Capability for disabling TLS1.0 on iDRAC6 in 11th generation of PowerEdge Servers


iDRAC6, the Dell Remote Access Controller in the 11th generation of PowerEdge Servers, supports the protocols TLS version 1.0, TLS version 1.1 and TLS version 1.2 (cryptographic protocols designed to provide communications security over a computer network). Starting with firmware version 2.90 for Monolithic and version 3.85 for Modular, we have added the capability of optionally disabling TLS1.0 in iDRAC6. This makes it possible to run the system in a highly secured environment, given the known security vulnerabilities in TLS1.0.

TLS 1.0, along with SSL 3.0, is known to expose the system to the following security vulnerabilities:

  1. POODLE, a vulnerability that could allow hackers to intercept and decrypt the traffic between a user's browser and an SSL-secured website.

  2. BEAST, an attack in which an attacker can “decrypt” data exchanged between the two parties by taking advantage of a vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0, which allows a chosen-plaintext attack.

 Disabling TLS1.0 gives users the option of running the system with TLS1.1 and above, thereby isolating the system from the above-mentioned vulnerabilities.

 The capability to enable/disable TLS1.0 is supported only through the command line interface in iDRAC6 - RACadm. By default, TLS 1.0 is enabled.
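After changing the setting, it is worth confirming from the network side which protocol versions the controller still answers. The script below is an added example, not Dell's code and not part of the original post: it sends a hand-built ClientHello for each version over a plain socket (many current OpenSSL builds refuse to offer TLS 1.0 themselves) and classifies the first record returned. The cipher suite list and the address passed on the command line are assumptions; an alert 40 (handshake_failure) means no offered suite matched, not that the version is disabled.

```python
import os
import socket
import struct
import sys

# Cipher suites offered (assumption: the target accepts at least one RSA/CBC suite):
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
CIPHERS = struct.pack("!3H", 0x002F, 0x0035, 0x000A)
VERSIONS = {"TLS1.0": 0x0301, "TLS1.1": 0x0302, "TLS1.2": 0x0303}

def client_hello(version):
    """Build a minimal ClientHello whose highest offered version is `version`."""
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(CIPHERS)) + CIPHERS + b"\x01\x00")  # suites, null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # type 1 = client_hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake  # wrap in a handshake record

def classify(reply, offered):
    """Interpret the first record the server sent back."""
    if len(reply) >= 7 and reply[0] == 21:                     # alert record: level, description
        return "refused (alert %d)" % reply[6]                 # 70 = protocol_version
    if len(reply) >= 11 and reply[0] == 22 and reply[5] == 2:  # handshake record, server_hello
        chosen = int.from_bytes(reply[9:11], "big")
        return "accepted" if chosen == offered else "answered with 0x%04x" % chosen
    return "closed"                                            # reset, EOF or non-TLS reply

def probe(host, version, port=443, timeout=5.0):
    """Offer one protocol version to host:port and classify the response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(version))
            data = b""
            # An alert is 7 bytes; a ServerHello needs 11 to reach the version field.
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
            return classify(data, version)
    except OSError:
        return "closed"

if __name__ == "__main__" and len(sys.argv) > 1:   # usage: script.py <controller-address>
    for name, ver in VERSIONS.items():
        print(name, probe(sys.argv[1], ver))
```

With TLS 1.0 disabled, the expected result is a refusal or closed connection for TLS1.0 and "accepted" for TLS1.1 and TLS1.2.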

 Limitations of disabling TLS 1.0:

  • Certain versions of Windows OS may not support TLS1.1 and above by default. On such systems WSMan access to iDRAC6 may not work seamlessly. 

More details, and the patches from Microsoft for certain OS versions to work with TLS1.1 and above:

https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in


  • Where is the screenshot?

  • @Cameron -- working on it.  Having an issue with the upload.  Hope to have it resolved soon.

  • Yay, this is good progress. Now if only we had control over the ciphers.