Comment 11 for bug 1916860

Jarrod Johnson (jbjohnso) wrote:

bmc_config.py is incorrect.

It assumes that the index into the string is equal to the cipher suite id.

In reality, the cipher suites that are implemented indicate the mapping from that string to cipher.

In Lenovo's case, we removed cipher suite 0 as it is unacceptably insecure and cannot be hardened:

RMCP+ Cipher Suites : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

So when bmc_config.py thinks it's being helpful disabling cipher suite 2, it is disabling cipher suite 3 (and also is force enabling cipher suite 4, a relatively less secure cipher suite).

As an aside, note that cipher suites apart from cipher suite 0 are only particularly insecure if someone explicitly uses them. Having them be passively available doesn't actually constitute a significant risk. They all require knowledge of the password or a crackable password (RAKP-1 offers a challenge first, so offline attack is possible against even the strongest cipher suites) before they can be activated.
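Added illustration of the index-versus-id mismatch described in the comment above. This is example code written for this page, not ironic's bmc_config.py and not code from the commenter; the function names, the privilege-string convention (one character per reported suite, `X` meaning unused, `a` meaning admin) and the parsing of the `RMCP+ Cipher Suites` line are assumptions for the example. The two sample lines are constructed: one matches the Lenovo list quoted above, the other a BMC that still reports suite 0.

```python
"""Model of the cipher_privs index/id confusion (hypothetical, not ironic code)."""
from typing import Iterable, List, Set

# Constructed sample: BMC that removed suite 0, as in the Lenovo example.
SAMPLE_LENOVO_LINE = "RMCP+ Cipher Suites : 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16"
# Constructed sample: BMC that still exposes suite 0, so position == id.
SAMPLE_FULL_LINE = "RMCP+ Cipher Suites : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16"


def parse_supported_suites(line: str) -> List[int]:
    """Return the cipher suite ids the BMC reports, in reported order.

    Positional privilege strings apply to this order, not to the raw id.
    """
    _, _, value = line.partition(":")
    return [int(tok) for tok in value.split(",") if tok.strip()]


def index_matches_id(supported: Iterable[int]) -> bool:
    """Check whether position i in the reported list is really suite i.

    Only when this holds is it safe to treat a string index as a suite id.
    """
    return all(pos == sid for pos, sid in enumerate(supported))


def cipher_privs_by_index(supported: List[int], disable_ids: Set[int]) -> str:
    """Buggy approach: assumes the character at position i governs suite i.

    Writes 'X' at position == id, regardless of which suite sits there.
    """
    return "".join(
        "X" if pos in disable_ids else "a" for pos in range(len(supported))
    )


def cipher_privs_by_id(supported: List[int], disable_ids: Set[int]) -> str:
    """Correct approach: position i governs supported[i].

    Looks up each reported suite id and writes 'X' where that id is
    in the disable set, so the mapping comes from the BMC's own list.
    """
    return "".join("X" if sid in disable_ids else "a" for sid in supported)


def suites_actually_disabled(supported: List[int], privs: str) -> List[int]:
    """Interpret a privilege string the way the BMC does: per position."""
    return [sid for sid, ch in zip(supported, privs) if ch == "X"]


if __name__ == "__main__":
    lenovo = parse_supported_suites(SAMPLE_LENOVO_LINE)
    wanted = {2}
    buggy = cipher_privs_by_index(lenovo, wanted)
    fixed = cipher_privs_by_id(lenovo, wanted)
    print("identity mapping:", index_matches_id(lenovo))
    print("by index  ->", buggy, "disables", suites_actually_disabled(lenovo, buggy))
    print("by id     ->", fixed, "disables", suites_actually_disabled(lenovo, fixed))
```

On the Lenovo-style list the positional version disables suite 3 while leaving suite 2 enabled, exactly the mismatch the comment reports; on a list that includes suite 0 the two versions agree, which is why the bug goes unnoticed on BMCs that still advertise suite 0. `index_matches_id` is the check to run before trusting any index-based handling.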