chuchi (Super Contributor)

Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

Hello:

One of our probes is not running the Inventory Discovery by Scanner job against the computers. The workflow stops at the Scanner Connect step (retrying again and again). Looking at the logs we've found that there is an error when the probe is trying to connect to the computers:

Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

The same error is also reported if I check the UDA credentials against one node.

No changes made to the probe.

Any ideas?

Micro Focus Expert

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

What is the CP version?

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
chuchi (Super Contributor)

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

UCMDB: 10.31.107 and CP: 25

Last week this probe worked well with the Inventory Discovery by Scanner job.

Micro Focus Expert

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

10.31 supports CP25 but it came with initial support for CP22.
Around CP23 we upgraded the UDA ciphers. I would suspect that this change didn't propagate to the UD agents or it's not effective.

Was there a recent CP upgrade?

In GlobalSettings.xml (adapter management) you can try to play with the ciphers that we use for UDA; around line 415 you will have the <!--Encoding algorithms--> mark for this.

You can use nmap (present on probe side in tools\nmap_install) to find what ciphers a particular UDA uses:

nmap --script ssl-enum-ciphers -p <UDA_port> <REMOTE_HOSTWITH_UDA_IP>

The output will be a list of supported ciphers by that UDA and you will need to adjust what the probe uses.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
chuchi (Super Contributor)

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

Thanks for the reply.

This is the result of the nmap command against a node:

PORT STATE SERVICE
2738/tcp open ndl-tcp-ois-gw
| ssl-enum-ciphers:
|    TLSv1.2:
|        ciphers:
|           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|           TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|           TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|           TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
|           TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|           TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
|           TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
|           TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
|       compressors:
|           NULL
|       cipher preference: client
|       warnings:
|           64-bit block cipher 3DES vulnerable to SWEET32 attack
|           Weak certificate signature: SHA1
|_   least strength: D

and this is the globalsettings.xml line in the probe:

<property name="ddmagentCiphers">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA</property>

It appears the ciphers of the UDA are supported by the probe. More strangely, this probe worked well last week, and we hadn't made any changes to it.

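The comparison done by eye in the post above can be scripted. The following is an added example, not part of the original thread or of the UCMDB product: it parses the `ssl-enum-ciphers` output (abridged from the post) and the `ddmagentCiphers` property, then reports the suites both sides share and the agent suites nmap grades below A. The function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Sample input taken from the thread above (nmap output abridged).
NMAP_OUTPUT = """\
2738/tcp open ndl-tcp-ois-gw
| ssl-enum-ciphers:
|    TLSv1.2:
|        ciphers:
|           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|           TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
|           TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
|           TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
|_   least strength: D
"""
PROBE_PROPERTY = ('<property name="ddmagentCiphers">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,'
                  'TLS_RSA_WITH_AES_128_CBC_SHA</property>')

# Matches one cipher row: "|   <SUITE> (<key exchange params>) - <grade>"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]+)\) - ([A-F])\s*$")

def parse_agent_ciphers(nmap_text):
    """Return {suite: (key_exchange_params, grade)} offered by the agent."""
    offered = {}
    for line in nmap_text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            offered[m.group(1)] = (m.group(2), m.group(3))
    return offered

def parse_probe_ciphers(property_xml):
    """Return the ordered suite list from the ddmagentCiphers property."""
    elem = ET.fromstring(property_xml)
    if elem.get("name") != "ddmagentCiphers":
        raise ValueError("not the ddmagentCiphers property")
    return [c.strip() for c in (elem.text or "").split(",") if c.strip()]

def compare(nmap_text, property_xml):
    agent = parse_agent_ciphers(nmap_text)
    probe = parse_probe_ciphers(property_xml)
    return {
        "common": [c for c in probe if c in agent],          # handshake candidates
        "probe_only": [c for c in probe if c not in agent],  # agent will refuse these
        "agent_weak": sorted(c for c, (_, g) in agent.items() if g != "A"),
    }

if __name__ == "__main__":
    for key, suites in compare(NMAP_OUTPUT, PROBE_PROPERTY).items():
        print(f"{key}: {', '.join(suites) or '-'}")
```

An empty `common` list would point to a cipher mismatch between probe and agent; with the values from this thread both probe suites are offered by the agent, so the configured list itself does not account for the error.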
Micro Focus Expert

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

Ciphers look good.

There was one similar incident but on 10.22. It may be a problem with the CUP deployment and the jar file discovery-content.jar isn't properly deployed in com\hp\ucmdb\discovery\library\clients\ddmagent

I would recommend opening a Support case on this issue, as it's a security-related problem and it will need more detailed logs and data.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
chuchi (Super Contributor)

Re: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

OK, thanks bmuresan.

I opened a ticket; we hope that they solve it as soon as possible.
