diff --git a/agents/MeshCmd-signed.exe b/agents/MeshCmd-signed.exe
index 37fd7a90..3fde67be 100644
Binary files a/agents/MeshCmd-signed.exe and b/agents/MeshCmd-signed.exe differ
diff --git a/agents/MeshCmd64-signed.exe b/agents/MeshCmd64-signed.exe
index 98112846..7e429030 100644
Binary files a/agents/MeshCmd64-signed.exe and b/agents/MeshCmd64-signed.exe differ
diff --git a/agents/meshcmd.js b/agents/meshcmd.js
index 2ac43bd9..e50c1c2a 100644
--- a/agents/meshcmd.js
+++ b/agents/meshcmd.js
@@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
 function onVerifyServer(clientName, certs) {
 if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
 try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
- if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
+ console.log(settings.serverhttpshash);
+ if (settings.serverhttpshash != null) {
+ console.log('Error: Failed to verify server certificate.');
+ console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
+ exit(255);
+ throw 'Invalid server certificate';
+ }
 }
 
 // Various utility functions
@@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
 
 // Establish WebSocket connection to activation server
 var options = http.parseUri(settings.url);
- options.checkServerIdentity = function (clientName, certs) { }; // TODO
+ //options.checkServerIdentity = function (clientName, certs) { }; // TODO
+ options.checkServerIdentity = onVerifyServer;
 options.rejectUnauthorized = false;
 var connection = http.request(options);
 connection.on('upgrade', function (response, socket) {
diff --git a/agents/meshcmd.min.js b/agents/meshcmd.min.js
index 2ac43bd9..e50c1c2a 100644
--- a/agents/meshcmd.min.js
+++ b/agents/meshcmd.min.js
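Review bot: The new `console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''))` line reuses the `i` left behind by the `for (var i in certs)` loop, so when `certs` is empty, not enumerable, or the try block already threw on a certificate without `fingerprint`, `certs[i].fingerprint` throws a TypeError outside any try and `exit(255)` is never reached; when several certificates were compared it also prints only the last one. The leading `console.log(settings.serverhttpshash);` reads like a leftover debug print and should go. Collecting the fingerprints inside the loop fixes both, as below; onVerifyServer lies entirely within the hunk. agents/meshcmd.min.js carries the identical hunk (and the same blob ids 2ac43bd9..e50c1c2a), so it needs the same change.
```javascript
function onVerifyServer(clientName, certs) {
    if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
    var seen = [];
    try {
        for (var i in certs) {
            var fp = certs[i].fingerprint.replace(/:/g, '');
            if (fp == settings.serverhttpshash) { return; }
            seen.push(fp);
        }
    } catch (e) { }
    if (settings.serverhttpshash != null) {
        console.log('Error: Failed to verify server certificate.');
        console.log('Server TLS hash: ' + seen.join(', '));
        exit(255);
        throw 'Invalid server certificate';
    }
}
```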
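Review bot: With `options.rejectUnauthorized = false;` kept on the line after the new `options.checkServerIdentity = onVerifyServer;`, the pin in onVerifyServer is the only check applied to the activation server's certificate, and onVerifyServer returns without complaint when `settings.serverhttpshash` is unset; a comment here would make that contract visible, e.g. `// Chain validation is off: onVerifyServer pins the cert to settings.serverhttpshash and accepts any cert when no hash is configured.` The commented-out `//options.checkServerIdentity = function (clientName, certs) { }; // TODO` line is dead code and should be deleted rather than kept. Whether the runtime's `fingerprint` property uses the same digest as the hash the server publishes is not visible in this hunk (meshuser.js labels its value SHA384) and is worth confirming, since a digest mismatch makes the pin fail on every connection. activeToACMEx starts before the hunk and continues past it; the same hunk appears in agents/meshcmd.min.js.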
@@ -57,7 +57,13 @@ var Small_IntelAmtWebApp = "H4sIAAAAAAAEAHq/e7+Noou/c0hkgCuA0+pcchQHwq9CeXNgFzwZ
 function onVerifyServer(clientName, certs) {
 if (certs == null) { certs = clientName; } // Temporary thing until we fix duktape
 try { for (var i in certs) { if (certs[i].fingerprint.replace(/:/g, '') == settings.serverhttpshash) { return; } } } catch (e) { }
- if (serverhash != null) { console.log('Error: Failed to verify server certificate.'); throw 'Invalid server certificate'; }
+ console.log(settings.serverhttpshash);
+ if (settings.serverhttpshash != null) {
+ console.log('Error: Failed to verify server certificate.');
+ console.log('Server TLS hash: ' + certs[i].fingerprint.replace(/:/g, ''));
+ exit(255);
+ throw 'Invalid server certificate';
+ }
 }
 
 // Various utility functions
@@ -927,7 +933,8 @@ function activeToACMEx(fwNonce, dnsSuffix, digestRealm, uuid) {
 
 // Establish WebSocket connection to activation server
 var options = http.parseUri(settings.url);
- options.checkServerIdentity = function (clientName, certs) { }; // TODO
+ //options.checkServerIdentity = function (clientName, certs) { }; // TODO
+ options.checkServerIdentity = onVerifyServer;
 options.rejectUnauthorized = false;
 var connection = http.request(options);
 connection.on('upgrade', function (response, socket) {
diff --git a/meshuser.js b/meshuser.js
index 053525e6..1636fdce 100644
--- a/meshuser.js
+++ b/meshuser.js
@@ -291,6 +291,15 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
 
 // Build server information object
 var serverinfo = { name: domain.dns ? domain.dns : parent.certificates.CommonName, mpsname: parent.certificates.AmtMpsName, mpsport: mpsport, mpspass: args.mpspass, port: httpport, emailcheck: ((parent.parent.mailserver != null) && (domain.auth != 'sspi') && (domain.auth != 'ldap') && (args.lanonly != true) && (parent.certificates.CommonName != null) && (parent.certificates.CommonName.indexOf('.') != -1)), domainauth: ((domain.auth == 'sspi') || (domain.auth == 'ldap')) };
+ serverinfo.tlshash = Buffer.from(parent.webCertificateHashs[domain.id], 'binary').toString('hex').toUpperCase(); // SHA384 of server HTTPS certificate
+ if ((parent.parent.config.domains[domain.id].amtacmactivation != null) && (parent.parent.config.domains[domain.id].amtacmactivation.acmmatch != null)) {
+ var matchingDomains = [];
+ for (var i in parent.parent.config.domains[domain.id].amtacmactivation.acmmatch) {
+ var cn = parent.parent.config.domains[domain.id].amtacmactivation.acmmatch[i].cn;
+ if ((cn != '*') && (matchingDomains.indexOf(cn) == -1)) { matchingDomains.push(cn); }
+ }
+ if (matchingDomains.length > 0) { serverinfo.amtAcmFqdn = matchingDomains; }
+ }
 if (args.notls == true) { serverinfo.https = false; } else { serverinfo.https = true; serverinfo.redirport = args.redirport; }
 if (typeof domain.userconsentflags == 'number') { serverinfo.consent = domain.userconsentflags; }
 if ((typeof domain.usersessionidletimeout == 'number') && (domain.usersessionidletimeout > 0)) { serverinfo.timeout = (domain.usersessionidletimeout * 60 * 1000); }
diff --git a/views/default.handlebars b/views/default.handlebars
index e5f1c76e..922fcc2f 100644
--- a/views/default.handlebars
+++ b/views/default.handlebars
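Review bot: `Buffer.from(parent.webCertificateHashs[domain.id], 'binary')` on the first added line throws a TypeError when no hash is recorded for this domain, which would abort building `serverinfo` for every user session in that domain; unless every domain is guaranteed an entry (not visible here), guard it: `var certHash = parent.webCertificateHashs[domain.id];` / `if (certHash != null) { serverinfo.tlshash = Buffer.from(certHash, 'binary').toString('hex').toUpperCase(); }`. The trailing comment labels the value SHA384, and the consumer in agents/meshcmd.js compares it verbatim against a certificate `fingerprint` with the ':' separators removed, so confirm both sides use the same digest and hex case — the value is upper-cased here and the comparison there is case-sensitive. CreateMeshUser starts before the hunk and continues past it.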
@@ -2577,6 +2577,9 @@ r += ' Add Local'; r += ' Scan Network'; } + if ((features & 0x00100000) != 0) { // ACM activation + r += ' Activation'; + } } if (mesh.mtype == 2) { r += ' Add Agent'; @@ -2599,6 +2602,27 @@ Q('dp1devicename').focus(); } + // Intel AMT Activation + function showAcmActivation(meshid) { + if (xxdialogMode) return; + var servername = serverinfo.name, mesh = meshes[meshid]; + if ((servername.indexOf('.') == -1) || ((features & 2) != 0)) { servername = window.location.hostname; } // If the server name is not set or it's in LAN-only mode, use the URL hostname as server name. + var url, domainUrlNoSlash = domainUrl.substring(0, domainUrl.length - 1); + if (serverinfo.https == true) { + var portStr = (serverinfo.port == 443) ? '' : (":" + serverinfo.port); + url = "wss://" + servername + portStr + domainUrl; + } else { + var portStr = (serverinfo.port == 80) ? '' : (":" + serverinfo.port); + url = "ws://" + servername + portStr + domainUrl; + } + var x = "Perform Intel AMT admin control mode (ACM) activation to group \"" + EscapeHtml(mesh.name) + "\" by downloading the MeshCMD tool and running it like this:

"; + x += ''; + if (serverinfo.amtAcmFqdn != null) { + x += '
Intel AMT will need to be set with a Trusted FQDN in MEBx or have a wired LAN on the network: ' + serverinfo.amtAcmFqdn.join(', ') + '
'; + } + setDialogMode(2, "Intel® AMT activation", 9, null, x); + } + // Display the Intel AMT scanning dialog box function addAmtScanToMesh(meshid) { if (xxdialogMode) return;
diff --git a/webserver.js b/webserver.js
index dfc2112b..3bf12629 100644
--- a/webserver.js
+++ b/webserver.js
@@ -2164,7 +2164,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 const mesh = obj.meshes[ws.meshid];
 if (mesh == null) { delete ws.meshid; ws.send(JSON.stringify({ errorText: 'Invalid device group' })); ws.close(); return; }
 if (mesh.mtype != 1) { ws.send(JSON.stringify({ errorText: 'Invalid device group type' })); ws.close(); return; }
-
+
 // Fetch the remote IP:Port for logging
 const remoteaddr = (req.ip.startsWith('::ffff:')) ? (req.ip.substring(7)) : req.ip;
 ws.remoteaddrport = remoteaddr + ':' + ws._socket.remotePort;
@@ -2215,7 +2215,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 
 // Agent is asking the server to sign an Intel AMT ACM activation request
 var signResponse = parent.certificateOperations.signAcmRequest(domain, cmd, 'admin', amtpassword, ws.remoteaddrport, null, ws.meshid, null, null);
- ws.send(JSON.stringify(signResponse));
+ //ws.send(JSON.stringify(signResponse)); // DEBUG***************************
 break;
 }
 default: {
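Review bot: `serverinfo.amtAcmFqdn.join(', ')` is concatenated into the dialog HTML unescaped, while `mesh.name` a few lines earlier in the same function goes through `EscapeHtml`; the values come from the server's acmmatch configuration, so exposure is limited to what an administrator enters, but for consistency wrap it the same way: `EscapeHtml(serverinfo.amtAcmFqdn.join(', '))`. The hunk as shown here appears to have had its HTML markup stripped, so the markup that consumes `url` is not visible and was not reviewed.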
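Review bot: Commenting out `ws.send(JSON.stringify(signResponse));` with a `// DEBUG` marker leaves the agent's ACM signing request unanswered: the server still computes `signResponse` but never returns it, so activation cannot complete against a build of this commit. Restore the line, `ws.send(JSON.stringify(signResponse));`, before merging, or gate it behind an explicit debug setting rather than a commented-out statement. The enclosing switch and CreateWebServer start before the hunk and continue past it.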