UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)


Issue

The user is unable to access their APC Network Management Card (NMC) products via HTTPS (SSL/TLS) secured web access.

There are two parts to this issue, both of which occur when the user has their Network Management Card product configured for SSL (HTTPS).
  1. Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such vulnerability is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

  2. TLS does not work on the current NMC products. Therefore, the NMC will fall back to SSLv3.0 and, as such, be vulnerable to POODLE.

Examples:
 
An example of this problem, shown via Firefox, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Firefox v34.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
 

Another example of this problem, via Internet Explorer, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Internet Explorer v11.0 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
 

Another example of this problem, via Chrome, is below. An AP9631 Network Management Card is configured for HTTPS. The user has Chrome v39 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
 


Browser error messages may include: ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ssl_error_no_cypher_overlap


Note: If you've received mozilla_pkix_error_inadequate_key_size, sec_error_invalid_key, or anything referring to invalid key size/length, please consider reviewing knowledge base article ID FA162031 as this may be due to a separate issue entirely or an additional issue.



Product Line
 
  • Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
    Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack Automatic Transfer Switches (AP77XX), Environmental Monitoring Units (AP9320, AP9340, NBRK0201), AP9921X Battery Management System, ACFXXX Rack Air Removal Unit, PDPMXXX Modular Power Distribution, AP9361 Rack Access PX-HID, and ACRCXXX, ACRPXXX, ACRDXXX, ACSCXXX, RACSCXXX Cooling Units (except ACDA901, ACRC301H, ACRC301S).
 
  • Network Management Card 2 (NMC2) - AP9630/30CH, AP9631/31CH, AP9635/35CH
    Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), G50 AV Units, Smart-UPS Online (SRT), and ACDA901, ACRC301H, ACRC301S Cooling Units.

Environment

Any customer who uses any one of the products mentioned previously and:
  • Configures their product for SSL (HTTPS).
  • Uses a web browser version that does not allow for web access via SSLv3.0.
Note: HTTP users are not affected. If you have not enabled HTTPS (SSL), web browsing will work normally.


Cause

Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such example is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

Current NMC products cannot properly handle the TLS extensions recently introduced in several modern browsers. As a result, the NMC device is unable to connect to the browser via TLS. While future versions of the NMC1 devices will not update the underlying cryptology engine, NMC2 devices will be updated to work with the current TLS specification and operate properly with modern browsers.
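One way to confirm which protocol version a card actually negotiates, for instance before and after a firmware update, is to send it an extension-less ClientHello and read the version out of the ServerHello. This is an added example, not Schneider Electric code; the function names, the offered cipher suite list and the sample replies used to exercise it are constructed for illustration.

```python
import os
import socket
import struct

VERSIONS = {(3, 0): "SSLv3.0", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
CIPHER_SUITES = (0x002F, 0x0035, 0x000A)  # assumed list, chosen for this example

def build_client_hello(version):
    """Extension-less ClientHello offering `version` as the highest protocol."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Return (kind, detail) for the first record of a server's reply."""
    if len(data) < 7:
        return ("error", "short or empty reply")
    if data[0] == 21:                                   # alert record: level, description
        return ("alert", f"level={data[5]} description={data[6]}")
    if data[0] == 22 and len(data) >= 11 and data[5] == 2:  # handshake record, ServerHello
        ver = (data[9], data[10])                       # server_version chosen by the device
        return ("server_hello", VERSIONS.get(ver, f"unknown {ver}"))
    return ("error", f"unexpected record type {data[0]}")

def probe(host, port=443, version=(3, 3), timeout=5.0):
    """Send one ClientHello to an NMC on your network and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        return classify_response(s.recv(4096))

def audit(reply_by_offer):
    """Summarise {offered_version: (kind, detail)} results for one device."""
    negotiated = {d for k, d in reply_by_offer.values() if k == "server_hello"}
    if negotiated and negotiated <= {"SSLv3.0"}:
        return "SSLv3.0 only: browsers that disabled SSLv3.0 cannot connect"
    if negotiated:
        return "TLS available: " + ", ".join(sorted(negotiated))
    return "no handshake completed"
```

A card that answers a TLS 1.2 offer with an SSLv3.0 ServerHello is in the state this article describes; after a firmware update that includes the TLS fix, the same probe should report TLSv1.0 or higher.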


Resolution

A customer can avoid this problem either by using other access methods on the Network Management Card or by modifying their web browser to allow SSLv3.0 usage (at their own discretion). Other access methods for the Network Management Card are as follows:
  • Local console
  • Web (HTTP)
  • Telnet/SSH
  • SNMPv1/v3

Modifying a web browser to allow SSLv3.0 usage should be addressed by the user’s network security team or facility manager. Schneider Electric will not provide users with instructions on modifying web browser settings. Some users may be prohibited from enabling SSLv3.0 through their web browser.

The following NMC1 products do not currently have any firm plans for a future firmware update to address this or any future vulnerabilities:
  • AP9921X Battery Management System
  • AP7750, AP7722, AP7701 Rack Automatic Transfer Switches
  • AP9340, AP9320 Environmental Monitoring Units
  • S20BLK A/V Power Conditioner & Battery Backup
  • PDPMXXX Modular Power Distribution
  • FM35XX Network Air, ACDA901, Stulz C7000



Details regarding firmware availability for Network Management Card 1 (NMC1) based products, providing TLS 1.0, are shown in the table below:

 
NMC1 (AP9617/18/19/mini-NMC1)

| Application Name | Product(s) Firmware Application is used with | AOS Version with TLS Fix | Available Now? |
|---|---|---|---|
| px2 | Symmetra PX 48/96/100/160 kVA embedded UPS brain | AOS v3.9.0 and higher | Yes |
| rpdu | AP7XXX series Rack PDU (ex. AP7941) | AOS v3.9.0 and higher | Yes |
| acrc | ACRCXXXX InRow Chilled Water (except ACRC3XXX) | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| g2ats | AP7XXX Rack Automatic Transfer Switch models except AP7701, AP7722, AP7750 | AOS v3.9.0 and higher | Yes |
| acrp | ACRC5XX, ACRP1XX, ACRP5XX, ACRD5XX InRow RC, RP, RD | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| acsc | ACSC1XX InRow SC | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| raru | ACFXXX Rack Air Removal Unit | AOS v3.9.0 and higher | No |
| acrptk | ACRD1XX, ACRD2XX InRow RD | AOS v3.9.0 and higher | Yes (via your local APC Cooling Support team) |
| nb200 | NetBotz 200 Rack Monitor (NBRK0201) | AOS v3.9.0 and higher | Yes |
| pxhid | AP9361 Rack Access PX-HID | AOS v3.9.0 and higher | Yes |
 

Note: Certain browsers, such as Firefox v37+, may also require setting changes to allow TLS 1.0 or TLS 1.0 fallback. Schneider Electric will not provide step-by-step instructions for modifying web browser settings for liability reasons, but if you're comfortable modifying settings at your own risk, security.tls.version.fallback-limit within Firefox will likely need to be changed from a default value of 3 (forcing TLS 1.2) to a value of 1 to allow fallback to TLS 1.0. This setting also sometimes resets itself between Firefox browser upgrades. Newer Chrome versions may require --ssl-version-fallback-min=tls1 to be appended to the program shortcut.


A fix to address this problem in the Network Management Card 2 (NMC2) and NMC2 enabled devices has been implemented. The release date will be determined on a product by product basis. See below for available updates for NMC2 firmware applications. These updates provide TLS 1.0, TLS 1.1 and TLS 1.2 functionality. 
 
 
NMC2 (AP9630/31/35/mini-NMC2)

| Application Name | Product(s) Firmware Application is used with | AOS Version with TLS Fix | Available Now? |
|---|---|---|---|
| sumx | 1ph/3ph Smart-UPS, MGE Galaxy 3500, Matrix | AOS v6.4 and higher | Yes |
| sy | 1ph Symmetra Power Array, Symmetra RM, Symmetra LX | AOS v6.4 and higher | Yes |
| rpdu2g | AP8XXX series Rack PDU 2G (ex. AP8941) | AOS v6.4 and higher | Yes |
| sypx | Symmetra PX 250/500 kVA (w/AP9635 only) | AOS v6.3.2 and higher | Yes (via your local 3-phase technical support team) |
| sy3p | Symmetra PX 20/40/80 kVA (Note: See knowledge base ID FA245145 for more compatibility details) | AOS v6.3.2 and higher | Yes |
| acrc2g | ACRC3XXX | AOS v6.3.2 and higher | No, pending release tentatively for end of Q3 2015. |
| unflrle | HDCV45XXX, HDCV50XXX, T(D/U)(A/D/E/T/W)VXXX Uniflair LE | TBD | No, pending release tentatively for Q2 2016. |
| g300 | Galaxy 300 | AOS 6.4 and higher | Yes |








Can this problem be confused with other error messages generated by the Network Management Card?

Yes, a user may receive different error messages relating to SSL/TLS when configuring or accessing their Network Management Card device.  It is imperative that Schneider Electric and the user identify the exact error message that the user is receiving and confirm that it relates to this specific issue, related to SSLv3.0.

For example, similar symptoms could be experienced by the issue in knowledge base article ID FA162031 - Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bits.


Note: If there are any questions, problems, or concerns related to the content of this article, please contact your local technical support team for further assistance.

 