Jan 31

Java update broke the Dell DRAC 5 remote management cards!

So the OpenJDK in most Linux distros has now been upgraded to v1.8. This includes a good fix for the whole SSLv3 POODLE vulnerability.

This has one problem. The Dell DRAC remote management cards installed in a lot of Dell servers rely on SSLv3 to operate. Without it, you can get into the web interface, but then you get an error stating "Error when reading from SSL socket connection" and get no further.

Thankfully, it is simple to re-enable SSLv3 to allow the connection to succeed.

Open up /usr/lib/jvm/*/jre/lib/security/java.security in your favourite editor as root, and change the following line:
jdk.tls.disabledAlgorithms=SSLv3

to

jdk.tls.disabledAlgorithms=

This enables SSLv3 for all Java applications; however, it exposes you to the MITM attack described in CVE-2014-3566. I suggest having a read of the CVE to decide whether you want to keep this setting as the default on your system or disable SSLv3 again afterwards.
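To check afterwards which JVMs on a machine still have the edit in place, the following is an added example (not part of the original post) that parses each java.security file and reports whether SSLv3 is still listed in jdk.tls.disabledAlgorithms. The function names and the sample text are assumptions made for illustration; the glob path is the one given above.

```python
import glob
import sys

PROP = "jdk.tls.disabledAlgorithms"

# Constructed sample: java.security after the edit described above.
SAMPLE_EDITED = """\
# constructed sample, not a real java.security file
jdk.certpath.disabledAlgorithms=MD2, \\
    RSA keySize < 1024
jdk.tls.disabledAlgorithms=
"""

def logical_lines(text):
    """Yield property lines with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def disabled_algorithms(text):
    """Return the effective (last) value as a list, or None if the property is absent."""
    value = None
    for line in logical_lines(text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == PROP:
            value = [a.strip() for a in val.split(",") if a.strip()]
    return value

def sslv3_disabled(text):
    """True only when SSLv3 is still listed in jdk.tls.disabledAlgorithms."""
    algs = disabled_algorithms(text) or []
    return any(a.lower() == "sslv3" for a in algs)

if __name__ == "__main__":
    paths = sys.argv[1:] or glob.glob("/usr/lib/jvm/*/jre/lib/security/java.security")
    if not paths:
        print("no java.security found; sample:", "OK" if sslv3_disabled(SAMPLE_EDITED) else "WEAK")
    weak = 0
    for path in paths:
        with open(path, encoding="latin-1") as fh:
            ok = sslv3_disabled(fh.read())
        weak += not ok
        print(("OK   " if ok else "WEAK ") + path)
    sys.exit(1 if weak else 0)
```

Run with no arguments it scans the installed JVMs and exits non-zero if any file no longer disables SSLv3, so it can be dropped into a periodic configuration check.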

6 comments

    • Fred Sawyer on June 11, 2015 at 1:23 am

    Just ran into this issue, your write up saved tons of time. Thanks for sharing.

    • Niru on June 29, 2015 at 4:33 pm

    Really fantastic solution. Thank you so much for posting very valuable and useful info…

    • fish on October 8, 2015 at 3:57 am

    Nice attempt, unfortunately didn’t work for me. Is there any other place, where maybe globally defined parameters are? I try to access the virtual console of HP ILO 2. When I use the browser, I can download the JAR-file, but java says:

    JAR https://10.100.128.20/rc175p08.jar not found. Continuing.

    My environment:

    fedora 21,
    OpenJDK Runtime Environment (build 1.8.0_60-b27)
    OpenJDK 64-Bit Server VM (build 25.60-b23, mixed mode)

    regards fish

  1. Thank you Steve this did the trick for a problem with a KVM viewer.
    It is a wonder why Java implementations and the API are completely non-standard and each update seems to break critical applications.

    • Bill on April 8, 2016 at 11:38 pm

    I had to do this, and do a remote racadm command to get the ssl cert or else I kept getting the same error.

    Using remote racadm, I ran this command:

    racadm -r -u -p sslcertdownload -t 1 -f

    Then it works like a charm for me.

    • Bill on April 8, 2016 at 11:39 pm

    I forgot to add that I then had to import the cert into Java.
