Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

No CIRA or AMT after update #4865

Closed williamstlr closed 5 months ago

williamstlr commented 1 year ago

I'm using the docker image from ghcr.io/ylianst/meshcentral and I noticed that after update to 1.1.1, AMT/CIRA devices aren't showing up in meshcentral anymore. The meshagents would still call in though. Watching 4433/tcp on my docker host I could see traffic from the devices still coming in... they just weren't showing up or accessible anymore. I rolled back to the previous docker image (1.1.0) and the AMT devices popped right back up.

To Reproduce

Steps to reproduce the behavior:

  1. Use docker image 1.1.1

Expected behavior

CIRA and AMT should be accessible/usable from meshcentral. Normally I see them as "Agent + CIRA" under "My Devices", "HW Connect" under the Desktop and Terminal tabs, and "Connect" on the Intel AMT tab. These are all gray and unclickable.

Server Software (please complete the following information):

Client Device (please complete the following information):

Remote Device (please complete the following information):

Additional context

Add any other context about the problem here.

Your config.json file

```json
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "plugins": { "enabled": true },
    "_mongoDb": null,
    "cert": "meshcentral.mydomain.com",
    "WANonly": true,
    "_LANonly": true,
    "sessionKey": "Removed",
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": true,
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": true
  },
  "domains": {
    "": {
      "_title": "MyServer",
      "_title2": "Servername",
      "minify": true,
      "NewAccounts": false,
      "localSessionRecording": false,
      "_userNameIsEmail": true,
      "certUrl": "meshcentral.mydomain.com"
    }
  },
  "smtp": {
    "host": "my.smtphost.com",
    "port": 25,
    "from": "someuser@mydomain.com",
    "user": "someuser",
    "pass": "somepassword",
    "tls": true
  }
}
```
thermionic commented 1 year ago

At a guess, this would be a TLS issue within the docker image, what AMT version are your clients, and what TLS versions are supported by the image?

williamstlr commented 1 year ago

AMT version on my clients is v9.1.42. How could I check what TLS versions are supported in the image?

williamstlr commented 1 year ago

I just checked release 1.1.2 as well, issue exists there as well. I've enabled tracing for the following and haven't seen anything seemingly related.

Maybe I'm missing somewhere else that would potentially show more information though?

thermionic commented 1 year ago

Not a clue what is in the docker image.

For a windows tool to see what TLS versions are enabled I use sslyze https://github.com/nabla-c0d3/sslyze

On AMT 9, there is no support for TLS 1.2 https://www.intel.co.uk/content/www/uk/en/support/articles/000038773/technologies/intel-active-management-technology-intel-amt.html

jsastriawan commented 1 year ago

Something to try, probably: add the TLS config maxVersion: "TLSv1.1" somewhere in mpsserver.js.

neutronstriker commented 1 year ago

I faced same issue with Meshcentral v1.1.2 and CIRA started working on rolling back to v1.1.0. Incidentally I discovered there is an official docker image (mentioned by OP of this issue :) ) for Meshcentral while debugging this.

thermionic commented 1 year ago

@neutronstriker somewhere in the docker image there will be something that sets the minimum TLS version; where, I have not got a clue. I don't run meshcentral in docker for this reason...

neutronstriker commented 1 year ago

I think it can be changed in /etc/ssl/openssl.cnf as per https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/8

thermionic commented 1 year ago

https://github.com/Ylianst/MeshCentral/issues/4782

neutronstriker commented 1 year ago

Looks like default Alpine docker images from 3.17 onwards have disabled support for TLS1.0 and TLS1.1, as they have moved to OpenSSL 3.0 from OpenSSL 1.1 (https://github.com/nginxinc/docker-nginx/issues/743#issuecomment-1419661587). So even after changing "CipherString = DEFAULT@SECLEVEL=0" in /etc/ssl/openssl.cnf, TLS1.0 and TLS1.1 are not supported on the CIRA-mps server and older machines with AMT 11.0 and lower are not working any more. This issue is resolved by using Alpine docker image version 3.16; I tested it to be working with Meshcentral 1.1.6.

si458 commented 5 months ago

OK, I have included the fix in the source code! I discovered this bug when trying to get an AMT 7 device working with node 18 on Ubuntu 22.04, so it's not just the docker image that's affected, but actually node, unless you change the seclevel for the WHOLE OS/container OR include it in only the application!

williamstlr commented 5 months ago

Hey, this is awesome, thank you! Will that be an argument that I need to pass in somewhere or will it “just work” after that change is merged and the official docker image is built next?

si458 commented 5 months ago

In theory it should just work out of the box! No extra arguments. I have merged the PR now, so a master test docker build should be available in about 15 mins: https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral (ghcr.io/ylianst/meshcentral:master). GitHub Actions builds a master docker image every time we PUSH to the master branch so people can test the latest/greatest/fixes.

Sorry it's taken so long, I've only had 2 Intel AMT machines for the past month, so I'm still learning/exploring, finding bug after bug, but that's what you get when Intel decided to let @Ylianst go and not support the software anymore.

williamstlr commented 5 months ago

Confirming that my AMT devices are showing up now and that I can connect to them. Thanks @si458!

si458 commented 5 months ago

Glad it worked! Don't forget to sponsor! https://www.si458.co.uk/2024/01/05/donation/