Guide on updating old iLO 3 versions to a more current one

Updating iLO 3.md

Updating a HP(E) server from iLO 3 version 1.55 to version 1.94

This short document explain how to resolve the issues arising when trying to update an old (Gen7) HP(E) server to the most recent iLO 3 (HPE Integrated Lights-Out) version, which solves a great number of security and usability issues.

Issues

• Can't connect to iLO with a modern browser, for lack of supported TLS protocol version
  • solved by using FirefoxPortable version 31
  • and in the Firefox31 portable configuration, in the about:config settings, set security.tls.version.min (the minimum acceptable version of the TLS protocol) to 0 in order to be able to negociate down to TLS 1.0 (even if iLO 3 can do 1.1). Keep in mind your browser is now (even more) vulnerable to a host of attacks, do not connect to any potentially hostile host with it.
  • alternatively sabotage your regular Firefox security settings (this leaves you very vulnerable on the Internet) : in about:config set security.tls.version.enable-deprecated to true and security.tls.version.min to 0 (thanks @edgimar)
  • in the iLO web console, checking the option "Enforce AES/3DES Encryption" in Administration / Security / Encryption helps by enabling the best iLO 3 got to offer
• Can't connect with a modern OpenSSH in default configuration, because only a ssh-dss key is offered ("Unable to negotiate with w.x.y.z port 22: no matching host key type found. Their offer: ssh-dss")
  • enable ssh-dss on the command line, like so: ssh -oHostKeyAlgorithms=+ssh-dss user@ilo3host
  • alternatively solved by using PuTTY 0.76 that still supported such keys. More recent versions might also still offer support for this key type by default
• Can't update from 1.55 to the most recent versions, with an unclear error message
  • solved by updating to the intermediary iLO 3 version 1.57 first
  • then from iLO 3 version 1.57 to iLO 3 version 1.94
  • As per HPE, if one was running an even earlier version (before 1.20) they'd have to upgrade to iLO 3 version 1.20 first

Issues post upgrade

Even after upgrading, your should be getting the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when trying to connect with a modern browser, since the best TLS version iLO 3 can offer is TLS v1.1 that is deprecated and disabled in all modern browsers.

This is not solvable without putting your whole browser security in jeopardy. Some browsers can degrade that security setting but sadly this a a global and not per site setting, and thus pretty dangerous. Digicert has a handy documentation about doing so with various browsers.

I recommand you keep using an older browser dedicated to this usage.

Ressources

• A list of old iLO versions
• Page about solving the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error
• iLO Wikipedia page

Not a problem with any Firefox version: about:config, search for security.tls.version.min, change to 2 temporarily, access your device. Works for me.

@michael-o Does not work for me with Firefox 131.0.2 on NixOS LInux 24.05. Firefox complains SSL_ERROR_NO_CYPHER_OVERLAP.

I found a workaround on Linux x86_64, using nix to install an old version of the midori browser:

Install https://nixos.org, then run:

nix-store -r /nix/store/404nwc88vbbz3yw6n2cb541s7qccyr2h-midori-0.5.8
LANG=C /nix/store/404nwc88vbbz3yw6n2cb541s7qccyr2h-midori-0.5.8/bin/midori

This worked for me to connect to iLO3 1.88.

Not a problem with any Firefox version: about:config, search for security.tls.version.min, change to 2 temporarily, access your device. Works for me.

@michael-o Does not work for me with Firefox 131.0.2 on NixOS LInux 24.05. Firefox complains SSL_ERROR_NO_CYPHER_OVERLAP.

Depressing. On 128.4.0esr (64-Bit) Windows no issue. I use ESR only, maybe that is the difference.

@zotabee I don't know on which version of Windows you were running this "HPE Lights-Out Standalone Remote Console for Windows", but in my case, on Windows 11, I also got an SSL/TLS error and I couldn't connect. What did work was the iOS application. But on such a small screen (iPhone), unless you use an external Bluetooth keyboard, it provides a very bad user experience.

Did you ever find a solution for the SSL/TLS error?
If not ill try to figure it out alone and post here if i find a solution.

Not a problem with any Firefox version: about:config, search for security.tls.version.min, change to 2 temporarily, access your device. Works for me.

This does work, but only if the security.tls.version.enable-deprecated setting has also been set to true.

Well that nugget of information about security.tls.version.enable-deprecated made it to the page, thanks a lot @edgimar.

Thanks for this compilation! Regarding the issues post upgrade (ERR_SSL_VERSION_OR_CIPHER_MISMATCH) there is a simple way to handle it without putting your whole browser security in jeopardy, indeed. Firefox Nightly allows to circumvent the security warning by clicking "accept the risk" or so. Assuming one can reserve it for this specific type of browsing, the standard browser is not affected.

Does anyone know how to make the remote console with Web Start to work? The Web Start starts, but the screen remains gray.