Secure Connection Failed (Error code: sec_error_ca_cert_invalid)
Hello
I'm having trouble accessing HP iLO with FF 36.0 on Ubuntu 14.04 LTS, getting the following error message:
========================
Secure Connection Failed
An error occurred during a connection to 172.25.X.X. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
========================
It seems to work with other browsers such as Chromium, so the problem seems to be FF 36.0. Unfortunately, I don't have an "Add exception" button in FF that would allow me to bypass this warning.
I've already followed these links:
- https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
- https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems
But I didn't manage to get it to work. Any idea how to get it fixed?
Hi hansende,
Is this happening for just this cert connection? Is there a proxy being used? And what if you change the Network Settings to "No Proxy"?
In order to make sure that the certificate is compatible with the security settings built into Firefox, it is possible to look at the Certificate for the site from the url bar.
- Right Click on the page and select "Page Info"
- Click on Security and "View Certificate"
The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/
Hi guigs2
I have a bunch of other (newer) HP servers with iLO enabled. Seems to work fine there.
guigs2 said
- Right Click on the page and select "Page Info"
- Click on Security and "View Certificate"
Under the Security tab I don't have a "View Certificate" option (I guess because the SSL connection couldn't be established, so no certificate info could be received?). But this might help:
==============
$ openssl s_client -connect X.X.X.X:443
CONNECTED(00000003)
depth=1 /C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
   i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
 1 s:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
   i:/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
---
Server certificate
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
subject=/CN=<redacted>/OU=ISS/O=Hewlett-Packard Company/L=Houston/ST=Texas/C=US
issuer=/C=US/ST=TX/L=Houston/O=Hewlett-Packard Company/OU=ISS/CN=iLO3 Default Issuer (Do not trust)
---
No client certificate CA names sent
---
SSL handshake has read 1919 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: <redacted>
    Session-ID-ctx:
    Master-Key: <redacted>
    Key-Arg   : None
    Start Time: <redacted>
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
==============
Regards
guigs2 said
The CA certificate policy can be referenced: https://www.mozilla.org/en-US/about/g.../policy/
Not sure what I should do with that. This is the default, self-signed SSL certificate that comes out of the box when buying an HP server. Here's the certificate from a working iLO 4 interface:
-> Not working (iLO ? - HP ProLiant DL360 Gen7)
-> Working (iLO 4 - HP ProLiant DL360 Gen9)
==============
$ openssl s_client -connect X.X.X.X:443
CONNECTED(00000003)
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
   i:/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
---
Server certificate
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
subject=/CN=undefined/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
issuer=/CN=iLO Default Issuer (Do not trust)/O=Hewlett-Packard Company/OU=ISS/L=Houston/ST=Texas/C=US
---
No client certificate CA names sent
---
SSL handshake has read 852 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: <redacted>
    Session-ID-ctx:
    Master-Key: <redacted>
    Key-Arg   : None
    Start Time: <redacted>
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
==============
Regards
You can no longer use RC4 cipher suites; these are considered deprecated. So you can't connect to servers that only offer SSL3 and an RC4 certificate.
This is now a standard:
- RFC 7465 - Prohibiting RC4 Cipher Suites:
https://tools.ietf.org/html/rfc7465
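As an added example (not code from this thread or from HP), here is a small triage script for openssl s_client transcripts like the two quoted above: it separates certificate-trust failures (verify return codes 19/20/21, a self-signed "Default Issuer" at the top of the chain, which a proper iLO certificate fixes) from cipher problems (an RC4 suite, prohibited by RFC 7465, which no browser exception can fix). The sample transcript is constructed and deliberately combines features of both quoted runs.

```python
import re

# Constructed sample shaped like the thread's openssl s_client output
# (shortened names; combines the Gen7 self-signed chain with the Gen9 RC4 suite).
SAMPLE = """\
Certificate chain
 0 s:/CN=ilo-gen7/O=HP/C=US
   i:/C=US/O=HP/CN=iLO3 Default Issuer (Do not trust)
 1 s:/C=US/O=HP/CN=iLO3 Default Issuer (Do not trust)
   i:/C=US/O=HP/CN=iLO3 Default Issuer (Do not trust)
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
    Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_s_client(text):
    # Pull out the (subject, issuer) chain pairs, cipher, key size and verify code.
    info = {"chain": [], "cipher": None, "key_bits": None, "verify_code": None}
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"\d+ s:(.*)", line):
            subject = m.group(1)
        elif (m := re.match(r"i:(.*)", line)) and subject is not None:
            info["chain"].append((subject, m.group(1)))
            subject = None
        elif m := re.search(r"Cipher is (\S+)", line):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", line):
            info["key_bits"] = int(m.group(1))
        elif m := re.match(r"Verify return code: (\d+)", line):
            info["verify_code"] = int(m.group(1))
    return info

def triage(info):
    # Trust failures can be fixed by installing a proper certificate on the iLO;
    # cipher failures cannot be bypassed with a browser exception.
    findings = []
    chain = info["chain"]
    if chain and chain[-1][0] == chain[-1][1]:
        findings.append("self-signed issuer at top of chain: replace default iLO cert")
    if info["verify_code"] in (19, 20, 21):
        findings.append(f"verify return code {info['verify_code']}: issuer not trusted")
    if info["cipher"] and "RC4" in info["cipher"].split("-"):
        findings.append("RC4 cipher suite negotiated: prohibited by RFC 7465")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"{info['key_bits']}-bit server key is below 2048")
    return findings
```

Feed it `openssl s_client -connect host:443 </dev/null 2>&1` output from each iLO to see which devices only need a new certificate and which need a firmware update before any current browser will talk to them.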
Hummmm ok, so what should I do with all my HP ProLiant DL360 Gen7 servers that are hosted in a DC 1000 miles away from here? I'm no longer able to administer them (which means that I'm also not able to generate a new SSL certificate for iLO).
How can I re-enable rc4 in FF?
Have you run updates on Ubuntu?
Please run these commands in a terminal:
- apt-get update
- apt-get upgrade -y
Last week there were some updates related to certificates.
@Saurav: Yep, my Ubuntu is up to date. I can't find any way to re-enable RC4 in FF :-(
Hello
- Go to the navigation bar and type about:config
- Search for rc4
Set all to false.
Hopefully it solves your problem.
Saurav said
Hello
- Go to the navigation bar and type about:config
- Search for rc4
Set all to false. Hopefully it solves your problem.
Done, and restarted FF. Still doesn't work :-(
Yeah, they are all set to true by default, and it's not a great experience that you have had to wait this long without being able to administer the servers.
I do not want to recommend this as a permanent solution, however using a working older version of Firefox in the meantime might be a good way to update the security. See "Back up and restore information in Firefox profiles" and "Install an older version of Firefox".
I have a better answer, upgrade to version 37 via bug 1138332
I can confirm that upgrading to FF 37 solved this problem. Thanks!