ILO3 hardware monitoring stopped working after Debian upgrade due to outdated TLS protocols

Written by - 0 comments

Published on - Listed in Hardware Monitoring SSL


After a monitoring (satellite) server was upgraded from Debian 9 (Stretch) to 10 (Buster), the hardware monitoring of HP servers (using ILO3) stopped working.

The plugin used for monitoring the HP hardware health is check_ilo2_health, an excellent monitoring plugin created and maintained since 2007 by Alexander Greiner-Baer, which uses the ILO (Integrated Lights Out) management interface of HP servers.

After the distribution upgrade, the ILO hardware checks stopped working. On the command line the error could be reproduced:

root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH UNKNOWN - ERROR: Failed to establish SSL connection with iloip:443  SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol.

The Debian upgrade from Stretch to Buster includes a major change in the OpenSSL version and its settings:

  • Debian 9 comes with OpenSSL 1.1.0l
  • Debian 10 comes with OpenSSL 1.1.1d

Besides this, the OpenSSL configuration (/etc/ssl/openssl.cnf) sets a minimum protocol of TLSv1.2 since the upgrade:

root@buster:~# tail /etc/ssl/openssl.cnf
                # identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

The problem with this? ILO3 is too old and does not support TLSv1.2. And HP refused to create a new ILO3 firmware which would enable a newer TLS protocol:

HPE does not plan for support to be added to iLO 3 because the HPE ProLiant G7-series servers are out of the product support timeframe.

Use a web browser that still supports TLSv1.0 and TLSv1.1 or use the Remote Insight Board Command Language (RIBCL) and Command Line Interface (CLI) SSH to access iLO 3.

Welcome in the land of legacy.

The OpenSSL settings were adjusted to use a lower minimum protocol (TLSv1.0):

root@buster:~# tail /etc/ssl/openssl.cnf
                # identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2

Right after this change, the hardware checks with check_ilo2_health started working again:

root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH OK - (Board-Version: ILO>=3) Power Usage: 218 Watts, Temperatures: Temp_1 (OK): 28, Temp_2 (OK): 40, Temp_3 (OK): 40, Temp_4 (OK): 44, Temp_5 (OK): 43, Temp_6 (OK): 52, Temp_7 (OK): 51, Temp_8 (OK): 52, Temp_9 (OK): 47, Temp_10 (OK): 53, Temp_11 (OK): 45, Temp_12 (OK): 54, Temp_19 (OK): 31, Temp_20 (OK): 39, Temp_21 (OK): 39, Temp_22 (OK): 37, Temp_23 (OK): 46, Temp_24 (OK): 43, Temp_25 (OK): 44, Temp_26 (OK): 46, Temp_30 (OK): 77 | power=218;; Temp_1=28;41;45 Temp_2=40;82;83 Temp_3=40;82;83 Temp_4=44;87;92 Temp_5=43;87;92 Temp_6=52;87;92 Temp_7=51;87;92 Temp_8=52;90;95 Temp_9=47;65;70 Temp_10=53;90;95 Temp_11=45;70;75 Temp_12=54;90;95 Temp_19=31;70;75 Temp_20=39;70;75 Temp_21=39;80;85 Temp_22=37;80;85 Temp_23=46;77;82 Temp_24=43;70;75 Temp_25=44;70;75 Temp_26=46;70;75 Temp_30=77;110;115



Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

Blog Tags: