UPDATE: Since writing this article in November it does not appear this fix works anymore. I am guessing the AES/3DES ciphers have been deprecated in modern browsers. I can confirm David’s comment using Internet Explorer mode in Microsoft Edge does work.
To enable IE mode, launch edge and type edge://settings/defaultBrowser in the address bar. From the Allow sites to be reloaded in Internet Explorer mode drop-down, select Allow.
Navigate to your iLO URL, select the three dots in the top right (Settings), and pick Reload in Internet Explorer mode from the menu. Edge will remember this setting on each subsequent visit.
If you are trying to connect a modern browser such as Microsoft Edge to HPe’s Integrated Lights Out 3 (iLO 3) management interface, you may receive the following error and be blocked from accessing the iLO webpage.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client or server don't support a common SSL protocol version or cipher suite.
To resolve this error, I recommend ensuring you are on the latest iLO 3 firmware from HPe. At the time of writing, 1.94 was the latest HPe firmware for iLO 3 (released Dec 17, 2020). Firmware can be updated in several ways, including uploading the BIN file via the iLO webpage or online from any number of operating systems, including Windows, Linux, and VMware. Also, refer to the HPe documentation on how to upgrade your firmware.
Once you have the latest firmware, log into the iLO webpage from an older browser, such as Internet Explorer. Then, from the left navigation menu, expand Administration and select Security.
From the Security page, select the Encryption tab.
Then, under the Encryption Enforcement Settings section, toggle the Enforce AES/3DES Encryption dropdown to Enabled.
Click Apply.
Once you have applied this setting, you should then be able to connect to iLO with any modern web browser including Microsoft Edge.
Have you run into this error before? What did you do to fix it? Drop a comment below or join the conversation on Twitter @SuperTekBoy.
Works for me using current Firefox, and security.tls.version.min set to 2.
I can even use the Java Remote Console using Web Start.
Thank you all, I wasted so much time on this. The IE solution in Edge works best for me because on Win 11 I have the .Net Framework installed, which allows me to do remote console. HUGE THANK YOU!
just bumping here as there is a really simple solution to this… sorry if its been posted
On ANY version of firefox:
enter “about:config” as your url
Accept warnings
Search for “tls”
change “security.tls.version.enable-deprecated” to “true”
possibly change “security.tls.version.min” to “1” or “1.2” but probably best not too
Enjoy
Thanks dude, that was the solution in my use case.
Windows 10>control panel>internet options>advanced – scroll down to the Security section and turn on tls 1.0 1.2…etc whatever is needed. Then run ILO from edge browser – should now work…will still get a warning “this is not a secure site” as you should…next click on ‘more information’ arrow and then click “go to the webpage (not recomm..). This should let you access older versions of hpe ilo from the MS edge browser
i navigate to the page like in the screenshot and this use to work for me before i didnt use my server for a while and had to reset the ilo, however now the setting is greyed out in the box and it wont let me click it to disable it even though i have admin perms
In Firefox “about:config”, set “security.tls.version.min” to 2 to re-enable TLS 1.1. (Set it to 1 for TLS 1.0 if needed for ILO 2 or something else.)
this will get you in to ILO but not able to run remote console with out MS edge for the first two remote console choices and the other two choices are not worth using…..IMO
Setting security.tls.version.enable-deprecated=true made it work for me in Firefox 103.0.2 on Linux.
Hi all,
Since writing this article in November it does not appear this fix works anymore. I am guessing even the AES/3DES ciphers have now been deprecated in modern browsers.
That said, I can confirm David’s recommendation of using Microsoft Edge, and launching the iLO site in Internet Explorer Mode does work. I will update the article with his recommendation in the coming days.
Anyone found a fix for this? Chrome never worked and now Firefox with the latest update won’t allow access anymore. Tried the settings above to no avail. The only way to get HTTP access is via my iPhone!
I’ve got two DL380 G7’s with iLO3 and the latest 1.94 firmware. I’ve forced AES/3DES and cannot connect to them with Edge anymore. I get a ‘ERR_SSL_VERSION_OR_CIPHER_MISMATCH’ error. I can open them in IE still. I know G7’s are EoL but it would be nice if HP would fix this.
Hi Andrew,
Looks like you are using the exact same server, iLO, and firmware I have.
Are you using the latest version of Edge? Once you made the change, did you log out, close all Edge browsers, and log back in?
Can anyone direct me how ot enable HTTP management? Currently the HTTP address is redirecting to HTTPS and I cant locate the setting to adjust this. My ILO is for internal lab use only so I dont care about HTTP vs HTTPS.
I am having the exact same issue. Same server model, firmware, etc. Ran the fix and tried Bjorn’s suggested command below, but the SSH console said the setting was already configured that way.
yup..same issue
UPDATE – I found when using MS Edge, if I use the three dots in the top right and choose “open in internet explorer mode” then it works as expected.
Unrelated, has anyone found a way to use the ILO remote console without the timeout due to not having a valid license?
Thanks for the tip David on the Internet Explorer mode.
I cant seem to find internet explorer mode in Edge … is that not included on macOS version of Edge?
Hai
If you run into this issue and yout unable to login to the https and http is disabeld conttect using ssh and run this command :
set /map1/config1 oemhp_enforce_aes=yes
thanks!
Thanks for the great tip Bjorn!
“conttect using ssh and run this command”
How can I do this?
Thanks
If you are running ILO3 1.94, you can just SSH via port 22. It takes about a minute for it to ask for creds though, at least if you are doing it via putty.
Unfortunately, this still does not fix the “ERR_SSL_VERSION_OR_CIPHER_MISMATCH” error on any modern browsers as it forces the cipher to be “DHE_RSA_WITH_AES_128_CBC_SHA”, which is not quite good enough anymore. More information on that here: https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_CBC_SHA/
Thankfully I have an old version of Firefox 45 ESR lying around which works fine when trying to manage via HTTPS.
This is the only solution right now. At least for me… Downloaded a portable version of firefox 45. Thank you.