Guide on updating old iLO 3 versions to a more current one

Updating iLO 3.md

Updating a HP(E) server from iLO 3 version 1.55 to version 1.94

This short document explain how to resolve the issues arising when trying to update an old (Gen7) HP(E) server to the most recent iLO 3 (HPE Integrated Lights-Out) version, which solves a great number of security and usability issues.

Issues

• Can't connect to iLO with a modern browser, for lack of supported TLS protocol version
  • solved by using FirefoxPortable version 31
  • and in the Firefox31 portable configuration, in the about:config settings, set security.tls.version.min (the minimum acceptable version of the TLS protocol) to 0 in order to be able to negociate down to TLS 1.0 (even if iLO 3 can do 1.1). Keep in mind your browser is now (even more) vulnerable to a host of attacks, do not connect to any potentially hostile host with it.
  • in the iLO web console, checking the option "Enforce AES/3DES Encryption" in Administration / Security / Encryption helps by enabling the best iLO 3 got to offer
• Can't connect with a modern OpenSSH in default configuration, because only a ssh-dss key is offered ("Unable to negotiate with w.x.y.z port 22: no matching host key type found. Their offer: ssh-dss")
  • enable ssh-dss on the command line, like so: ssh -oHostKeyAlgorithms=+ssh-dss user@ilo3host
  • alternatively solved by using PuTTY 0.76 that still supported such keys. More recent versions might also still offer support for this key type by default
• Can't update from 1.55 to the most recent versions, with an unclear error message
  • solved by updating to the intermediary iLO 3 version 1.57 first
  • then from iLO 3 version 1.57 to iLO 3 version 1.94
  • As per HPE, if one was running an even earlier version (before 1.20) they'd have to upgrade to iLO 3 version 1.20 first
• Even after upgrading, getting the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to connect with a modern browser (e.g. happening with Chrome 94 at the time of writing)
  • this is not solvable anymore, the best TLS version iLO 3 can offer is TLS v1.1 that is deprecated and disabled in all modern browsers

Ressources

• A list of old iLO versions
• Page about solving the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error
• iLO Wikipedia page

Contact: bruno.rohee@siginfo.fr

Just download an older version of any browser. I downloded an old opera from here: https://get.geo.opera.com/pub/opera/desktop/64.0.3417.73/win/
(on windows you need to delete the task scheduler entry for opera auto-update)

anyone else having this issue, I tried this and it worked right away.
use docker kaixhin/vnc it's 14.04 with a vnc in it, recommend using VNC as old firefox had issues running on ubuntu 22.04 .
So once docker image is running, vnc in and then use and old version of firefox , I had ILO3 V1.3 and ILO4 V1.13 so I used version 30.0 and was able to access the ILO management panel, then just upload your new bin and you'll be upgraded in no time :)

if you're looking for the updated ILO bins, I got mine from here and it working for ILO3 & ILO4 https://pingtool.org/latest-hp-ilo-firmwares/

On a Mac M2 MacOS 13, using Waterfox Classic and JRE 1.7 works with minimal fuss. Need to downgrade security in about:config, enable TLS 1.1 in the Java control panel, etc. as described above. See https://classic.waterfox.net/

That restores the use of Java remote console for HPE BladeSystem BL460c G7 servers.

Not a problem with any Firefox version: about:config, search for security.tls.version.min, change to 2 temporarily, access your device. Works for me.