UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)
The user is unable to access their APC Network Management Card (NMC) products via HTTPS (SSL/TLS) secured web access.
There are two parts to this issue, both of which occur when the user has their Network Management Card product configured for SSL (HTTPS).
- Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such vulnerability is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.
- TLS does not work on the current NMC products. Therefore, the NMC will fall back to SSLv3.0 and as such, be vulnerable to POODLE.
An example of this problem, shown via Firefox, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Firefox v34.0 installed. The user opens their web browser and types the IP address into address bar. The user is presented with the following error message:
Another example of this problem, via Internet Explorer, is below. A NetBotz Rack Monitor 200 (SKU# NBRK0201) is configured for HTTPS. The user has Internet Explorer v11.0 installed. The user opens their web browser and types the IP address into address bar. The user is presented with the following error message:
Another example of this problem, via Chrome, is below. An AP9631 Network Management Card is configured for HTTPS. The user has Chrome v39 installed. The user opens their web browser and types the IP address into the address bar. The user is presented with the following error message:
Browser error messages may include: ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ssl_error_no_cypher_overlap
Note: If you've receivedmozilla_pkix_error_inadequate_key_size, sec_error_invalid_key, or anything referring to invalid key size/length, please consider reviewing knowledge base article ID FA162031 as this may be due to a separate issue entirely or an additional issue.
- Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack Automatic Transfer Switches (AP77XX), Environmental Monitoring Units (AP9320, AP9340, NBRK0201), AP9921X Battery Management System, ACFXXX Rack Air Removal Unit, PDPMXXX Modular Power Distribution, AP9361 Rack Access PX-HID, and ACRCXXX, ACRPXXX, ACRDXXX, ACSCXXX, RACSCXXX Cooling Units (except ACDA901, ACRC301H, ACRC301S).
- Network Management Card 2 (NMC2) - AP9630/30CH, AP9631/31CH, AP9635/35CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), G50 AV Units, Smart-UPS Online (SRT), and ACDA901, ACRC301H, ACRC301S Cooling Units,
Any customer who uses any one of the products mentioned previously and:
- Configures their product for SSL (HTTPS).
- Uses a web browser version that does not allow for web access via SSLv3.0.
Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such example is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.
Current NMC products have an inability to properly utilize TLS extensions recently released in several modern browsers. With this inability, the NMC device is unable to connect to the browser via TLS. While future versions of the NMC1 devices will not update the underlying cryptology engine, NMC2 devices will be updated to work with current TLS specification and and operate properly with modern browsers.
A customer can avoid this problem either by utilizing other access methods on the Network Management Card or they can modify their web browser to allow SSLv3.0 usage (at their own discretion). Other access methods for the Network Management Card are as follows:
- Local console
- Web (HTTP)
Modifying a web browser to allow SSLv3.0 usage should be addressed by the user’s network security team or facility manager. Schneider Electric will not provide users with instructions on modifying web browser settings. Some users may be prohibited from enabling SSLv3.0 through their web browser.
Any of the following NMC1 products do not currently have any firm future firmware update plans to address this or any future vulnerabilities:
- AP9921X Battery Management System
- AP7750, AP7722, AP7701 Rack Automatic Transfer Switches
- AP9340, AP9320 Environmental Monitoring Units
- S20BLK A/V Power Conditioner & Battery Backup
- PDPMXXX Modular Power Distribution
- FM35XX Network Air, ACDA901, Stulz C7000
Details regarding firmware availability for Network Management Card 1 (NMC1) based products, providing TLS 1.0, are shown in the table below:
|NMC1 (AP9617/18/19/mini-NMC1) Application Name||Product(s) Firmware Application is used with||AOS Version with TLS Fix||Available Now?|
|px2||Symmetra PX 48/96/100/160 kVA embedded UPS brain||AOS v3.9.0 and higher||Yes|
|rpdu||AP7XXX series Rack PDU (ex. AP7941)||AOS v3.9.0 and higher||Yes|
|acrc||ACRCXXXX InRow Chilled Water (except ACRC3XXX)||AOS v3.9.0 and higher||Yes (via your local APC Cooling Support team)|
|g2ats||AP7XXX Rack Automatic Transfer Switch models except AP7701, AP7722, AP7750||AOS v3.9.0 and higher||Yes|
|acrp||ACRC5XX, ACRP1XX, ACRP5XX, ACRD5XX InRow RC, RP, RD||AOS v3.9.0 and higher||Yes (via your local APC Cooling Support team)|
|acsc||ACSC1XX InRow SC||AOS v3.9.0 and higher||Yes (via your local APC Cooling Support team)|
|raru||ACFXXX Rack Air Removal Unit||AOS v3.9.0 and higher||No|
|acrptk||ACRD1XX, ACRD2XX InRow RD||AOS v3.9.0 and higher||Yes (via your local APC Cooling Support team)|
|nb200||NetBotz 200 Rack Monitor (NBRK0201)||AOS v3.9.0 and higher||.Yes|
|pxhid||AP9361 Rack Access PX-HID||AOS v3.9.0 and higher||Yes|
Note: Certain browsers may also require setting changes to allow TLS 1.0 or TLS 1.0 fallback too, such as Firefox v37+. Schneider Electric will not provide step by step instructions for modfying web browser settings for liability reasons but if you're comfortable modifying settings at your own risk, security.tls.version.fallback-limit within Firefox will likely need to be changed from a default value of 3 (forcing TLS 1.2) to a value of 1 to allow fallback to TLS 1.0. This setting also sometimes resets itself between Firefox browser upgrades. Newer Chrome versions may require --ssl-version-fallback-min=tls1 to be appended to the program shortcut.
A fix to address this problem in the Network Management Card 2 (NMC2) and NMC2 enabled devices has been implemented. The release date will be determined on a product by product basis. See below for available updates for NMC2 firmware applications. These updates provide TLS 1.0, TLS 1.1 and TLS 1.2 functionality.
|NMC2 (AP9630/31/35/mini-NMC2) Application Name||Product(s) Firmware Application is used with||AOS Version with TLS Fix||Available Now?|
|sumx||1ph/3ph Smart-UPS, MGE Galaxy 3500, Matrix||AOS v6.4 and higher||Yes|
|sy||1ph Symmetra Power Array, Symmetra RM, Symmetra LX||AOS v6.4 and higher||Yes|
|rpdu2g||AP8XXX series Rack PDU 2G (ex. AP8941)||AOS v6.4 higher||Yes|
|sypx||Symmetra PX 250/500 kVA (w/AP9635 only)||AOS v6.3.2 and higher||Yes (via your local 3-phase technical support team)|
|sy3p||Symmetra PX 20/40/80 kVA|
Note: See knowledge base ID FA245145 for more compatibility details
|AOS v6.3.2 and higher||Yes|
|acrc2g||ACRC3XXX||AOS v6.3.2 and higher||No, pending release tentatively for end of Q3 2015.|
|unflrle||HDCV45XXX, HDCV50XXX, T(D/U)(A/D/E/T/W)VXXX Uniflair LE||TBD||No, pending release tentatively for Q2 2016.|
|g300||Galaxy 300||AOS 6.4 and higher||Yes|
Can this problem be confused with other error messages generated by the Network Management Card?
Yes, a user may receive different error messages relating to SSL/TLS when configuring or accessing their Network Management Card device. It is imperative that Schneider Electric and the user identify the exact error message that the user is receiving and confirm that it relates to this specific issue, related to SSLv3.0.
For example, similar symptoms could be experienced by the issue in knowledge base article ID FA162031 - Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bits(blocking key lengths less than 1024 bits)
Note: If there are any questions, problems, or concerns related to the content of this article, please contact your local technical support team for further assistance.
Released for:APC Canada