Fixed Intel AMT TLS.

This commit is contained in:
Ylian Saint-Hilaire 2020-03-30 19:29:46 -07:00
parent 3c8a0bdc77
commit 90d5a3cd6f
8 changed files with 23 additions and 15 deletions

View File

@ -1022,7 +1022,8 @@ function startMeshCommander() {
} else { } else {
// If TLS is going to be used, setup a TLS socket // If TLS is going to be used, setup a TLS socket
var tls = require('tls'); var tls = require('tls');
var tlsoptions = { host: webargs.host, port: webargs.port, secureProtocol: ((webargs.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), rejectUnauthorized: false }; var tlsoptions = { host: webargs.host, port: webargs.port, rejectUnauthorized: false };
if (webargs.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
ws.forwardclient = tls.connect(tlsoptions, function () { debug(1, 'Connected TLS to ' + webargs.host + ':' + webargs.port + '.'); this.pipe(this.ws, { end: false }); this.ws.pipe(this, { end: false }); }); ws.forwardclient = tls.connect(tlsoptions, function () { debug(1, 'Connected TLS to ' + webargs.host + ':' + webargs.port + '.'); this.pipe(this.ws, { end: false }); this.ws.pipe(this, { end: false }); });
ws.forwardclient.on('error', function () { debug(1, 'TLS connection error to ' + webargs.host + ':' + webargs.port + '.'); try { this.ws.end(); } catch (e) { } }); ws.forwardclient.on('error', function () { debug(1, 'TLS connection error to ' + webargs.host + ':' + webargs.port + '.'); try { this.ws.end(); } catch (e) { } });
ws.forwardclient.ws = ws; ws.forwardclient.ws = ws;

View File

@ -150,7 +150,8 @@ module.exports.CreateAmtRedirect = function (module, domain, user, webserver, me
// TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF // TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF
const TLSSocket = require('tls').TLSSocket; const TLSSocket = require('tls').TLSSocket;
const tlsoptions = { secureProtocol: ((obj.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false }; const tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (obj.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
const tlsock = new TLSSocket(ser, tlsoptions); const tlsock = new TLSSocket(ser, tlsoptions);
tlsock.on('error', function (err) { Debug(1, "CIRA TLS Connection Error ", err); }); tlsock.on('error', function (err) { Debug(1, "CIRA TLS Connection Error ", err); });
tlsock.on('secureConnect', function () { Debug(2, "CIRA Secure TLS Connection"); ws._socket.resume(); }); tlsock.on('secureConnect', function () { Debug(2, "CIRA Secure TLS Connection"); ws._socket.resume(); });
@ -207,7 +208,8 @@ module.exports.CreateAmtRedirect = function (module, domain, user, webserver, me
obj.forwardclient.setEncoding('binary'); obj.forwardclient.setEncoding('binary');
} else { } else {
// If TLS is going to be used, setup a TLS socket // If TLS is going to be used, setup a TLS socket
var tlsoptions = { secureProtocol: ((obj.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false }; var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (obj.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
obj.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () { obj.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () {
// The TLS connection method is the same as TCP, but located a bit differently. // The TLS connection method is the same as TCP, but located a bit differently.
Debug(2, 'TLS Intel AMT transport connected to ' + node.host + ':' + port + '.'); Debug(2, 'TLS Intel AMT transport connected to ' + node.host + ':' + port + '.');

View File

@ -179,7 +179,8 @@ var CreateWsmanComm = function (host, port, user, pass, tls, tlsoptions, parent,
obj.socket.connect(obj.port, obj.host, obj.xxOnSocketConnected); obj.socket.connect(obj.port, obj.host, obj.xxOnSocketConnected);
} else { } else {
// Connect with TLS // Connect with TLS
var options = { secureProtocol: ((obj.xtlsMethod == 0) ? 'SSLv23_method' : 'TLSv1_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false }; var options = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (obj.xtlsMethod != 0) { options.secureProtocol = 'TLSv1_method'; }
if (obj.xtlsoptions) { if (obj.xtlsoptions) {
if (obj.xtlsoptions.ca) options.ca = obj.xtlsoptions.ca; if (obj.xtlsoptions.ca) options.ca = obj.xtlsoptions.ca;
if (obj.xtlsoptions.cert) options.cert = obj.xtlsoptions.cert; if (obj.xtlsoptions.cert) options.cert = obj.xtlsoptions.cert;

View File

@ -371,7 +371,9 @@ module.exports.CreateAmtScanner = function (parent) {
} else { } else {
// Connect using TLS, we will switch from default TLS to TLS1-only and back if we get a connection error to support older Intel AMT. // Connect using TLS, we will switch from default TLS to TLS1-only and back if we get a connection error to support older Intel AMT.
if (scaninfo.tlsoption == null) { scaninfo.tlsoption = 0; } if (scaninfo.tlsoption == null) { scaninfo.tlsoption = 0; }
client = obj.tls.connect(port, host, scaninfo.tlsoption == 1 ? { secureProtocol: 'TLSv1_method', rejectUnauthorized: false, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE } : { rejectUnauthorized: false, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE }, function () { this.write('GET / HTTP/1.1\r\nhost: ' + host + '\r\n\r\n'); }); const tlsOptions = { rejectUnauthorized: false, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE };
if (scaninfo.tlsoption == 1) { tlsOptions.secureProtocol = 'TLSv1_method'; }
client = obj.tls.connect(port, host, tlsOptions, function () { this.write('GET / HTTP/1.1\r\nhost: ' + host + '\r\n\r\n'); });
} }
client.scaninfo = scaninfo; client.scaninfo = scaninfo;
client.func = func; client.func = func;

View File

@ -508,7 +508,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
parent.cleanDevice(docs[i]); parent.cleanDevice(docs[i]);
// Remove any connectivity and power state information, that should not be in the database anyway. // Remove any connectivity and power state information, that should not be in the database anyway.
// TODO: Find why these are sometimes saves in the db. // TODO: Find why these are sometimes saved in the db.
if (docs[i].conn != null) { delete docs[i].conn; } if (docs[i].conn != null) { delete docs[i].conn; }
if (docs[i].pwr != null) { delete docs[i].pwr; } if (docs[i].pwr != null) { delete docs[i].pwr; }
if (docs[i].agct != null) { delete docs[i].agct; } if (docs[i].agct != null) { delete docs[i].agct; }
@ -2998,7 +2998,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (command.desc != null && (command.desc != node.desc)) { change = 1; node.desc = command.desc; changes.push('description'); } if (command.desc != null && (command.desc != node.desc)) { change = 1; node.desc = command.desc; changes.push('description'); }
if (command.intelamt != null) { if (command.intelamt != null) {
if ((command.intelamt.user != null) && (command.intelamt.pass != undefined) && ((command.intelamt.user != node.intelamt.user) || (command.intelamt.pass != node.intelamt.pass))) { change = 1; node.intelamt.user = command.intelamt.user; node.intelamt.pass = command.intelamt.pass; changes.push('Intel AMT credentials'); } if ((command.intelamt.user != null) && (command.intelamt.pass != undefined) && ((command.intelamt.user != node.intelamt.user) || (command.intelamt.pass != node.intelamt.pass))) { change = 1; node.intelamt.user = command.intelamt.user; node.intelamt.pass = command.intelamt.pass; changes.push('Intel AMT credentials'); }
if (command.intelamt.tls && (command.intelamt.tls != node.intelamt.tls)) { change = 1; node.intelamt.tls = command.intelamt.tls; changes.push('Intel AMT TLS'); } if ((command.intelamt.tls != null) && (command.intelamt.tls != node.intelamt.tls)) { change = 1; node.intelamt.tls = command.intelamt.tls; changes.push('Intel AMT TLS'); }
} }
if (command.tags) { // Node grouping tag, this is a array of strings that can't be empty and can't contain a comma if (command.tags) { // Node grouping tag, this is a array of strings that can't be empty and can't contain a comma
var ok = true, group2 = []; var ok = true, group2 = [];

View File

@ -2230,9 +2230,9 @@
if (amtuser == '') amtuser = 'admin'; if (amtuser == '') amtuser = 'admin';
var amtpass = Q('dp10password').value; var amtpass = Q('dp10password').value;
if (amtpass == '') amtuser = ''; if (amtpass == '') amtuser = '';
meshserver.send({ action: 'changedevice', nodeid: tag.node._id, intelamt: { user: amtuser, pass: amtpass, tls: Q('dp10tls').value } }); meshserver.send({ action: 'changedevice', nodeid: tag.node._id, intelamt: { user: amtuser, pass: amtpass, tls: parseInt(Q('dp10tls').value) } });
tag.node.intelamt.user = amtuser; tag.node.intelamt.user = amtuser;
tag.node.intelamt.tls = Q('dp10tls').value; tag.node.intelamt.tls = parseInt(Q('dp10tls').value);
if (tag.func) { setTimeout(tag.func, 300); } if (tag.func) { setTimeout(tag.func, 300); }
} }
} }

View File

@ -5352,9 +5352,9 @@
if (amtuser == '') amtuser = 'admin'; if (amtuser == '') amtuser = 'admin';
var amtpass = Q('dp10password').value; var amtpass = Q('dp10password').value;
if (amtpass == '') amtuser = ''; if (amtpass == '') amtuser = '';
meshserver.send({ action: 'changedevice', nodeid: tag.node._id, intelamt: { user: amtuser, pass: amtpass, tls: Q('dp10tls').value } }); meshserver.send({ action: 'changedevice', nodeid: tag.node._id, intelamt: { user: amtuser, pass: amtpass, tls: parseInt(Q('dp10tls').value) } });
tag.node.intelamt.user = amtuser; tag.node.intelamt.user = amtuser;
tag.node.intelamt.tls = Q('dp10tls').value; tag.node.intelamt.tls = parseInt(Q('dp10tls').value);
if (tag.func) { setTimeout(function () { tag.func(null, tag.arg); }, 300); } if (tag.func) { setTimeout(function () { tag.func(null, tag.arg); }, 300); }
} }
} }

View File

@ -2615,7 +2615,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF // TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF
const TLSSocket = require('tls').TLSSocket; const TLSSocket = require('tls').TLSSocket;
const tlsoptions = { secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false }; const tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
const tlsock = new TLSSocket(ser, tlsoptions); const tlsock = new TLSSocket(ser, tlsoptions);
tlsock.on('error', function (err) { parent.debug('webrelay', "CIRA TLS Connection Error ", err); }); tlsock.on('error', function (err) { parent.debug('webrelay', "CIRA TLS Connection Error ", err); });
tlsock.on('secureConnect', function () { parent.debug('webrelay', "CIRA Secure TLS Connection"); ws._socket.resume(); }); tlsock.on('secureConnect', function () { parent.debug('webrelay', "CIRA Secure TLS Connection"); ws._socket.resume(); });
@ -2796,7 +2797,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
ws._socket.resume(); ws._socket.resume();
} else { } else {
// If TLS is going to be used, setup a TLS socket // If TLS is going to be used, setup a TLS socket
var tlsoptions = { secureProtocol: ((req.query.tls1only == 1) ? 'TLSv1_method' : 'SSLv23_method'), ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false }; var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE, rejectUnauthorized: false };
if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; }
ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () { ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () {
// The TLS connection method is the same as TCP, but located a bit differently. // The TLS connection method is the same as TCP, but located a bit differently.
parent.debug('webrelay', 'TLS connected to ' + node.host + ':' + port + '.'); parent.debug('webrelay', 'TLS connected to ' + node.host + ':' + port + '.');
@ -2827,13 +2829,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
// If the TCP connection closes, disconnect the associated web socket. // If the TCP connection closes, disconnect the associated web socket.
ws.forwardclient.on('close', function () { ws.forwardclient.on('close', function () {
parent.debug('webrelay', 'TCP relay disconnected from ' + node.host + '.'); parent.debug('webrelay', 'TCP relay disconnected from ' + node.host + ':' + port + '.');
try { ws.close(); } catch (e) { } try { ws.close(); } catch (e) { }
}); });
// If the TCP connection causes an error, disconnect the associated web socket. // If the TCP connection causes an error, disconnect the associated web socket.
ws.forwardclient.on('error', function (err) { ws.forwardclient.on('error', function (err) {
parent.debug('webrelay', 'TCP relay error from ' + node.host + ': ' + err.errno); parent.debug('webrelay', 'TCP relay error from ' + node.host + ':' + port + ': ' + err);
try { ws.close(); } catch (e) { } try { ws.close(); } catch (e) { }
}); });