This short document explains how to resolve the issues arising when trying to update an old (Gen7) HP(E) server to the most recent iLO 3 (HPE Integrated Lights-Out) version, which solves a great number of security and usability issues.
- Can't connect to iLO with a modern browser, for lack of a supported TLS protocol version
  - solved by using FirefoxPortable version 31
  - and in the Firefox31 portable configuration, in the about:config settings, set security.tls.version.min (the minimum acceptable version of the TLS protocol) to 0 in order to be able to negotiate down to TLS 1.0 (even if iLO 3 can do 1.1). Keep in mind your browser is now (even more) vulnerable to a host of attacks; do not connect to any potentially hostile host with it.
  - in the iLO web console, checking the option "Enforce AES/3DES Encryption" in Administration / Security / Encryption helps by enabling the best iLO 3 has to offer
- Can't connect with a modern OpenSSH in default configuration, because only an ssh-dss key is offered ("Unable to negotiate with w.x.y.z port 22: no matching host key type found. Their offer: ssh-dss")
  - enable ssh-dss on the command line, like so:
    ssh -oHostKeyAlgorithms=+ssh-dss user@ilo3host
  - alternatively solved by using PuTTY 0.76, which still supported such keys. More recent versions might also still offer support for this key type by default
- Can't update from 1.55 to the most recent versions, with an unclear error message
  - solved by updating to the intermediary iLO 3 version 1.57 first
  - then from iLO 3 version 1.57 to iLO 3 version 1.94
  - As per HPE, if one was running an even earlier version (before 1.20) they'd have to upgrade to iLO 3 version 1.20 first
- Even after upgrading, getting the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to connect with a modern browser (e.g. happening with Chrome 94 at the time of writing)
  - this is not solvable anymore: the best TLS version iLO 3 can offer is TLS v1.1, which is deprecated and disabled in all modern browsers
- A list of old iLO versions
- Page about solving the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error
- iLO Wikipedia page
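
The ssh-dss negotiation error quoted above can be turned into a per-host ssh_config stanza, so that the legacy host key type is re-enabled for the iLO only and never under a global `Host *`. This is an added example, not part of the original document; the function names and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: derive a host-scoped ssh_config stanza from the OpenSSH
# negotiation failure, instead of relaxing HostKeyAlgorithms for every host.

# Constructed sample input: the error text from this page, with a
# documentation-range address substituted for w.x.y.z.
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching host key type found. Their offer: ssh-dss'

# Print the host named in an "Unable to negotiate with ..." line; return 1 otherwise.
failing_host() {
    rest=${1#"Unable to negotiate with "}
    [ "$rest" != "$1" ] || return 1
    printf '%s\n' "${rest%% port *}"
}

# Print the comma-separated host key types the server offered; return 1 if the
# line is not a host-key negotiation failure.
offered_hostkeys() {
    case $1 in
        *"no matching host key type found. Their offer: "*)
            printf '%s\n' "${1##*Their offer: }" ;;
        *) return 1 ;;
    esac
}

# Print a stanza for ~/.ssh/config that allows ssh-dss for that one host.
# Returns 1 on unrecognised input, 2 if the server did not offer ssh-dss
# (nothing else is re-enabled automatically).
scoped_stanza() {
    host=$(failing_host "$1") || return 1
    offer=$(offered_hostkeys "$1") || return 1
    case ",$offer," in
        *,ssh-dss,*) ;;
        *) return 2 ;;
    esac
    printf 'Host %s\n    HostKeyAlgorithms +ssh-dss\n' "$host"
}

# Stand-alone run: show the stanza for the constructed sample.
scoped_stanza "$SAMPLE_ERR"
```

Appending the printed stanza to `~/.ssh/config` has the same effect as the `-oHostKeyAlgorithms=+ssh-dss` flag, limited to connections to that host.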
Contact: [email protected]
The following VBS allows you to launch Internet Explorer in a Windows environment and connect to iLO3 (tested on Win11 23H2).
Since TLS1.0/1.1 is disabled on the Internet Explorer side by default, it is necessary to enable them in the settings of Internet Explorer launched after the script is executed for the first time.
https://gist.github.com/mitaken/485cbedc82690ef01100f6720c8bfa7d