@brohee
Last active April 30, 2024 23:56
Guide on updating old iLO 3 versions to a more current one

Updating a HP(E) server from iLO 3 version 1.55 to version 1.94

This short document explains how to resolve the issues that arise when trying to update an old (Gen7) HP(E) server to the most recent iLO 3 (HPE Integrated Lights-Out) version, which solves a great number of security and usability issues.

Issues

  • Can't connect to iLO with a modern browser, for lack of supported TLS protocol version
    • solved by using FirefoxPortable version 31
    • and in the Firefox31 portable configuration, in the about:config settings, set security.tls.version.min (the minimum acceptable version of the TLS protocol) to 0 in order to be able to negotiate down to TLS 1.0 (even if iLO 3 can do 1.1). Keep in mind your browser is now (even more) vulnerable to a host of attacks; do not connect to any potentially hostile host with it.
    • in the iLO web console, checking the option "Enforce AES/3DES Encryption" in Administration / Security / Encryption helps by enabling the best iLO 3 has to offer
  • Can't connect with a modern OpenSSH in default configuration, because only a ssh-dss key is offered ("Unable to negotiate with w.x.y.z port 22: no matching host key type found. Their offer: ssh-dss")
    • enable ssh-dss on the command line, like so: ssh -oHostKeyAlgorithms=+ssh-dss user@ilo3host
    • alternatively solved by using PuTTY 0.76, which still supported such keys. More recent versions might also still offer support for this key type by default
  • Can't update from 1.55 to the most recent versions, with an unclear error message
  • Even after upgrading, getting the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to connect with a modern browser (e.g. happening with Chrome 94 at the time of writing)
    • this is no longer solvable: the best TLS version iLO 3 can offer is TLS v1.1, which is deprecated and disabled in all modern browsers

Resources

Contact: bruno.rohee@siginfo.fr

@zotabee

zotabee commented Sep 17, 2022

Great resource! Thank you for all the tips. FirefoxPortable version 31 to the rescue!

Just upgraded my iLO from 1.90 to 1.94, but I still can't use it with a recent browser, even with Edge being forced in IE mode.

@brohee
Author

brohee commented Sep 17, 2022

Is it a TLS issue? "Enforce AES/3DES Encryption" solved it for me.

@zotabee

zotabee commented Sep 19, 2022

It was already enabled on my server but didn't seem to make it work. :/

@winstons76

@brohee
Author

brohee commented Jan 10, 2023

This page was already mentioned in the gist...

@winstons76

This page was already mentioned in the gist...

Ok. Sorry for this.

@KaptainRainman

Thank you so much!!! FirefoxPortable version 31 was the only solution I could find at this point. Even MS Edge in IE mode wasn't working.

@raindancer2204

Hi,

can someone please describe in one or two bullet points what you have configured in Firefox Portable 31?
Open tab and then about:config? And which values did you adjust? Have the latest ILO version 1.94 on the system. But can't connect anymore.

Thanks very much

@brohee
Author

brohee commented Apr 11, 2023

I connect without issue with FF31 and the setting "security.tls.version.min;0". But I did enable "Enforce AES/3DES Encryption" before.

SSLyze shows that iLO 3 as configured accepts only the TLS 1.1 protocol with the 4 following cipher suites:

        TLS_RSA_WITH_AES_256_CBC_SHA                      256
        TLS_RSA_WITH_AES_128_CBC_SHA                      128
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (1024 bits)
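
The following Python is an added example, not code from the gist or from any commenter. It models which `security.tls.version.min` value is the smallest downgrade that still reaches an iLO 3 offering only TLS 1.1, and flags what each of the four listed suites lacks. The pref numbering is Firefox's; the function names, the client ranges passed in, and the 2048-bit DH threshold are assumptions made for this example.

```python
import re

# Firefox about:config numbering for security.tls.version.min / .max
PREF = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
LEVEL = {name: pref for pref, name in PREF.items()}

# Transcribed from the SSLyze result quoted in the comment above
ILO3_PROTOCOLS = ["TLS 1.1"]
ILO3_SUITES = """\
        TLS_RSA_WITH_AES_256_CBC_SHA                      256
        TLS_RSA_WITH_AES_128_CBC_SHA                      128
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  256       DH (1024 bits)
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  128       DH (1024 bits)
"""
SUITE_RE = re.compile(r"^\s*(TLS_\S+)\s+(\d+)(?:\s+DH \((\d+) bits\))?\s*$")

def negotiate(pref_min, pref_max, server_protocols):
    """Highest protocol in the client's [min, max] range that the server accepts."""
    common = [LEVEL[p] for p in server_protocols if pref_min <= LEVEL[p] <= pref_max]
    return PREF[max(common)] if common else None

def least_permissive_min(pref_max, server_protocols):
    """Largest security.tls.version.min that still connects (smallest downgrade)."""
    usable = [LEVEL[p] for p in server_protocols if LEVEL[p] <= pref_max]
    return max(usable) if usable else None

def audit_suites(listing):
    """Map each suite in an SSLyze-style listing to the weaknesses its name implies."""
    report = {}
    for line in filter(str.strip, listing.splitlines()):
        match = SUITE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised line: {line!r}")
        name, _key_bits, dh_bits = match.groups()
        issues = []
        if name.startswith("TLS_RSA_"):
            issues.append("static RSA key exchange, no forward secrecy")
        if dh_bits and int(dh_bits) < 2048:  # assumed threshold for this example
            issues.append(f"{dh_bits}-bit DH group")
        if "_CBC_" in name:
            issues.append("CBC with HMAC-SHA1 instead of an AEAD cipher")
        report[name] = issues
    return report

if __name__ == "__main__":
    print(negotiate(3, 4, ILO3_PROTOCOLS))          # assumed current-browser range
    print(least_permissive_min(4, ILO3_PROTOCOLS))
    print(audit_suites(ILO3_SUITES))
```

With the minimum left at 3 (TLS 1.2) there is no common protocol, which is the version-mismatch failure described in the gist; a minimum of 2 is enough for a TLS 1.1-only iLO, so going lower only widens what the browser will accept from other hosts.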

@raindancer2204

Hi with the settings I was really able to connect with the FirefoxPortable version 31. But now I have to ask again. When I want to open the remote console. What addons or plugins did you install or how do you do it? I installed Java on my machine. The remote console doesn't work for me, how do you do it? Thanks

@raindancer2204

raindancer2204 commented Apr 23, 2023

Screenshot from ilo System:

@zotabee

zotabee commented Apr 24, 2023

I had to re-do this again these days to IPMI a server that was down. Spent a couple of hours trying to configure Java (an old version, jre-8u162) and this time I couldn't make it work even by disabling everything possible (newer TLS versions, for example) like I had to do last time.

Fortunately, there is a much better solution that is straightforward and, for some reason, almost no internet sites or comments mention it. I don't know why not even HP mentions it in the iLO interface, even though it's by far the best and easiest solution: HPE Lights-Out Standalone Remote Console for Windows via https://support.hpe.com/connect/s/softwaredetails?language=en_US&softwareId=MTX_bc8e3ffa59904ec3b505d9964d

Just install it, run it and you can connect to your server. No need to tinker for hours with one of the proposed solutions that never work.

@dalbani

dalbani commented Jul 23, 2023

@zotabee I don't know on which version of Windows you were running this "HPE Lights-Out Standalone Remote Console for Windows", but in my case, on Windows 11, I also got an SSL/TLS error and I couldn't connect.
What did work was the iOS application. But on such a small screen (iPhone), unless you use an external Bluetooth keyboard, it provides a very bad user experience.

@zotabee

zotabee commented Jul 25, 2023

@dalbani This is really strange because I'm on the last stable Win11 22H2 x64 and this app just worked straight away. Glad you could find an alternative though!

@serdar-acir

serdar-acir commented Nov 27, 2023

Just download an older version of any browser. I downloaded an old opera from here: https://get.geo.opera.com/pub/opera/desktop/64.0.3417.73/win/
(on windows you need to delete the task scheduler entry for opera auto-update)

@evanokeeffe

evanokeeffe commented Jan 18, 2024

anyone else having this issue, I tried this and it worked right away.
use docker kaixhin/vnc, it's 14.04 with a vnc in it; recommend using VNC as old firefox had issues running on ubuntu 22.04.
So once the docker image is running, vnc in and then use an old version of firefox. I had ILO3 V1.3 and ILO4 V1.13, so I used version 30.0 and was able to access the ILO management panel, then just upload your new bin and you'll be upgraded in no time :)

if you're looking for the updated ILO bins, I got mine from here and it's working for ILO3 & ILO4: https://pingtool.org/latest-hp-ilo-firmwares/

@lweeks

lweeks commented Feb 2, 2024

On a Mac M2 MacOS 13, using Waterfox Classic and JRE 1.7 works with minimal fuss. Need to downgrade security in about:config, enable TLS 1.1 in the Java control panel, etc. as described above. See https://classic.waterfox.net/

That restores the use of Java remote console for HPE BladeSystem BL460c G7 servers.

@michael-o

Not a problem with any Firefox version: about:config, search for security.tls.version.min, change to 2 temporarily, access your device. Works for me.
