Closed MichaelRiss closed 4 years ago
I looked at the communication on the network with Wireshark and I can see that meshcommander starts with a TLS Client Hello advertising TLS v1.2:

```
TLSv1.1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 131
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 127
        Version: TLS 1.2 (0x0303)
        Random: 33ac681c46601b891bff0f4822410a1f3ae50ea73f2467db…
        Session ID Length: 0
        Cipher Suites Length: 22
        Cipher Suites (11 suites)
        Compression Methods Length: 1
        Compression Methods (1 method)
        Extensions Length: 64
        Extension: session_ticket (len=0)
        Extension: encrypt_then_mac (len=0)
        Extension: extended_master_secret (len=0)
        Extension: signature_algorithms (len=48)
```

The AMT box replies with a Server Hello offering TLS v1.1:

```
TLSv1.1 Record Layer: Handshake Protocol: Server Hello
    Content Type: Handshake (22)
    Version: TLS 1.1 (0x0302)
    Length: 46
    Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 42
        Version: TLS 1.1 (0x0302)
        Random: 319b11e424d65bff62bedadbe2ab5cd3bbfeb79eb0240d10…
        Session ID Length: 4
        Session ID: 17000000
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Compression Method: null (0)
```

which seems to get rejected by meshcommander:

```
TLSv1.1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Protocol Version (70)
```
I looked into the JavaScript code to see if TLS v1.1 gets excluded explicitly at some point, but no:

```javascript
var tlsoptions = {
    // OpenSSL method selector: 'TLSv1_method' pins the connection to TLS 1.0 exactly;
    // 'SSLv23_method' negotiates the highest version both sides support, within the
    // bounds Node's runtime min/max TLS version settings impose.
    secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'),
    ciphers: 'RSA+AES:!aNULL:!MD5:!DSS',
    // No SSLv2/SSLv3, no compression, server picks the cipher.
    secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 |
        obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE,
    // AMT certificates are not validated against a CA here.
    rejectUnauthorized: false
};
```

So far I can't see where the problem is located. Maybe TLSv1_method has some implicit restriction to TLS v1.2++?
The crypto-policies of my Fedora 31 is set to DEFAULT, which implies

```
MinProtocol = TLSv1
MaxProtocol = TLSv1.3
```

That should be ok then, too.
Indeed, with `node --tls-min-v1.1 meshcommander` it works.
Fedora 31 defaults to nodejs 12, and this version disables TLS v1.0 and v1.1 without override, it seems.

That may also explain why "0.8.2" works on Windows: maybe it's not the newer version but just a different JavaScript engine on Windows allowing TLS v1.1 connections?

However, with nodejs on Linux rejecting connections to TLS v1.1 servers by default, it's not possible to connect to AMT machines with ME versions <12, of which I think there are still a lot out there.

Catching the error better may be an option? Replace the "Time Out" message with "TLS version error, you may need to start meshcommander with `node --tls-min-v1.1 meshcommander` to connect to ME v11.X machines"?
Additional info: Later in the Wireshark capture I see that meshcommander tries to open an SSLv3 connection, which gets rejected by the v11 AMT machine. Maybe the 2018 BIOS of this NUC7i7DNHE machine allowed these connections and therefore the Digest/TLS method worked before.
Latest version published on NPM. Indeed, as stated above, if using the latest NodeJS with older Intel AMT, some switches may be needed.
Thanks!
Hi and thank you for this software! Is it possible to push 0.8.2 to github/npm? The reason is that I see a bug/problem with npm@0.8.0 on Linux (fedora31) that I don't see on msi@0.8.2 (Windows 10): When I connect with 0.8.0 to an AMT machine (ME v11.8.70, BIOS DNKBLi7v.86A.0068.2020.0312.1938) I can only do it with "Digest / None". If I select "Digest / TLS" and then "Connect", I immediately (within a fraction of a second, so not a typical IP timeout) get "Time Out" and a "Close" button below. With 0.8.2 on Windows it works without problems. In the changelog I see that 0.8.1 may contain TLS fixes - maybe these solve my problem, too?

Additional Info: with the original BIOS on this NUC from 2018, "Digest / TLS" did work with npm@0.8.0 on Linux, but after the BIOS upgrade the problem above showed up. It seems the "Digest / TLS" handling changed in between the BIOS versions.