iDRAC6, the Dell Remote Access Controller in the 11th generation of PowerEdge servers, supports the protocols TLS version 1.0, TLS version 1.1 and TLS version 1.2 (cryptographic protocols designed to provide communications security over a computer network). Starting with firmware version 2.90 for Monolithic and version 3.85 for Modular, we have added the capability of optionally disabling TLS 1.0 in iDRAC6. This is to facilitate running the system in a highly secured environment, given the known security vulnerabilities in TLS 1.0.
TLS 1.0, together with SSL 3.0, is known to expose the system to the following security vulnerabilities:
POODLE, a vulnerability that could allow hackers to intercept and decrypt the traffic between a user's browser and an SSL-secured website.
BEAST, an attack in which an attacker can “decrypt” data exchanged between the two parties by taking advantage of a vulnerability in the implementation of the Cipher Block Chaining (CBC) mode in TLS 1.0, which allows them to perform a chosen-plaintext attack.
Disabling TLS 1.0 gives users the option to run the system with TLS 1.1 and above, thereby isolating the system from the above-mentioned vulnerabilities.
The capability to enable or disable TLS 1.0 is supported only through the iDRAC6 command-line interface, RACADM. By default, TLS 1.0 is enabled.
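One way to confirm the effect of the setting from a management workstation, as an added example that is not Dell's code: it attempts one handshake per protocol version against the controller and compares the outcome with the intended state (TLS 1.0 refused, TLS 1.1 and above accepted). The host argument, port 443 and all function names are assumptions.

```python
import socket
import ssl
import sys

# The three protocol versions the article says iDRAC6 supports, with the
# flag telling whether the local OpenSSL build can speak each one at all.
VERSIONS = {
    "TLS 1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLS 1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLS 1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}

def probe(host, port, name, timeout=5.0):
    """Try one handshake pinned to a single protocol version."""
    version, client_ok = VERSIONS[name]
    if not client_ok:
        return "client-unsupported"     # a local limit must not count as a refusal
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # version check only: the certificate
    ctx.verify_mode = ssl.CERT_NONE     # is deliberately not validated here
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy versions
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # TCP never connected: says nothing about TLS
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError):     # alert, reset or timeout during the handshake
        return "refused"

def assess(results):
    """Compare probe results with the state the article aims for."""
    if "unreachable" in results.values() or results["TLS 1.0"] == "client-unsupported":
        return "inconclusive"
    if results["TLS 1.0"] == "accepted":
        return "TLS 1.0 still enabled"
    if "accepted" not in (results["TLS 1.1"], results["TLS 1.2"]):
        return "TLS 1.0 refused, but no TLS 1.1+ handshake succeeded"
    return "TLS 1.0 refused, TLS 1.1+ accepted"

def audit(host, port=443):              # port 443 is an assumption
    results = {name: probe(host, port, name) for name in VERSIONS}
    return results, assess(results)

if __name__ == "__main__":
    print(audit(sys.argv[1]))           # argument: address of the controller
```

Run it before and after changing the setting; an "inconclusive" verdict means the probing host, not the controller, is the limiting factor.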
Limitations of disabling TLS 1.0:
Certain versions of Windows OS may not support TLS 1.1 and above by default. On such systems, WSMan access to iDRAC6 may not work seamlessly.
More details, and the patches from Microsoft for certain OS versions to work with TLS 1.1 and above:
Where is the screenshot?
@Cameron -- working on it. Having an issue with the upload. Hope to have it resolved soon.
Yay, this is good progress. Now if only we had control over the ciphers.