ILO3 hardware monitoring stopped working after Debian upgrade due to outdated TLS protocols

Written by - 0 comments

Published on - last updated on July 11th 2024 - Listed in Hardware Monitoring SSL Security


After a monitoring (satellite) server was upgraded from Debian 9 (Stretch) to 10 (Buster), the hardware monitoring of HP servers (using ILO3) stopped working.

The plugin used for monitoring the HP hardware health is check_ilo2_health, an excellent monitoring plugin created and maintained since 2007 by Alexander Greiner-Baer, which uses the ILO (Integrated Lights Out) management interface of HP servers.

ILO communication error with newer OpenSSL version

After the Debian distribution upgrade, the ILO hardware checks stopped working. On the command line the error could be reproduced:

root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH UNKNOWN - ERROR: Failed to establish SSL connection with iloip:443  SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol.

The Debian upgrade from Stretch to Buster includes a major change in the OpenSSL version and its settings:

  • Debian 9 comes with OpenSSL 1.1.0l
  • Debian 10 comes with OpenSSL 1.1.1d

Besides this, the OpenSSL configuration (/etc/ssl/openssl.cnf) sets a minimum protocol of TLSv1.2 since the upgrade:

root@buster:~# tail /etc/ssl/openssl.cnf
                # identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

The problem with this? ILO3 is too old and does not support TLSv1.2. And HP refused to create a new ILO3 firmware which would enable a newer TLS protocol:

HPE does not plan for support to be added to iLO 3 because the HPE ProLiant G7-series servers are out of the product support timeframe.

Use a web browser that still supports TLSv1.0 and TLSv1.1 or use the Remote Insight Board Command Language (RIBCL) and Command Line Interface (CLI) SSH to access iLO 3.

Welcome in the land of legacy.

The OpenSSL settings were adjusted to use a lower minimum protocol (TLSv1.0):

root@buster:~# tail /etc/ssl/openssl.cnf
                # identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2

Right after this change, the hardware checks with check_ilo2_health started working again:

root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH OK - (Board-Version: ILO>=3) Power Usage: 218 Watts, Temperatures: Temp_1 (OK): 28, Temp_2 (OK): 40, Temp_3 (OK): 40, Temp_4 (OK): 44, Temp_5 (OK): 43, Temp_6 (OK): 52, Temp_7 (OK): 51, Temp_8 (OK): 52, Temp_9 (OK): 47, Temp_10 (OK): 53, Temp_11 (OK): 45, Temp_12 (OK): 54, Temp_19 (OK): 31, Temp_20 (OK): 39, Temp_21 (OK): 39, Temp_22 (OK): 37, Temp_23 (OK): 46, Temp_24 (OK): 43, Temp_25 (OK): 44, Temp_26 (OK): 46, Temp_30 (OK): 77 | power=218;; Temp_1=28;41;45 Temp_2=40;82;83 Temp_3=40;82;83 Temp_4=44;87;92 Temp_5=43;87;92 Temp_6=52;87;92 Temp_7=51;87;92 Temp_8=52;90;95 Temp_9=47;65;70 Temp_10=53;90;95 Temp_11=45;70;75 Temp_12=54;90;95 Temp_19=31;70;75 Temp_20=39;70;75 Temp_21=39;80;85 Temp_22=37;80;85 Temp_23=46;77;82 Temp_24=43;70;75 Temp_25=44;70;75 Temp_26=46;70;75 Temp_30=77;110;115

Bookworm with OpenSSL 3.0.x needs a different fix

The fix mentioned above works fine for Debian 10 (Buster) and 11 (Bullseye) but does not work for Debian 12 (Bookworm), which now has OpenSSL 3.0.x installed. Another workaround needs to be applied here.

First you can verify that the check_ilo2_health.pl can't establish a SSL connection:

root@bookworm:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH UNKNOWN - ERROR: Failed to establish SSL connection with 192.168.11.11:443  SSL connect attempt failed error:0A000152:SSL routines::unsafe legacy renegotiation disabled.

Create a separate openssl.cnf configuration file (I'm using /usr/lib/nagios/plugins/openssl.cnf) with the following contents:

root@bookworm:~# cat /usr/lib/nagios/plugins/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.0
Options = UnsafeLegacyRenegotiation
CipherString = DEFAULT@SECLEVEL=0

Tell the systen to use this SSL config in your Shell session by setting the OPENSSL_CONF environment variable:

root@bookworm:~# export OPENSSL_CONF=/usr/lib/nagios/plugins/openssl.cnf

From the OpenSSL documentation:

OPENSSL_CONF
    The path to the config file. Ignored in set-user-ID and set-group-ID programs.

Now the plugin works again:

root@bookworm:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH OK - (Board-Version: ILO>=3) Power Usage: 214 Watts, Temperatures: Temp_1 (OK): 24, Temp_2 (OK): 40, Temp_3 (OK): 40, Temp_4 (OK): 40, Temp_5 (OK): 43, Temp_6 (OK): 47, Temp_7 (OK): 48, Temp_8 (OK): 53, Temp_9 (OK): 46, Temp_10 (OK): 52, Temp_11 (OK): 43, Temp_12 (OK): 52, Temp_19 (OK): 29, Temp_20 (OK): 37, Temp_21 (OK): 37, Temp_22 (OK): 35, Temp_23 (OK): 46, Temp_24 (OK): 44, Temp_25 (OK): 42, Temp_26 (OK): 44, Temp_30 (OK): 77 | power=214;; Temp_1=24;41;45 Temp_2=40;82;83 Temp_3=40;82;83 Temp_4=40;87;92 Temp_5=43;87;92 Temp_6=47;87;92 Temp_7=48;87;92 Temp_8=53;90;95 Temp_9=46;65;70 Temp_10=52;90;95 Temp_11=43;70;75 Temp_12=52;90;95 Temp_19=29;70;75 Temp_20=37;70;75 Temp_21=37;80;85 Temp_22=35;80;85 Temp_23=46;77;82 Temp_24=44;70;75 Temp_25=42;70;75 Temp_26=44;70;75 Temp_30=77;110;115


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder