Scanning hosts with weak old encryption #241

Aleksey-Maksimov opened this issue May 30, 2024 · 1 comment

Hello.

We have several devices on our network that use old, weak encryption. For example, old HP servers with iLO2 controllers where SHA-1 with RSA Encryption certificates are used. The problem is that when scanning, the x509 module detects only new iLO3, iLO4, iLO5 controllers and does not find controllers with iLO2.

This may be due to the fact that we are performing the scan from a new monitoring server on Debian 12 and there are some system SSL restrictions occurring. At the same time, we added options to the /etc/ssl/openssl.cnf file for working with the old encryption:

MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
Options = UnsafeLegacyRenegotiation

And that’s why some other things work successfully for us with the old encryption. For example, we have successful monitoring plugins that poll iLO2 controllers via HTTPS.

Please tell me how to diagnose and fix the problem with the x509 module and old encryption.

Aleksey-Maksimov commented May 31, 2024

Increasing the timeout in /library/X509/Job.php from 5.0 to 60.0 solved the problem and the old iLO2 modules began to be polled successfully.

Therefore, there are 2 wishes:

  1. Add to the global settings of the x509 module the ability to specify the tls request timeout in seconds (for the value in TimeoutConnector).

  2. Add to the global settings of the x509 module the ability to specify the minimum connection security level (Level 0 ... Level 5 according to https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html), i.e. add an additional security_level option to SecureConnector.

Thank you.
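As an added example (not code from the x509 module, nor from the issue author), a small Python probe that applies the same three settings the issue quotes from openssl.cnf (minimum TLS version, @SECLEVEL, legacy renegotiation) together with a configurable connect timeout, fetches the peer certificate and reports its signature algorithm, so a defender can confirm that such hosts are actually reachable by the scanner and inventory which of them still present SHA-1 certificates. `FAKE_SHA1_CERT` is a constructed DER skeleton for offline use, `WEAK_SIG_OIDS` is my own table, and `probe()` needs a real host to talk to.

```python
import socket
import ssl

WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",  # my own table, not the module's
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10040.4.3": "dsaWithSHA1"}
# Constructed DER skeleton: empty tbsCertificate, sha1WithRSAEncryption + NULL params, dummy signature.
FAKE_SHA1_CERT = bytes.fromhex("3015" "3000" "300d06092a864886f70d010105" "0500" "030200ff")

def der_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted form of an OBJECT IDENTIFIER value (first arc 0 or 1 assumed)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, start, _ = der_tlv(cert_der, 0)                    # outer SEQUENCE
    _, _, tbs_end = der_tlv(cert_der, start)              # skip tbsCertificate
    _, alg_start, _ = der_tlv(cert_der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = der_tlv(cert_der, alg_start)  # its algorithm OID
    return decode_oid(cert_der[oid_start:oid_end])

def weak_signature(cert_der):
    """Name of a weak signature algorithm, or None when the cert's algorithm is not in the table."""
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def legacy_context(security_level=0, min_version=ssl.TLSVersion.TLSv1):
    """Client context equivalent to the three openssl.cnf lines quoted in the issue."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # fetch the cert, do not validate it
    ctx.minimum_version = min_version                            # MinProtocol = TLSv1
    ctx.set_ciphers(f"DEFAULT:@SECLEVEL={security_level}")       # CipherString = DEFAULT:@SECLEVEL=0
    ctx.options |= getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)  # Options = UnsafeLegacyRenegotiation
    return ctx

def probe(host, port=443, timeout=60.0, context=None):
    """Fetch the peer's DER certificate; the timeout mirrors the Job.php change from 5.0 to 60.0 seconds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with (context or legacy_context()).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

A host that answers only with `legacy_context()` and a long timeout, but not with the defaults, is exactly the kind the scanner in the issue was missing; `weak_signature(probe(host))` then tells you whether it is also one to schedule for certificate replacement.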
