Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Invalid PKCS/Bad Signature cause? #2197

Open kevinh-csalabs opened 3 years ago

kevinh-csalabs commented 3 years ago

I am seeing "Invalid PKCS signature" and "Bad Signature" in the server info, but don't see any documentation on what would cause this or what needs to be done to resolve it. Any suggestions?

vitko-bg commented 3 years ago

Same here... After the latest update to 0.7.48.

vitko-bg commented 3 years ago

@kevinh-csalabs I am currently using this line in config.json to get agents connected, and will try to update all agents; will see what the result is: "ignoreagenthashcheck": [ "86.134.X.X", "86.128.X.X", "86.8.X.X" ]

To get the IPs, run systemctl status meshcentral; it will show you which IPs are problematic.

Ylianst commented 3 years ago

By crazy chance, if you are using MongoDB, what version are you using? Also, try updating to v0.7.55 and let me know if it fixes it. I had MongoDB performance improvements starting in v0.7.46 and just pulled them all out in v0.7.55. I would love to know if it makes a difference.

As for documentation of this issue, I had never planned to see this error except if a hacker is purposefully trying to connect and inject junk into the websocket. In that case, the agent authentication signature would fail. This is certainly not something that should be happening.

LPJon commented 3 years ago

> By crazy chance, if you are using MongoDB, what version are you using? Also, try updating to v0.7.55 and let me know if it fixes it. I had MongoDB performance improvements starting in v0.7.46 and just pulled them all out in v0.7.55. I would love to know if it makes a difference.
>
> As for documentation of this issue, I had never planned to see this error except if a hacker is purposefully trying to connect and inject junk into the websocket. In that case, the agent authentication signature would fail. This is certainly not something that should be happening.

@Ylianst I agree. Man-in-the-middle attacks could produce this, as well as certain firewalls or compromised firewalls.

Allowee commented 3 years ago

Interesting. I run everything on the same port, could it be port scanners or other tools trying to break in?

Are there settings so I can log this and figure out what is happening?

kevinh-csalabs commented 3 years ago

I am running mongo, but still seeing entries after 0.7.55 upgrade:

Invalid PKCS signature: 9

Could this be due to running behind cloudflare?

black3dynamite commented 3 years ago

> I am running mongo, but still seeing entries after 0.7.55 upgrade:
>
> Invalid PKCS signature: 9
>
> Could this be due to running behind cloudflare?

It's possible. I was originally using Let's Encrypt with nginx (reverse proxy) but switched to Cloudflare certs with nginx and started noticing the errors.

kevinh-csalabs commented 3 years ago

I’m using Cloudflare but still using Let's Encrypt on the backend (confirmed certs are working and renewing as expected before turning on Cloudflare).


Smiley-k commented 3 months ago

I have the same problem on the latest version 1.1.22

Is it a bug, or a bug in my configuration? (I am using MeshCentral behind an nginx reverse proxy.)

Smiley-k commented 3 months ago

I solved the problem by changing mesh.domain.com to remote.domain.com and the certificate problem disappeared...

Smiley-k commented 3 months ago

Nope, didn't end up resolving the issue @Ylianst We need your help...

si458 commented 3 months ago

@Smiley-k What message are you actually seeing? The messages all mean different things.

Smiley-k commented 3 months ago

Attached the image below:

[image]

si458 commented 3 months ago

Part of the code is below, but basically it's taking the signature an agent has given it and verifying it against the agent's certificate. You can read about it here: https://ylianst.github.io/MeshCentral/design/#agent-to-server-handshake

// Excerpt from the server-side agent handshake: obj is the agent connection being
// authenticated, parent is the server object. PKCS#7 parsing needs node-forge.
const forge = require('node-forge');

// Unwrap the PKCS#7 message the agent sent and take the raw RSA signature out of it
const p7 = forge.pkcs7.messageFromAsn1(msgDer);
const sig = p7.rawCapture.signature;
// Verify with key hash: the signed data is the server cert hash the agent saw,
// followed by the server nonce and the agent nonce for this connection
var buf = Buffer.from(obj.agentSeenCerthash + obj.nonce + obj.agentnonce, 'binary');
var verifier = parent.crypto.createVerify('RSA-SHA384');
verifier.update(buf);
// Check the signature against the public key in the agent's own certificate
verified = verifier.verify(obj.unauth.nodeCertPem, sig, 'binary');
if (verified !== true) {
  // Not a valid signature: count it and record the issue, then reject the agent
  parent.agentStats.invalidPkcsSignatureCount++;
  parent.setAgentIssue(obj, "invalidPkcsSignature");
  return false;
}
Smiley-k commented 3 months ago

Dear @si458, I didn't quite understand. What do I need to do?

si458 commented 3 months ago

@Smiley-k Nothing. Basically MeshCentral is just telling you remote devices are trying to connect BUT something is wrong with the agents, so you need to uninstall the MeshAgent on the remote devices, redownload the agents and then reinstall.

Smiley-k commented 3 months ago

This is a problem to do on 2000 devices, but I have the same situation on another installation where there are 10 PCs... How to understand why this is so?

Is there any functionality in the mesh itself to force agents to upgrade to the same version by simply reinstalling?

si458 commented 3 months ago

@Smiley-k The only thing you COULD try (not 100% sure if it will work, but it's a case of trying it): set ignoreagenthashcheck: true to allow all your devices to connect. Then go into a device, then the console tab, and run agentupdate. This should force download a copy of the agent and then restart it! Then once that machine has restarted, try setting ignoreagenthashcheck: false and see if the device is online?

si458 commented 3 months ago

@Smiley-k But it could also be a problem with your reverse proxy/MeshCentral setup if you use this, as the web server SSL cert is different from the MeshAgent SSL cert. So without knowing a little more about your setup/config.json it's hard to diagnose the problem.

Smiley-k commented 3 months ago

> @Smiley-k But it could also be a problem with your reverse proxy/MeshCentral setup if you use this, as the web server SSL cert is different from the MeshAgent SSL cert. So without knowing a little more about your setup/config.json it's hard to diagnose the problem.

Yes, you are right to point that out; I use an nginx reverse proxy.

si458 commented 3 months ago

@Smiley-k So it could just be a config issue with nginx or your MeshCentral. Again, please share your config.json and your nginx config and the community can help.

Smiley-k commented 3 months ago

@si458 I'm sorry for the slight delay. I attached the configuration files: mesh.json, nginx-domain.conf.txt

si458 commented 3 months ago

@Smiley-k

Your tlsoffload should be the IP address of your nginx reverse proxy server (e.g. 192.168.1.123), not the website URL.

agentidletimeout shouldn't really be set, as its default is 150 seconds anyway before it disconnects remote devices that didn't send any websocket traffic.

Only 2 issues I can find from a quick read, try those, restart meshcentral and see if it helps

Smiley-k commented 3 months ago

Yes, tlsoffload is set to the IP address of the nginx server.

agentidletimeout: I disabled it.

But alas, it did not help.

si458 commented 3 months ago

Try the following,

Back up, then delete the agents and signedagents folders from inside meshcentral-data. Restart MeshCentral and make sure it says it's resigning the exes. Then completely uninstall the agent from a device, redownload the agent from the web UI on the remote device, then reinstall.

It might be corrupt exes that have been signed?

Xevichr commented 4 weeks ago

Currently having an "Invalid PKCS signature" and a "bad signature" along with it. Is there a way to tell which machine has these errors?

I'm aware of agentstats and agentissues, but they don't help me determine which machine is having the errors. At least not with my knowledge. Maybe it is not possible in the first place?

I'm going to assume simply reinstalling the Agent will fix it once the machine having the issue is found.

si458 commented 4 weeks ago

Sadly the code only logs the remote IP address and port of the connection that had the Invalid PKCS signature; we would need to add a method into the code to store this extra info.

Xevichr commented 4 weeks ago

When running agentissues I have the following result:

6/26/2024, 4:56:00 AM, , invalidPkcsSignature
6/26/2024, 4:56:00 AM, , BadSignature2
6/26/2024, 8:17:10 AM, , invalidPkcsSignature
6/26/2024, 8:17:10 AM, , BadSignature2

So is this information the only thing that will be sent to MeshCentral, or is there a way I can find in MeshCentral which IP had this issue? Because we are currently running MeshCentral LAN-only, an IP address would be more than enough to find the machine having the issue.

Besides that, considering I haven't even found the machines that have the issue yet, what are the consequences? I'm assuming simply no MeshAgent to MeshCentral connection?

si458 commented 4 weeks ago

@Xevichr Yes, this has been noted in the past; I've spotted it with a few issues. I have never been able to find out WHY it does this?

It's meant to insert the IP address, similar to my production system:

[image]

One thing you can try is to run MeshCentral in debug mode with agent set, then watch its output and see if it inserts the IP/port into the logs: node node_modules/meshcentral --debug agent

As the code shows, it's meant to do this, and then insert the BadSignature2 into the db for the agentissues:

parent.setAgentIssue(obj, "BadSignature2");
parent.parent.debug('agent', 'Agent connected with bad signature, holding connection (' + obj.remoteaddrport + ').');
Xevichr commented 3 weeks ago

With "duplicateAgent" agentissues, it will show the IP address: 6/27/2024, 9:44:00 AM, 000.000.000.000:55632, duplicateAgent. It is pretty much 100% accurate when the IP is sent with this as note.

I ran node node_modules/meshcentral --debug <agentMachineName> in PowerShell (MeshCentral on Windows Server). I am wondering if I did it correctly, because as a test I abruptly disconnected myself. In the MeshCentral console, on the webportal I can see the duplicateAgent message displaying for my laptop, my IP address, but I don't see it in the terminal where I ran the debugging.

PS C:\Program Files\Open Source\MeshCentral> node node_modules/meshcentral --debug <agentMachineName>
MeshCentral HTTP redirection server running on port 81.
MeshCentral v1.1.24, Hybrid (LAN + WAN) mode.
ERR: ERROR: MeshCentral Intel(R) AMT server port 4433 is not available. Check if the MeshCentral is already running.
MeshCentral HTTPS server running on mesh.___.___:444.
si458 commented 3 weeks ago

@Xevichr Yes, sorry: if you used the MeshCentral installer, you need to STOP the MeshCentral service in the Windows services, THEN run that command; otherwise it runs on the next available port if the port it wants isn't available.

si458 commented 3 weeks ago

@Xevichr Also, you need to run node node_modules/meshcentral --debug agent; don't change the word agent! The --debug option has multiple values to debug things, like --debug web,amt,agent

Xevichr commented 3 weeks ago

Yeah, that both makes a lot of sense. In any case, thanks, I'll try it out and let you know if I find anything.