Ylianst / MeshCommander

MeshCommander is an Intel(R) Active Management Technology (Intel(R) AMT) remote management tool. It's feature rich and includes a built-in remote desktop viewer for Hardware-KVM, a Serial-over-LAN terminal, IDER-Redirection support and much more. MeshCommander is built on web technologies and runs on many platforms. In addition to being available as a stand-alone tool, MeshCommander was built to be very space efficient so that it can be uploaded into Intel AMT flash space and served directly from the Intel AMT web server.
Apache License 2.0

0.8.2 for npm? #8

Closed MichaelRiss closed 4 years ago

MichaelRiss commented 4 years ago

Hi and thank you for this software! Is it possible to push 0.8.2 to github/npm? The reason is that I see a bug/problem with npm@0.8.0 on Linux (fedora31) that I don't see on msi@0.8.2 (Windows 10): When I connect with 0.8.0 to an AMT machine (ME v11.8.70, BIOS DNKBLi7v.86A.0068.2020.0312.1938) I can only do it with Digest / None. If I select Digest / TLS and then Connect I immediately (within a fraction of a second, so not a typical IP timeout) get Time Out and a Close button below. With 0.8.2 on Windows it works without problems. In the changelog I see that 0.8.1 may contain TLS fixes - maybe these solve my problem, too?

Additional Info: with the original BIOS on this NUC from 2018, Digest / TLS did work with npm@0.8.0 on Linux, but after the BIOS upgrade this problem above showed up. It seems the Digest / TLS handling changed in between the BIOS versions.

MichaelRiss commented 4 years ago

I looked at the communication on the network with wireshark and I can see that meshcommander starts with a TLS Client Hello advertising TLS v1.2:

TLSv1.1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 131
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 127
        Version: TLS 1.2 (0x0303)
        Random: 33ac681c46601b891bff0f4822410a1f3ae50ea73f2467db…
        Session ID Length: 0
        Cipher Suites Length: 22
        Cipher Suites (11 suites)
        Compression Methods Length: 1
        Compression Methods (1 method)
        Extensions Length: 64
        Extension: session_ticket (len=0)
        Extension: encrypt_then_mac (len=0)
        Extension: extended_master_secret (len=0)
        Extension: signature_algorithms (len=48)

The AMT box replies with a Server Hello offering TLS v1.1:

TLSv1.1 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.1 (0x0302)
    Length: 46
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 42
        Version: TLS 1.1 (0x0302)
        Random: 319b11e424d65bff62bedadbe2ab5cd3bbfeb79eb0240d10…
        Session ID Length: 4
        Session ID: 17000000
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Compression Method: null (0)

which seems to get rejected by meshcommander:

TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Protocol Version (70)

I looked into the javascript code to see if TLS v1.1 gets excluded explicitly at some point, but no.

var tlsoptions = {
    // 'TLSv1_method' pins the connection to TLS 1.0 only; 'SSLv23_method' lets OpenSSL negotiate the version
    secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'),
    ciphers: 'RSA+AES:!aNULL:!MD5:!DSS',
    // SSLv2/SSLv3 and compression are disabled explicitly; TLS 1.0 and 1.1 are not excluded here
    secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE,
    // the server certificate is not validated
    rejectUnauthorized: false
};

So far I can't see where the problem is located. Maybe TLSv1_method has some implicit restriction to TLS v1.2++? The crypto-policies of my Fedora 31 is set to DEFAULT which implies

MinProtocol = TLSv1
MaxProtocol = TLSv1.3

That should be ok then, too.

MichaelRiss commented 4 years ago

Indeed, with node --tls-min-v1.1 meshcommander it works. Fedora 31 defaults to nodejs 12 and this version disables TLS v1.0 and v1.1 without override, it seems. That may also explain why "0.8.2" works on Windows, maybe it's not the newer version but just a different javascript engine on Windows allowing TLS v1.1 connections? However, nodejs on Linux rejecting connections to TLS v1.1 servers by default means that it's not possible to connect to AMT machines with ME versions <12, which are still a lot out there, I think. Catching the error better may be an option? Replace the Time Out message with "TLS version error, you may need to start meshcommander with node --tls-min-v1.1 meshcommander to connect to ME v11.X machines"?
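The failure pattern in the capture above (a TLS 1.1 Server Hello answered by a fatal protocol_version alert) can be recognised programmatically so a client reports the actual cause rather than a generic Time Out. This is an added example, not MeshCommander's code; the record bytes are constructed to match the field values shown in the capture, and the diagnostic text follows the message suggested in the comment.

```javascript
// Decode TLS record headers, the Server Hello version and alert bodies
// (RFC 5246 layout) and turn a version mismatch into an actionable message.
const TLS_VERSIONS = { 0x0301: 'TLS 1.0', 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2', 0x0304: 'TLS 1.3' };
const ALERT_DESCRIPTIONS = { 40: 'handshake_failure', 70: 'protocol_version' };

// Parse one TLS record: 5-byte header (content type, version, length) plus body.
function parseRecord(buf) {
  if (buf.length < 5) throw new Error('record too short');
  const type = buf[0];
  const recordVersion = buf.readUInt16BE(1);
  const length = buf.readUInt16BE(3);
  const body = buf.subarray(5, 5 + length);
  if (body.length !== length) throw new Error('truncated record');
  if (type === 21 && body.length === 2) {            // Alert: level(1) description(1)
    return { type: 'alert', level: body[0] === 2 ? 'fatal' : 'warning',
             description: ALERT_DESCRIPTIONS[body[1]] || `alert_${body[1]}` };
  }
  if (type === 22 && body[0] === 2) {                // Handshake, Server Hello:
    // handshake type(1) length(3) version(2) random(32) ...
    return { type: 'server_hello', version: TLS_VERSIONS[body.readUInt16BE(4)] || 'unknown' };
  }
  return { type: `record_${type}`, recordVersion: TLS_VERSIONS[recordVersion] || 'unknown' };
}

// Given the records of a failed handshake, explain a version mismatch.
function diagnose(records) {
  const parsed = records.map(parseRecord);
  const hello = parsed.find(r => r.type === 'server_hello');
  const alert = parsed.find(r => r.type === 'alert' && r.description === 'protocol_version');
  if (hello && alert) {
    return `TLS version error: server offered ${hello.version}, which this Node.js rejects ` +
           'by default; you may need "node --tls-min-v1.1 meshcommander" for ME v11.x machines';
  }
  return alert ? 'TLS protocol_version alert' : 'no TLS version problem detected';
}

// Constructed sample records: TLS 1.1 Server Hello (record length 46,
// handshake length 42, session id 17000000, suite 0x002f, null compression)
// followed by the client's fatal protocol_version alert.
const serverHello = Buffer.concat([
  Buffer.from([0x16, 0x03, 0x02, 0x00, 0x2e, 0x02, 0x00, 0x00, 0x2a, 0x03, 0x02]),
  Buffer.alloc(32, 0x31),                                         // random (constructed)
  Buffer.from([0x04, 0x17, 0x00, 0x00, 0x00, 0x00, 0x2f, 0x00]),
]);
const clientAlert = Buffer.from([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46]);

console.log(diagnose([serverHello, clientAlert]));
```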

MichaelRiss commented 4 years ago

Additional info: Later in the wireshark capture I see that meshcommander tries to open an SSLv3 connection which gets rejected by the v11 AMT machine. Maybe the 2018 BIOS of this NUC7i7DNHE machine allowed these connections and therefore the Digest/TLS method worked before.

Ylianst commented 4 years ago

Latest version published on NPM. Indeed as stated above, if using the latest NodeJS with older Intel AMT, some switches may be needed.

MichaelRiss commented 4 years ago

Thanks!