LCD Console CL5708IN/CL5716IN technical questions

FIPS is not available, getting that explicitly would require moving up to the KN series, including the KL1108V/KL1116V, but there were some undocumented commands added to the CL/CS series to enable/disable various cipher levels:

1. Remote connect to unit.
2. Select --> Maintenance ---> Ping host
3. Type the command to change the setting.
4. Press ping button to send command and change the setting.

tc enablerc4 [options]
0 - disable RC4 cipher.
1 - enable RC4 cipher.

tc enablesslv2 [options]
0 - disable SSLv2 protocol.
1 - enable SSLv2 protocol.

tc enabletlsv1.0 [options]
0 - disable TLSv1.0 protocol.
1 - enable TLSv1.0 protocol.

tc enabletlsv1.1 [options]
0 - disable TLSv1.1 protocol.
1 - enable TLSv1.1 protocol.

tc get
display status of protocols

Hope this helps!
We welcome your questions - please come back and ask us anything, anytime.

Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.

 

With the CL configured in this manner:
SSLv2 is disabled.
SSLv3 is disabled.
TLSv1.0 is disabled.
TLSv1.1 is disabled.
RC4 cipher is disabled.
LDAP attribute:iKVM39-userProfile.
SSL uses HIGH ciphers.
Disable LDAP debugging.

nmap returns the below:
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Forward Secrecy not supported by any cipher
|_ least strength: A

Hope this helps!
We welcome your questions - please come back and ask us anything, anytime.

Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.

 

ATEN USA will confirm with ATEN HQ on that.
You could probably do it, but ATEN would also probably like confirmation that you would move ahead with the CL units before committing development time.

On another note: Do you still need the demo unit up as well? We're being asked about it from warehouse.
Please advise.

Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.

 

It would have to be a firmware change, and ATEN HQ is looking into the possibility.
Haven't heard back yet, hopefully by tomorrow morning.

 

Yes. ATEN HQ indicated that in the next firmware (currently no ETA), CBC will be disabled by default.

 

Usually - quarterly.

 

ATEN HQ reports they could deliver a beta with that feature ready some time this week.

 

The official FW release won't be ready for a while, but they can push the CBC disable option early in a beta. The planned operation would be:
To enable CBC cipher， please go to Maintenance > Ping Host and enter command like this "tc enablecbc 1" to enable.
To disable CBC cipher， enter command like this "tc enablecbc 0" to disable.

 

ATEN has a pre-release available now if you have the unit and want to try it out.
There was also a new iCard firmware released mid October. Release notes don't mention if the CBC cipher toggle was added, but they're also not always exhaustive so ATEN USA is checking with ATEN HQ.

 

ATEN HQ came back and said the CBC command wasn't ready in time for the .213 release but it will be integrated to the .214 release (and it also won't be mentioned in the public notes).
No ETA on when .214 is released, but the previously-mentioned pre-release should still work in the meantime.