Hi HPE community,
I have a few suggestions on the SSL/TLS configuration of the HPE 1920S OfficeConnect Switch Series which I would like to share with HPE. I know, this is a community forum, but maybe this post is read by someone in the development team of that switch series and he/she takes a look into the issue.
There are a few security problems with the SSL/TLS (HTTPS) configuration on this particular switch series:
- Only Diffie-Hellman key exchange with 1024 bits is supported; this is considered very insecure. The switch should support at least 2048 bits for Diffie-Hellman key exchange, or it should support ECDHE (e.g. P-256).
- The switch supports ECC certificates (you can upload a certificate with P-256 as key type), but the cipher suite configured on the switch's webserver does not list any ECDSA cipher suite, so the handshake with a browser fails. In case you are adding ECDHE key exchange, please consider adding (at least some) ECDSA cipher suites as well (e.g. ECDHE-ECDSA-AES128-SHA256). This way, a user can upload and use ECC keys for HTTPS which would be nice to have.
I do not know which SSL/TLS library is used on the switch; in case OpenSSL is used, these changes should not be too difficult to implement.
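An added audit script (not part of the original post) that checks the two points raised above from a workstation with the `openssl` command line tool installed: it parses `openssl s_client` output for the negotiated suite and the ephemeral key size, then re-probes the switch offering only ECDHE suites and only ECDHE+ECDSA suites to see whether the handshake succeeds. The sample output and the host name are constructed assumptions.

```python
import re
import subprocess

MIN_DH_BITS = 2048  # threshold from the post: 1024-bit DH is the weak setting

# Constructed sample of the relevant `openssl s_client` output lines, mimicking a
# server that only offers 1024-bit DHE-RSA; used to exercise the parser offline.
SAMPLE_OUTPUT = """\
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
"""

def parse_s_client(output: str) -> dict:
    """Extract the negotiated suite and ephemeral key details from s_client output."""
    result = {"suite": None, "kx": None, "kx_bits": None, "weak_dh": False}
    m = re.search(r"Cipher is (\S+)", output)
    if m and m.group(1) != "(NONE)":  # "(NONE)" means no shared cipher suite
        result["suite"] = m.group(1)
    # Formats seen: "DH, 1024 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits"
    m = re.search(r"Server Temp Key: (\w+), (?:.*?, )?(\d+) bits", output)
    if m:
        result["kx"], result["kx_bits"] = m.group(1), int(m.group(2))
        result["weak_dh"] = result["kx"] == "DH" and result["kx_bits"] < MIN_DH_BITS
    return result

def probe(host: str, port: int = 443, ciphers: str = "ALL") -> dict:
    """Run one TLS 1.2 handshake offering only `ciphers` (OpenSSL cipher-string
    syntax) and parse the result. A missing suite means the server has no overlap."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host,
         "-tls1_2", "-cipher", ciphers],
        input="", capture_output=True, text=True, timeout=15)
    return parse_s_client(proc.stdout + proc.stderr)

def audit(host: str, port: int = 443) -> dict:
    """Default negotiation (DH size), then ECDHE-only and ECDHE+ECDSA-only probes."""
    return {
        "default": probe(host, port),
        "ecdhe_supported": probe(host, port, "ECDHE")["suite"] is not None,
        "ecdsa_supported": probe(host, port, "ECDHE+ECDSA")["suite"] is not None,
    }

if __name__ == "__main__":
    import json, sys
    # Assumed invocation: python audit_switch_tls.py switch.example.internal
    print(json.dumps(audit(sys.argv[1]), indent=2))
```

The ECDSA probe only succeeds once an ECC certificate has been uploaded to the switch, so run it after installing the P-256 certificate to confirm the server actually offers an ECDSA suite.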