UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)

Issue

The user is unable to access their APC Network Management Card (NMC) products via HTTPS (SSL/TLS) secured web access.

There are two parts to this issue, both of which occur when the user has their Network Management Card product configured for SSL (HTTPS).
  1. Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such vulnerability is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf).  TLSv1.0, at a minimum, is the advised protocol.
  2. TLS does not work on the current NMC products. Therefore, the NMC will fall back to SSLv3.0 and, as such, be vulnerable to POODLE.

Examples:
An example of this problem, shown via Firefox, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Firefox v34.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
[Image: web unable to connect]

Another example of this problem, via Internet Explorer, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Internet Explorer v11.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
[Image: web unable to connect]

Another example of this problem, via Chrome, is below. An AP9631 Network Management Card is configured for HTTPS. The user has Chrome v39 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
[Image: web unable to connect]


Browser error messages may include: ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ssl_error_no_cypher_overlap


Note: If you've received mozilla_pkix_error_inadequate_key_size, sec_error_invalid_key, or anything referring to invalid key size/length, please consider reviewing knowledge base article ID FA162031, as this may be due to a separate issue entirely or an additional issue.



Product Line
  • Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
    Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack Automatic Transfer Switches (AP77XX), Environmental Monitoring Units (AP9320, AP9340, NBRK0201), AP9921X Battery Management System, ACFXXX Rack Air Removal Unit, PDPMXXX Modular Power Distribution, AP9361 Rack Access PX-HID, and ACRCXXX, ACRPXXX, ACRDXXX, ACSCXXX, RACSCXXX Cooling Units (except ACDA901, ACRC301H, ACRC301S).
  • Network Management Card 2 (NMC2) - AP9630/30CH, AP9631/31CH, AP9635/35CH
    Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), G50 AV Units, Smart-UPS Online (SRT), and ACDA901, ACRC301H, ACRC301S Cooling Units.

Environment

Any customer who uses any one of the products mentioned previously and:
  • Configures their product for SSL (HTTPS).
  • Uses a web browser version that does not allow for web access via SSLv3.0.
Note: HTTP users are not affected. If you have not enabled HTTPS (SSL), web browsing will work normally.


Cause

Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such example is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

Current NMC products are unable to properly handle the TLS extensions recently introduced in several modern browsers. Because of this, the NMC device is unable to connect to the browser via TLS. While future versions of the NMC1 devices will not update the underlying cryptology engine, NMC2 devices will be updated to work with the current TLS specification and operate properly with modern browsers.


Resolution

A customer can avoid this problem either by using other access methods on the Network Management Card or by modifying their web browser to allow SSLv3.0 usage (at their own discretion). Other access methods for the Network Management Card are as follows:
  • Local console
  • Web (HTTP)
  • Telnet/SSH
  • SNMPv1/v3

Modifying a web browser to allow SSLv3.0 usage should be addressed by the user’s network security team or facility manager. Schneider Electric will not provide users with instructions on modifying web browser settings. Some users may be prohibited from enabling SSLv3.0 through their web browser.

The following NMC1 products do not currently have any firm plans for future firmware updates to address this or any future vulnerabilities:
  • AP9921X Battery Management System
  • AP7750, AP7722, AP7701 Rack Automatic Transfer Switches
  • AP9340, AP9320 Environmental Monitoring Units
  • S20BLK A/V Power Conditioner & Battery Backup
  • PDPMXXX Modular Power Distribution
  • FM35XX Network Air, ACDA901, Stulz C7000



Details regarding firmware availability for Network Management Card 1 (NMC1) based products, providing TLS 1.0, are shown in the table below:

| NMC1 (AP9617/18/19/mini-NMC1) Application Name | Product(s) Firmware Application is used with | AOS Version with TLS Fix | Available Now? |
|---|---|---|---|
| px2 | Symmetra PX 48/96/100/160 kVA embedded UPS brain | AOS v3.9.0 and higher | Yes |
| rpdu | AP7XXX series Rack PDU (ex. AP7941) | AOS v3.9.0 and higher | Yes |
| acrc | ACRCXXXX InRow Chilled Water (except ACRC3XXX) | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| g2ats | AP7XXX Rack Automatic Transfer Switch models except AP7701, AP7722, AP7750 | AOS v3.9.0 and higher | Yes |
| acrp | ACRC5XX, ACRP1XX, ACRP5XX, ACRD5XX InRow RC, RP, RD | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| acsc | ACSC1XX InRow SC | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| raru | ACFXXX Rack Air Removal Unit | AOS v3.9.0 and higher | No |
| acrptk | ACRD1XX, ACRD2XX InRow RD | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| nb200 | NetBotz 200 Rack Monitor (NBRK0201) | AOS v3.9.0 and higher | Yes |
| pxhid | AP9361 Rack Access PX-HID | AOS v3.9.0 and higher | Yes |

Note: Certain browsers, such as Firefox v37+, may also require setting changes to allow TLS 1.0 or TLS 1.0 fallback. Schneider Electric will not provide step-by-step instructions for modifying web browser settings for liability reasons, but if you're comfortable modifying settings at your own risk, security.tls.version.fallback-limit within Firefox will likely need to be changed from a default value of 3 (forcing TLS 1.2) to a value of 1 to allow fallback to TLS 1.0. This setting also sometimes resets itself between Firefox browser upgrades. Newer Chrome versions may require --ssl-version-fallback-min=tls1 to be appended to the program shortcut.


A fix to address this problem in the Network Management Card 2 (NMC2) and NMC2 enabled devices has been implemented. The release date will be determined on a product by product basis. See below for available updates for NMC2 firmware applications. These updates provide TLS 1.0, TLS 1.1 and TLS 1.2 functionality.
| NMC2 (AP9630/31/35/mini-NMC2) Application Name | Product(s) Firmware Application is used with | AOS Version with TLS Fix | Available Now? |
|---|---|---|---|
| sumx | 1ph/3ph Smart-UPS, MGE Galaxy 3500, Matrix | AOS v6.4 and higher | Yes |
| sy | 1ph Symmetra Power Array, Symmetra RM, Symmetra LX | AOS v6.4 and higher | Yes |
| rpdu2g | AP8XXX series Rack PDU 2G (ex. AP8941) | AOS v6.4 and higher | Yes |
| sypx | Symmetra PX 250/500 kVA (w/AP9635 only) | AOS v6.3.2 and higher | Yes (via your local 3-phase technical support team) |
| sy3p | Symmetra PX 20/40/80 kVA (Note: See knowledge base ID FA245145 for more compatibility details) | AOS v6.3.2 and higher | Yes |
| acrc2g | ACRC3XXX | AOS v6.3.2 and higher | No, pending release tentatively for end of Q3 2015. |
| unflrle | HDCV45XXX, HDCV50XXX, T(D/U)(A/D/E/T/W)VXXX Uniflair LE | TBD | No, pending release tentatively for Q2 2016. |
| g300 | Galaxy 300 | AOS 6.4 and higher | Yes |
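The following Python check is an added example, not part of the original article or any Schneider Electric tooling. It lets an administrator confirm which protocol version their own NMC selects before and after a firmware update by sending an extension-free ClientHello for each version and reading the reply. The cipher-suite list, port 443 and all function names are assumptions.

```python
import os
import socket
import struct
import sys

VERSIONS = {0x0300: "SSLv3.0", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Legacy RSA suites (RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA); an assumed list, not from the article.
CIPHERS = (0x0005, 0x000A, 0x002F, 0x0035)

def client_hello(max_version: int) -> bytes:
    """Build a minimal, extension-free ClientHello offering max_version as the highest version."""
    body = struct.pack("!H", max_version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(CIPHERS)) + b"".join(struct.pack("!H", c) for c in CIPHERS)
    body += b"\x01\x00"                                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, min(max_version, 0x0301), len(handshake)) + handshake

def parse_reply(data: bytes) -> str:
    """Classify the first record of the server's reply."""
    if len(data) < 5:
        return "no reply"
    ctype, _, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:                           # alert record: level, description
        return f"refused (alert {payload[1]})"
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:    # handshake type 2 = ServerHello
        chosen = struct.unpack("!H", payload[4:6])[0]                 # server_version follows the 4-byte header
        return VERSIONS.get(chosen, hex(chosen))
    return "unrecognised reply"

def probe(host: str, max_version: int, port: int = 443, timeout: float = 5.0) -> str:
    """Send one ClientHello to host:port and report the version the server selects."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(max_version))
            while len(data) < 11:                                     # enough bytes to reach server_version
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass                                                          # refused, reset or timed out: classify what arrived
    return parse_reply(data)

if __name__ == "__main__" and len(sys.argv) > 1:
    for ver, name in sorted(VERSIONS.items()):                        # usage: python script.py <NMC address>
        print(f"offered {name}: {probe(sys.argv[1], ver)}")
```

Per the tables above, an updated NMC1 should answer a TLSv1.2 offer with TLSv1.0, and an updated NMC2 should answer with TLSv1.2. A card that still answers an SSLv3.0 offer with SSLv3.0 has that protocol enabled.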








Can this problem be confused with other error messages generated by the Network Management Card?

Yes, a user may receive different error messages relating to SSL/TLS when configuring or accessing their Network Management Card device. It is imperative that Schneider Electric and the user identify the exact error message that the user is receiving and confirm that it relates to this specific SSLv3.0 issue.

For example, similar symptoms could be experienced with the issue in knowledge base article ID FA162031 - Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bits.


Note: If there are any questions, problems, or concerns related to the content of this article, please contact your local technical support team for further assistance.

Schneider Electric Belgium
