UPDATED MARCH-2016: Unable to access my APC Network Management Card (NMC) enabled device via HTTPS (SSL/TLS)

Issue

The user is unable to access their APC Network Management Card (NMC) products via HTTPS (SSL/TLS) secured web access.

There are two parts to this issue, both of which occur when the user has their Network Management Card product configured for SSL (HTTPS).

1. Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such vulnerability is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf).  TLSv1.0, at a minimum, is the advised protocol.

2. TLS does not work on the current NMC products.  Therefore, the NMC will fall back to SSLv3.0 and as such, be vulnerable to POODLE.

Examples:


Browser error messages may include: ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION, ssl_error_no_cypher_overlap


Note: If you've receivedmozilla_pkix_error_inadequate_key_size, sec_error_invalid_key, or anything referring to invalid key size/length, please consider reviewing knowledge base article ID FA162031 as this may be due to a separate issue entirely or an additional issue.



Product Line

• Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
  Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack Automatic Transfer Switches (AP77XX), Environmental Monitoring Units (AP9320, AP9340, NBRK0201), AP9921X Battery Management System, ACFXXX Rack Air Removal Unit, PDPMXXX Modular Power Distribution, AP9361 Rack Access PX-HID, and ACRCXXX, ACRPXXX, ACRDXXX, ACSCXXX, RACSCXXX Cooling Units (except ACDA901, ACRC301H, ACRC301S).

• Network Management Card 2 (NMC2) - AP9630/30CH, AP9631/31CH, AP9635/35CH
  Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP84XX, AP86XX, AP88XX, AP89XX), G50 AV Units, Smart-UPS Online (SRT), and ACDA901, ACRC301H, ACRC301S Cooling Units,

Environment

Any customer who uses any one of the products mentioned previously and:

• Configures their product for SSL (HTTPS).
• Uses a web browser version that does not allow for web access via SSLv3.0.

Note: HTTP users are not affected. Meaning, if you have not enabled HTTPS (SSL), web browsing will work normally.


Cause

Companies such as Microsoft, Mozilla, and Google are disabling SSLv3.0 in their browser products due to numerous security vulnerabilities that exist. One such example is POODLE (https://www.openssl.org/~bodo/ssl-poodle.pdf). TLSv1.0, at a minimum, is the advised protocol.

Current NMC products have an inability to properly utilize TLS extensions recently released in several modern browsers. With this inability, the NMC device is unable to connect to the browser via TLS. While future versions of the NMC1 devices will not update the underlying cryptology engine, NMC2 devices will be updated to work with current TLS specification and and operate properly with modern browsers.


Resolution

A customer can avoid this problem either by utilizing other access methods on the Network Management Card or they can modify their web browser to allow SSLv3.0 usage (at their own discretion). Other access methods for the Network Management Card are as follows:

• Local console
• Web (HTTP)
• Telnet/SSH
• SNMPv1/v3

Modifying a web browser to allow SSLv3.0 usage should be addressed by the user’s network security team or facility manager. Schneider Electric will not provide users with instructions on modifying web browser settings. Some users may be prohibited from enabling SSLv3.0 through their web browser.

Any of the following NMC1 products do not currently have any firm future firmware update plans to address this or any future vulnerabilities:

• AP9921X Battery Management System
• AP7750, AP7722, AP7701 Rack Automatic Transfer Switches
• AP9340, AP9320 Environmental Monitoring Units
• S20BLK A/V Power Conditioner & Battery Backup
• PDPMXXX Modular Power Distribution
• FM35XX Network Air, ACDA901, Stulz C7000

Details regarding firmware availability for Network Management Card 1 (NMC1) based products, providing TLS 1.0, are shown in the table below:

NMC1 (AP9617/18/19/mini-NMC1) Application Name	Product(s) Firmware Application is used with	AOS Version with TLS Fix	Available Now?
px2	Symmetra PX 48/96/100/160 kVA embedded UPS brain	AOS v3.9.0 and higher	Yes
rpdu	AP7XXX series Rack PDU (ex. AP7941)	AOS v3.9.0 and higher	Yes
acrc	ACRCXXXX InRow Chilled Water (except ACRC3XXX)	AOS v3.9.0 and higher	Yes (via your local APC Cooling Support team)
g2ats	AP7XXX Rack Automatic Transfer Switch models except AP7701, AP7722, AP7750	AOS v3.9.0 and higher	Yes
acrp	ACRC5XX, ACRP1XX, ACRP5XX, ACRD5XX InRow RC, RP, RD	AOS v3.9.0 and higher	Yes (via your local APC Cooling Support team)
acsc	ACSC1XX InRow SC	AOS v3.9.0 and higher	Yes (via your local APC Cooling Support team)
raru	ACFXXX Rack Air Removal Unit	AOS v3.9.0 and higher	No
acrptk	ACRD1XX, ACRD2XX InRow RD	AOS v3.9.0 and higher	Yes (via your local APC Cooling Support team)
nb200	NetBotz 200 Rack Monitor (NBRK0201)	AOS v3.9.0 and higher	.Yes
pxhid	AP9361 Rack Access PX-HID	AOS v3.9.0 and higher	Yes

Note: Certain browsers may also require setting changes to allow TLS 1.0 or TLS 1.0 fallback too, such as Firefox v37+. Schneider Electric will not provide step by step instructions for modfying web browser settings for liability reasons but if you're comfortable modifying settings at your own risk, security.tls.version.fallback-limit within Firefox will likely need to be changed from a default value of 3 (forcing TLS 1.2) to a value of 1 to allow fallback to TLS 1.0. This setting also sometimes resets itself between Firefox browser upgrades. Newer Chrome versions may require --ssl-version-fallback-min=tls1 to be appended to the program shortcut.


A fix to address this problem in the Network Management Card 2 (NMC2) and NMC2 enabled devices has been implemented. The release date will be determined on a product by product basis. See below for available updates for NMC2 firmware applications. These updates provide TLS 1.0, TLS 1.1 and TLS 1.2 functionality.

NMC2 (AP9630/31/35/mini-NMC2) Application Name	Product(s) Firmware Application is used with	AOS Version with TLS Fix	Available Now?
sumx	1ph/3ph Smart-UPS, MGE Galaxy 3500, Matrix	AOS v6.4 and higher	Yes
sy	1ph Symmetra Power Array, Symmetra RM, Symmetra LX	AOS v6.4 and higher	Yes
rpdu2g	AP8XXX series Rack PDU 2G (ex. AP8941)	AOS v6.4 higher	Yes
sypx	Symmetra PX 250/500 kVA (w/AP9635 only)	AOS v6.3.2 and higher	Yes (via your local 3-phase technical support team)
sy3p	Symmetra PX 20/40/80 kVA Note: See knowledge base ID FA245145 for more compatibility details	AOS v6.3.2 and higher	Yes
acrc2g	ACRC3XXX	AOS v6.3.2 and higher	No, pending release tentatively for end of Q3 2015.
unflrle	HDCV45XXX, HDCV50XXX, T(D/U)(A/D/E/T/W)VXXX Uniflair LE	TBD	No, pending release tentatively for Q2 2016.
g300	Galaxy 300	AOS 6.4 and higher	Yes

Can this problem be confused with other error messages generated by the Network Management Card?

Yes, a user may receive different error messages relating to SSL/TLS when configuring or accessing their Network Management Card device.  It is imperative that Schneider Electric and the user identify the exact error message that the user is receiving and confirm that it relates to this specific issue, related to SSLv3.0.

For example, similar symptoms could be experienced by the issue in knowledge base article ID FA162031 - Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Internet Explorer and other web browsers blocking key lengths less than 1024 bits​(blocking key lengths less than 1024 bits)


Note: If there are any questions, problems, or concerns related to the content of this article, please contact your local technical support team for further assistance.

Released for:Schneider Electric USA