5 Posts

March 5th, 2019 08:00

iDRAC 8 on R730 Rack Server has TLS 1.1 enabled on Port 5900

Hi DELL Community.

Our Dell server was PCI DSS scanned: TLS 1.1 was detected on port 5900, which is used for the virtual console in iDRAC8 (see attached screenshot).

We use firmware version 2.61.60.60, the newest for iDRAC 8 so far.

How can we disable TLS 1.1 for port 5900?

Kind regards.

idrac8_5900.jpg

4 Operator • 2.9K Posts

March 5th, 2019 08:00

Check TLS setting: racadm get idrac.webserver.tlsprotocol

Change TLS setting: racadm set idrac.webserver.tlsprotocol <n>

Where <n> can be 0, 1, or 2. 0 = TLS 1.0 or higher, 1 = TLS 1.1 or higher, and 2 = TLS 1.2 or higher.

You can use that command in the OS, if OpenManage is installed, or you can SSH into the iDRAC to use it. Alternatively, if you have access to the web GUI, you can find the setting at Overview > iDRAC Settings > Network > Services.

5 Posts

March 6th, 2019 01:00

Hi Dylan,

We already set idrac.webserver.tlsprotocol to TLS 1.2, but the vConsole port 5900 doesn't care about that setting (see attached screenshot).

Do you have any other idea how to disable TLS 1.1 for port 5900 and only provide TLS 1.2 on port 5900? Kind regards.

idrac8_5900_ssh.jpg

4 Operator • 2.9K Posts

March 6th, 2019 14:00

With that being the case, double check that you're using the 256 bit encryption option. If you are, then roll it back to version 2.52.52.52 and set it to TLS 1.2. Might give it an extra racreset, too. I say this because 2.60.60.60 had an issue where TLS 1.1 ciphers were being incorrectly permitted and the fix may not have made it into 2.61.60.60.

5 Posts

March 7th, 2019 06:00

Hi.

I downgraded iDRAC to version 2.52.52.52 and activated "SSL Enc 256", but TLS 1.1 is still active on port 5900.

I think this problem should be fixed, because with TLS 1.1 active iDRAC will not be PCI DSS compliant. What do you think?

idrac8_5900_oldidrac_fw_services.jpg

idrac8_5900_oldidrac_fw.jpg

4 Operator • 2.9K Posts

March 7th, 2019 09:00

Try setting a custom cipher string using the button just below where you would set the TLS protocol. Something like: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.

This is something that is being worked on, but I'm not sure when the firmware with the fix will post.

5 Posts

March 8th, 2019 07:00

I think you are talking about the button under TLS Settings when using iDRAC 2.61.60.60; see picture below.

idrac8_ciphers.jpg

When I input TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 I get an error message:

idrac8_ciphers_2.jpg

What is the error about "incorrect data input"?

Any idea?

5 Posts

March 19th, 2019 03:00

Bump!

June 4th, 2019 11:00

I was able to finally get rid of TLS1.1 on port 5900.

Step 1) Overview: Server: Virtual Console: Uncheck "Enabled"

Step 2) Overview: Server: Attached Media (Tab): Uncheck "Enabled"

Clipboard-20190604-1302.png

Clipboard-20190604-1320.png

1 Message

September 28th, 2020 11:00

The solution posted is to disable Virtual Console.

1. What is the impact in doing this?

2. Are you able to still perform Remote Lights Out type operations?

3. Is there a firmware fix from Dell yet?

4 Operator • 3K Posts

September 28th, 2020 21:00

You need to disable both virtual console and virtual media to disable port 5900. There is no impact in disabling virtual console and virtual media. All other features other than virtual console and virtual media will continue to work.
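The two fixes in this thread (setting idrac.webserver.tlsprotocol, and disabling virtual console plus virtual media) can be checked from the outside with the following added example, which is not from the thread or from Dell: a POSIX shell script that offers one TLS version at a time to ports 443 and 5900 with openssl s_client and reports which versions the iDRAC accepts. It assumes openssl is on the PATH and supports the -tls1, -tls1_1 and -tls1_2 flags; 192.0.2.10 in the usage line is a placeholder address.

```shell
# Added example, not from the thread: audit which TLS versions an iDRAC
# accepts on the web server port (443) and the virtual console port (5900).
# Assumes `openssl s_client` is available and supports -tls1, -tls1_1, -tls1_2.

# Classify captured `openssl s_client` output. Prints "accepted" and returns 0
# when a session was negotiated; prints "rejected" and returns 1 when the server
# refused the offered protocol (OpenSSL prints "Cipher is (NONE)") or the
# connection failed entirely (no "Cipher is" line at all).
classify_handshake() {
    if printf '%s\n' "$1" | grep -Fq 'Cipher is (NONE)'; then
        echo rejected; return 1
    fi
    if printf '%s\n' "$1" | grep -Fq 'Cipher is '; then
        echo accepted; return 0
    fi
    echo rejected; return 1
}

# Offer exactly one protocol version to host:port; 0 = accepted, 1 = rejected.
probe_tls() {
    out=$(printf '' | openssl s_client -connect "$1:$2" "$3" 2>&1)
    classify_handshake "$out" >/dev/null
}

# Print one line per port/version pair. After idrac.webserver.tlsprotocol is
# set to 2, port 443 should reject tls1 and tls1_1; on iDRAC8 port 5900 keeps
# accepting tls1_1 until virtual console and virtual media are both disabled.
audit_idrac() {
    for port in 443 5900; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            if probe_tls "$1" "$port" "$flag"; then
                printf '%s:%s %-6s accepted\n' "$1" "$port" "${flag#-}"
            else
                printf '%s:%s %-6s rejected\n' "$1" "$port" "${flag#-}"
            fi
        done
    done
}

# Constructed s_client excerpts (not real captures) for an offline self-check.
SAMPLE_OK='New, TLSv1.1, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_DOWN='connect:errno=111'
# Usage: audit_idrac 192.0.2.10   (192.0.2.10 is a placeholder address)
```

A port that has stopped answering after the virtual console is disabled shows up as "rejected" for every version, which is the state the scanner in this thread was looking for.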

June 17th, 2021 05:00

Hi.

Older topic but I think, the issue remains.

Until now there was the very same problem when using iDRAC9: TLS 1.1 and weak ciphers for virtual console / media, regardless of the iDRAC's TLS settings. It seems VC is using its own server and/or settings.

With 4.40.00.00 and beyond this was fixed for iDRAC9. Unfortunately, you (IMO) can't find the needed settings in the GUI. See the Dell article on this.

I would love to see this implemented for iDRAC8 as well. Maybe you should open tickets regarding this issue. Or is it already in Dell's iDRAC8 pipeline?

Best regards.

Andrej

Moderator • 3.6K Posts

June 17th, 2021 06:00

Hello Andrej,

What iDRAC version are you on?

I see iDRAC v2.61.60.60 addressed the following.

- Fixed an issue that was causing TLS 1.1 and TLS 1.2 ciphers to be listed even if the iDRAC was configured to use TLS 1.2 only

Command line, pages 82-83: https://dell.to/3gK3J2h

racadm set idrac.webserver.tlsprotocol <n>

Where <n> can be 0, 1, or 2:

0 = TLS 1.0 or higher, 1 = TLS 1.1 or higher, and 2 = TLS 1.2 only.

Did you try the settings yd0ineedaname posted for iDRAC8 configuration?

Tip here: iDRAC 2.81.81.81 should be releasing by end of the month or early next month. I won't know the fixes it has until it posts.

2 Posts

October 26th, 2021 09:00

2.81.81.81 has been out a while, and as far as I can see has no fixes to address this issue. It's a problem for us too, so is there any news on a fix, please?

Moderator • 8.7K Posts

October 26th, 2021 13:00

CyberP,

The only way to get it to pass a scan for TLS 1.1 is to turn off Virtual Console and Virtual Media, as there is no way to make iDRAC8 use only TLS 1.2 for VC.
On the iDRAC9 they allowed it to mirror what the web server uses, but you can't on the iDRAC8.

Let me know if this helps.

2 Posts

October 27th, 2021 00:00

Hi Chris,

That is in fact what we are doing, but since we do use the virtual console we have to keep enabling and then disabling it, meaning inevitably we sometimes get hit with a vulnerability notification.

It would be great if this could be fixed to match the iDRAC9 functionality.
