST = Texas, C = US
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/CN=RIB.local.net/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)

Server certificate
-----BEGIN CERTIFICATE-----
CERTIFICATE GOES HERE
-----END CERTIFICATE-----
subject=/CN=RIB.local.net/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)

No client certificate CA names sent

SSL handshake has read 881 bytes and written 491 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : RC4-SHA
Session-ID: 0212C138279EDFF64243706EAED4D90E0000000000000030090EC1DEA05E3B23
Session-ID-ctx:
Master-Key: A835FE068FA6DD4734FE11852B511DA3E7F7F5577FB7CDEA1866BE92AE97FA50 8EEC125D9F8ADCBBED1A97B48558923D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528233991
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

DONE

Hmm, that all looks good. Could you try replacing PROTOCOL_TLS with PROTOCOL_TLSv1_1 on line 398 of hpilo.py?

commented

Same error.

nano

hpilo_cli -l Administrator -p myPASS 192.168.1.29 get_uid_status
Traceback (most recent call last):
File "/usr/bin/hpilo_cli", line 334, in <module>
main()
File "/usr/bin/hpilo_cli", line 214, in main
results = [getattr(ilo, method)(**params)]
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 1339, in get_uid_status
return self._info_tag('SERVER_INFO', 'GET_UID_STATUS', process=lambda data: data['uid'])
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 704, in _info_tag
header, message = self._request(root)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 235, in _request
self._detect_protocol()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 275, in _detect_protocol
header, data = self._communicate(b'', ILO_HTTP, save=False)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 403, in _communicate
sock = self._get_socket()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 400, in _get_socket
raise IloCommunicationError("Cannot establish ssl session with %s:%d: %s" % (self.hostname, self.port, str(exc)))
hpilo.IloCommunicationError: Cannot establish ssl session with 192.168.1.29:443: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)

Ok, that's really unexpected...

Could you maybe install python-hpilo under python3 and try with that python version? The ssl module has seen very significant changes in python 3 and that may just be a feasible workaround :)

commented

I'll have to try that when I get home in a few hrs. Would resetting the iLO from F8 during boot do any good?

I doubt that an ilo reset will help, but it won't hurt either :)

commented

Thanks, I’ll try both and report back.

commented

I tried resetting the iLO and now have the original certificate that shipped with iLO3. I get the same error. I reverted PROTOCOL_TLSv1_1 back to PROTOCOL_TLS on line 398. I tried running hpilo.py through python3 and nothing happens. I issued the command python3 hpilo.py and get a few moments of waiting, then the program is terminated. I'm not good with python.

delluser@ubuntu-iot:/usr/lib/python2.7/dist-packages$ : | openssl s_client -connect 192.168.1.29:443
CONNECTED(00000003)
depth=1 C = US, ST = TX, L = Houston, O = Hewlett-Packard Company, OU = ISS, CN = iLO Default Issuer (Do not trust)
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:/CN=ILOUSE038N3BP.localdomain/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO Default Issuer (Do not trust)
1 s:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO Default Issuer (Do not trust)
i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO Default Issuer (Do not trust)

Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=ILOUSE038N3BP.localdomain/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO Default Issuer (Do not trust)

No client certificate CA names sent

SSL handshake has read 1515 bytes and written 491 bytes

New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : RC4-SHA
Session-ID: EBAC1028B3DB51EFC2427129DE6257F5000000000000002B1054C1DE9EE88C02
Session-ID-ctx:
Master-Key: E9D70959EE9F5C68D0F3BA6A8B7489580ADDD54EFAD8699FD717757C2F49CDB0F7FDB5ED0D5CFBA1A344A1330A7E0B69
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528248323
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

DONE

The error I get.

delluser@ubuntu-iot:/usr/lib/python2.7/dist-packages$ hpilo_cli -l Administrator -p myPASS 192.168.1.29 get_uid_status
Traceback (most recent call last):
File "/usr/bin/hpilo_cli", line 334, in <module>
main()
File "/usr/bin/hpilo_cli", line 214, in main
results = [getattr(ilo, method)(**params)]
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 1339, in get_uid_status
return self._info_tag('SERVER_INFO', 'GET_UID_STATUS', process=lambda data: data['uid'])
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 704, in _info_tag
header, message = self._request(root)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 235, in _request
self._detect_protocol()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 275, in _detect_protocol
header, data = self._communicate(b'', ILO_HTTP, save=False)
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 403, in _communicate
sock = self._get_socket()
File "/usr/lib/python2.7/dist-packages/hpilo.py", line 400, in _get_socket
raise IloCommunicationError("Cannot establish ssl session with %s:%d: %s" % (self.hostname, self.port, str(exc)))
hpilo.IloCommunicationError: Cannot establish ssl session with 192.168.1.29:443: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:661)
delluser@ubuntu-iot:/usr/lib/python2.7/dist-packages$

commented

One thing that I've been poking around is this
https://exchange.nagios.org/directory/Plugins/Hardware/Server-Hardware/HP-(Compaq)/check_ilo2_health/details

The first comment says if you have iLO3, then you need to add cipher suites

The comment references version 1.89 which is the latest version I have. I'm not sure what I need to add to hpilo.py to add the cipher suites.

Direct Quote.

`For those with problems with ILO3, you have to specify the SSL cipher. In my case, in order to connect with an ILO 3 v1.89, I had to use:
--sslopts 'SSL_cipher_list => "DES-CBC3-SHA",SSL_verify_mode => SSL_VERIFY_NONE'

You can check available ciphers of ILO using cnark (http://blog.techstacks.com/cryptonark.html):
cnark.pl -h 192.168.2.66 -p 443 --insecure`

commented

I’ve given up, I’ve tried many different things, and not able to get past this ssl handshake error.

@triDcontrols which version of ubuntu are you using?
I run into this same error when using Debian Stretch because they deprecated SSLv3, which means the python ssl module is also compiled without support; even if you LD_PRELOAD some other crypto library it won't work...

We settled on a schroot with an older Debian Version to gain access to iLO3 again.

commented

@conrad784 I'm running 17.10, What version of ubuntu would you recommend?

I am not familiar with schroot. What version of debian are you running?

I run Debian 8 (jessie) in the chroot, with Ubuntu it should work with 16.04 then.

Schroot allows you a chroot environment accessible for unprivileged users (still it is a security risk overall) -- if somebody got a better idea, I am interested in other approaches.

commented

I'll have to try 16.04 in a VM for testing.

Is there a way to run 16.04 on top of ubuntu 17.10, like in an isolated container? I know there is docker and VM. Would hate to spin up a 16.04 VM just for iLO.

I'm not overly concerned with the security risk, as this will sit on a separate VLAN than my trusted network.

> like in an isolated container?

That's what I do with chroot.

commented

hmm. I need to look into chroot.

This issue can be closed, thanks to @conrad784.

I'm running this on ubuntu 16.04 works as expected, no error there.

I'm reopening this issue, as this should at least be documented

Documented now in b2790b0

To anyone else bashing their head against this issue, you don't need to use a chroot or an old version of Python. Here:

```python
import re
import ssl

import hpilo

ilo3_context = ssl.create_default_context()

# Start with the default cipher set
ciphers = ssl._DEFAULT_CIPHERS

# Remove any explicit prohibition against 3DES
ciphers = re.sub(r":!3DES", "", ciphers)

# Add on DES-CBC3-SHA, as that appears to be the 'best' cipher suite supported
# by iLO3 v1.89
ciphers = ciphers + ":DES-CBC3-SHA"

# Use the modified cipher suite list
ilo3_context.set_ciphers(ciphers)

# Allow SSLv3
ilo3_context.options &= ~ssl.OP_NO_SSLv3

# Disable any attempt at verifying the cert
ilo3_context.check_hostname = False
ilo3_context.verify_mode = ssl.CERT_NONE

iloc = hpilo.Ilo(
    "somehost", "someuser", "somepassword", timeout=5, ssl_context=ilo3_context
)

# Do stuff!
```

Works OK for me under Python 2.7.14, against G7 systems running iLO3 version 1.89. Should work under Python 3.6/3.7 as well, but I haven't tried.

Verified this worked on Python 3.6 (on win10 box). Thanks for solving as it was driving me nuts. Tested against G7 system running ilo3 with firmware ver 1.91.

@Shados This really depends on the distribution. In Debian Stretch sslv3 is deprecated and removed. You just can't use it. The reason it worked for @sharp99 is that he's using a windows 10 box where sslv3 is probably still enabled.

What worked for me (without sslv3 on debian stretch) is going to the ilo web interface > Administration > security > Encryption tab > Enforce AES/3DES Encryption > Enabled. Combining this with version 4.3 of python-hpilo fixed all issues for me.
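
An added diagnostic, not part of the thread or of python-hpilo: it parses `openssl s_client` output like the dumps posted above and checks whether the local Python/OpenSSL build still includes the cipher the iLO negotiated, plus the `DES-CBC3-SHA` suite mentioned earlier. The function names and the trimmed sample text are constructed for this example (Python 3.6+).

```python
import re
import ssl

# Constructed sample: the relevant lines of the s_client output posted in this thread.
SAMPLE_S_CLIENT = """\
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Pull the negotiated parameters out of `openssl s_client` output."""
    fields = {
        "protocol": r"^\s*Protocol\s*:\s*(\S+)",
        "cipher": r"^\s*Cipher\s*:\s*(\S+)",
        "key_bits": r"^Server public key is (\d+) bit",
        "verify_code": r"^\s*Verify return code:\s*(\d+)",
    }
    out = {}
    for name, pattern in fields.items():
        m = re.search(pattern, text, re.MULTILINE)
        out[name] = m.group(1) if m else None
    out["secure_renegotiation"] = "Secure Renegotiation IS supported" in text
    return out

def client_offers(cipher_name):
    """True if the local OpenSSL build has this cipher and lets it be enabled.

    Security-level or minimum-protocol policy can still refuse it at handshake time.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_name)
    except ssl.SSLError:  # raised when no cipher in the string can be selected
        return False
    return any(c["name"] == cipher_name for c in ctx.get_ciphers())

def diagnose(text, candidates=("DES-CBC3-SHA",)):
    """Combine what the server negotiated with what this client is able to offer."""
    info = parse_s_client(text)
    names = [info["cipher"]] if info["cipher"] else []
    names += [c for c in candidates if c not in names]
    info["client_offers"] = {n: client_offers(n) for n in names}
    return info

if __name__ == "__main__":
    print(diagnose(SAMPLE_S_CLIENT))
```

A `False` for every cipher the iLO accepts means no `ssl_context` tweak can help on that host, because the suites are missing from the build itself.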

I'm running into this issue, sort of. I'm using a dl380 g7 with Ilo 3 1.89. I know python-hpilo works as my home assistant is using the sensors (with AES/3DES enabled)

However when using hpilo_cli I now run into

[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)

When I disable AES/3DES I run into the old familiar:

[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1108)

I should note I'm trying to run hpilo_cli version 4.3 on a ubuntu 20.04 container. Anyone know what is up with this?

```python
import hpilo, ssl
ilo = hpilo.Ilo("10.0.0.52", "USERNAME", "PASSWORD", protocol=ssl.PROTOCOL_TLSv1)
print(ilo.get_network_settings())
```

The above seemed to do the trick for me in resolving this issue.

Thought I would drop in this message even though the issue is closed.

Thank you all for your work on this! It's a great tool!