May 25th, 2023 04:00

Old SAN HQ, self-signed certificate using SHA1

Hi

We have a SAN HQ server, but our security scans are flagging that a cert on the server is using SHA1.

The cert was issued by Dell EqualLogic Self-signed. It's good until 2041, but it's using the old hash.

What is this cert for exactly, and can it be deleted or easily replaced with a new one? I read maybe it's for SupportAssist. We don't use that anymore, so could it just be deleted?

Thanks

Moderator • 631 Posts

May 25th, 2023 08:00

Hello l4ndo,

This is the first I have heard of this. It may take me more research.

Could you let us know what tool you are using for scanning for vulnerabilities?

Can you post the details on an image or the scan results?

61 Posts

May 25th, 2023 09:00

Nessus for scanning.
SSL Certificate Signed Using Weak Hashing Algorithm
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

Signature Algorithm : SHA-1 With RSA Encryption


It's probably because it's an ancient server with an old SAN HQ, but I was just wondering if deleting it would be a quick fix, as if it's associated with SupportAssist, then we don't care about that not working.

It's all due for decom anyway, so it's no sweat if you can't find any information.

Moderator • 631 Posts

May 25th, 2023 10:00

Hello l4ndo,

What version are you on of SAN HQ and your PowerStore unit?

It looks like SSL Certificate Signed Using Weak Hashing Algorithm is fixed with a firmware update.

Dell EqualLogic SAN HeadQuarters v3.5.1

https://dell.to/3qevMyY

And update your PowerStore

PS Series Firmware v10.0.3

https://dell.to/3OAs1hC

    PS4100, PS4110, PS-M4110
    PS4210
    PS6000, PS6010, PS6100, PS6110
    PS6500, PS6510
    PS6210
    PS6610

Or you may wait as you are decommissioning soon.

24 Posts

August 27th, 2023 16:26

@DellEMCSupport I also have this issue: SanHQ 3.51, HIT 5.5.0 on servers, Firmware 10.0.3 on PS4210. I can't find any info on how to update that weak certificate that Nessus is finding. Ideas???

1 Rookie • 1.5K Posts

August 28th, 2023 17:23

Hello

I suspect you are scanning the 4210, not HIT/SANHQ?

https://i.dell.com/sites/doccontent/shared-content/data-sheets/en/Documents/ESG-TechWP-Securing-EQL-SAN.pdf

The older SSH v1 support can be disabled on the PS Series.

You can also disable the older legacy protocols as well. However, if you are using the VMware Storage Manager (VSM) appliance, disabling legacy protocols will prevent VSM from communicating with the arrays.

Regards,

Don

24 Posts

August 29th, 2023 16:35

@dwilliam62

I'm scanning the servers w/HIT:

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject             : CN=My Server/O=Dell/OU=EqualLogic/2.5.4.12=Self-Signed Certificate
Signature Algorithm : SHA-1 With RSA Encryption
Valid From          : Jan 01 08:00:00 2000 GMT
Valid To            : Dec 31 08:00:00 2123 GMT
tcp port 7569
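
An added example, not part of the original thread and not Dell or Nessus code: a standard-library Python check that reads the outer signatureAlgorithm OID of a DER certificate, so the scan result above can be confirmed independently and re-checked after any change. The function names, the host passed to `check_host`, and the sample bytes (a constructed DER skeleton, not a real certificate) are assumptions; port 7569 is the one in the scan output.

```python
import ssl

# Signature-algorithm OIDs built on hashes the Nessus plugin text calls weak.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Constructed sample: Certificate{ tbs{INTEGER 0}, AlgId{sha1WithRSA, NULL}, BIT STRING }
SAMPLE_SHA1 = bytes.fromhex(
    "3018" "3003020100" "300d06092a864886f70d0101050500" "03020000")

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    n = first & 0x7F if first & 0x80 else 0      # long-form length byte count
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID content bytes (base-128 arcs) to dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # high bit clear ends an arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def signature_oid(der):
    """Return the outer signatureAlgorithm OID of a DER X.509 certificate."""
    _, start, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)             # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)         # AlgorithmIdentifier SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)   # algorithm OID
    if tag != 0x06 or o_start == o_end:
        raise ValueError("signatureAlgorithm OID not found")
    return _oid(der[o_start:o_end])

def weak_signature(der):
    """Name of the weak signature algorithm, or None if it is not in the list."""
    return WEAK_SIG_OIDS.get(signature_oid(der))

def check_host(host, port=7569):
    """Fetch the leaf certificate without validation (old services may need legacy TLS)."""
    pem = ssl.get_server_certificate((host, port))
    return weak_signature(ssl.PEM_cert_to_DER_cert(pem))
```
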

1 Rookie • 1.5K Posts

August 31st, 2023 18:28

@Jim SDCU

Thank you for that. Do you have a test system or maybe a VM you could use to test something? Where you can take a snapshot and roll it back if it doesn't work.

I was pointed to this article:
https://michaelhowardsecure.blog/2022/02/10/restricting-tls-1-2-ciphersuites-in-windows-using-powershell/

Do not try this on a production system please.

Regards,

Don

#IWorkForDell 
