
LCD Console CL5708IN/CL5716IN technical questions

Discussion in 'KVM' started by DeanF, Aug 18, 2022.

  1. DeanF

    DeanF Guest

    Thank you for the assistance, the scan was completed.

    A follow-on question emerged: it triggered alerts for multiple weak TLS ciphers being enabled. Is there any way in these devices to manage the ciphers that are used? Our current model has a FIPS mode that has strict ciphers; I couldn't see an equivalent option. Is there a way to limit the use of older/weaker TLS ciphers?
     
  2. KVMGalore Expert

    KVMGalore Expert Staff Member

    FIPS is not available, getting that explicitly would require moving up to the KN series, including the KL1108V/KL1116V, but there were some undocumented commands added to the CL/CS series to enable/disable various cipher levels:

    1. Remote connect to unit.
    2. Select --> Maintenance --> Ping host
    3. Type the command to change the setting.
    4. Press ping button to send command and change the setting.

    tc enablerc4 [options]
    0 - disable RC4 cipher.
    1 - enable RC4 cipher.

    tc enablesslv2 [options]
    0 - disable SSLv2 protocol.
    1 - enable SSLv2 protocol.

    tc enabletlsv1.0 [options]
    0 - disable TLSv1.0 protocol.
    1 - enable TLSv1.0 protocol.

    tc enabletlsv1.1 [options]
    0 - disable TLSv1.1 protocol.
    1 - enable TLSv1.1 protocol.

    tc get
    display status of protocols

    Hope this helps!
    We welcome your questions - please come back and ask us anything, anytime.

    Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.
     
  3. DeanF

    DeanF Guest

    Thank you, this is quite helpful.

    If we disabled SSLv2 and TLS 1.0/1.1 so the device can only use TLS 1.2 or higher, and disabled RC4 ciphers, what ciphers would the device still leverage? We have internal standards and I'm trying to see if this configuration will meet them.
     
  4. KVMGalore Expert

    KVMGalore Expert Staff Member

    With the CL configured in this manner:
    SSLv2 is disabled.
    SSLv3 is disabled.
    TLSv1.0 is disabled.
    TLSv1.1 is disabled.
    RC4 cipher is disabled.
    LDAP attribute: iKVM39-userProfile.
    SSL uses HIGH ciphers.
    Disable LDAP debugging.

    nmap returns the below:
    PORT STATE SERVICE
    443/tcp open https
    | ssl-enum-ciphers:
    | TLSv1.2:
    | ciphers:
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    | compressors:
    | NULL
    | cipher preference: client
    | warnings:
    | Forward Secrecy not supported by any cipher
    |_ least strength: A

    Hope this helps!
    We welcome your questions - please come back and ask us anything, anytime.

    Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.
     
  5. DeanF

    DeanF Guest

    Thank you, this is super helpful.
    Is there any option to deselect CBC ciphers? My allowed options are GCM and CCM, so I wanted to see if an option exists that would allow me to deselect those that don't meet enterprise standards.
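    As an added example (not from this thread, ATEN or KVMGalore), a small Python checker that parses the nmap ssl-enum-ciphers output quoted in the previous answer and reports what would still fail the standard described in this thread (TLS 1.2 or higher, no RC4, GCM/CCM suites only). The sample input is the thread's own nmap output, embedded as a constructed string; the policy constants are assumptions taken from the posts above.

```python
# Constructed sample input: the nmap ssl-enum-ciphers block quoted earlier in this thread
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Forward Secrecy not supported by any cipher
|_ least strength: A
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumed standard from the thread: TLS 1.2 or higher
ALLOWED_MODES = ("_GCM_", "_CCM_")          # assumed standard from the thread: GCM/CCM suites only

def parse_enum_ciphers(text):
    """Parse nmap's ssl-enum-ciphers block into ({protocol: [suite, ...]}, [warning, ...])."""
    suites, warnings, proto, section = {}, [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()              # drop nmap's script-output prefix
        if line.startswith(("SSLv", "TLSv")) and line.endswith(":"):
            proto, section = line[:-1], None          # new protocol-version block
            suites[proto] = []
        elif line in ("ciphers:", "compressors:", "warnings:"):
            section = line[:-1]
        elif section == "ciphers" and line.startswith("TLS_"):
            suites[proto].append(line.split()[0])     # suite name without "(rsa 2048) - A"
        elif section == "warnings" and line and ":" not in line:
            warnings.append(line)                     # skips the "least strength:" trailer
    return suites, warnings

def evaluate(suites, warnings):
    """Return findings that would still fail a TLS1.2+, no-RC4, GCM/CCM-only standard."""
    findings = []
    for proto, ciphers in suites.items():
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"{proto}: legacy protocol still offered")
            continue
        findings += [f"{proto}: {c} is not a GCM/CCM suite"
                     for c in ciphers if not any(m in c for m in ALLOWED_MODES)]
    if any("Forward Secrecy" in w for w in warnings):
        findings.append("no forward secrecy: no suite offers (EC)DHE key exchange")
    return findings
```

    Run against the thread's output it lists the four CBC suites and the missing forward secrecy; the two GCM suites pass. Re-running it after a firmware change is a quick way to confirm the CBC toggle actually took effect.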
     
  6. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN USA will confirm with ATEN HQ on that.
    You could probably do it, but ATEN would also probably like confirmation that you would move ahead with the CL units before committing development time.

    On another note: Do you still need the demo unit up as well? We're being asked about it from the warehouse.
    Please advise.

    Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.
     
  7. DeanF

    DeanF Guest

    We are done with the demo system, scan is complete. It does not trigger the Qualys issue for HTTP security headers.

    On the TLS item, is that something that would have to be a feature request to adopt via a code change?
     
  8. KVMGalore Expert

    KVMGalore Expert Staff Member

    It would have to be a firmware change, and ATEN HQ is looking into the possibility.
    Haven't heard back yet, hopefully by tomorrow morning.
     
  9. DeanF

    DeanF Guest

    Just checking in to see if any word came back from HQ?
     
  10. KVMGalore Expert

    KVMGalore Expert Staff Member

    Yes. ATEN HQ indicated that in the next firmware (currently no ETA), CBC will be disabled by default.
     
  11. DeanF

    DeanF Guest

    Are updates released on any sort of normal schedule (say quarterly or semi-annually) that would give us an idea of when this might be included? Just want to plan to move forward as long as I'm not swapping one audit finding for a different one :)
     
  12. KVMGalore Expert

    KVMGalore Expert Staff Member

    Usually - quarterly.
     
  13. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN HQ reports they could deliver a beta with that feature ready some time this week.
     
  14. DeanF

    DeanF Guest

    Any update? If there is a doc sample showing the option to disable it, that should allow me to start the process. I would hope it would be available by the time we could purchase and deploy.
    Thanks!
    Dean
     
  15. KVMGalore Expert

    KVMGalore Expert Staff Member

    The official FW release won't be ready for a while, but they can push the CBC disable option early in a beta. The planned operation would be:
    To enable CBC cipher, please go to Maintenance > Ping Host and enter command like this "tc enablecbc 1" to enable.
    To disable CBC cipher, enter command like this "tc enablecbc 0" to disable.
     
  16. DeanF

    DeanF Guest

    Any update on a release date for the firmware with the fix in it?
     
  17. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN has a pre-release available now if you have the unit and want to try it out.
    There was also a new iCard firmware released mid October. Release notes don't mention if the CBC cipher toggle was added, but they're also not always exhaustive so ATEN USA is checking with ATEN HQ.
     
  18. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN HQ came back and said the CBC command wasn't ready in time for the .213 release but it will be integrated to the .214 release (and it also won't be mentioned in the public notes).
    No ETA on when .214 is released, but the previously-mentioned pre-release should still work in the meantime.
     
