diff --git a/amt/amt-redir-mesh.js b/amt/amt-redir-mesh.js index 2c46c793..0dae49a1 100644 --- a/amt/amt-redir-mesh.js +++ b/amt/amt-redir-mesh.js @@ -170,8 +170,12 @@ module.exports.CreateAmtRedirect = function (module, domain, user, webserver, me // TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF const TLSSocket = require('tls').TLSSocket; - const tlsoptions = { minVersion: 'TLSv1', ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (obj.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; } + const tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (obj.tls1only == 1) { + tlsoptions.secureProtocol = 'TLSv1_method'; + } else { + tlsoptions.minVersion = 'TLSv1'; + } const tlsock = new TLSSocket(ser, tlsoptions); tlsock.on('error', function (err) { Debug(1, "CIRA TLS Connection Error ", err); }); tlsock.on('secureConnect', function () { Debug(2, "CIRA Secure TLS Connection"); ws._socket.resume(); }); @@ -228,8 +232,12 @@ module.exports.CreateAmtRedirect = function (module, domain, user, webserver, me obj.forwardclient.setEncoding('binary'); } else { // If TLS is going to be used, setup a TLS socket - var tlsoptions = { minVersion: 'TLSv1', ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (obj.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; } + var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (obj.tls1only == 1) { + tlsoptions.secureProtocol = 'TLSv1_method'; + } else { + tlsoptions.minVersion = 'TLSv1'; + } obj.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () { // The TLS connection method is the same as TCP, but located a bit differently. Debug(2, 'TLS Intel AMT transport connected to ' + node.host + ':' + port + '.'); diff --git a/amt/amt-wsman-comm.js b/amt/amt-wsman-comm.js index c6e38ae8..7cba962b 100644 --- a/amt/amt-wsman-comm.js +++ b/amt/amt-wsman-comm.js @@ -236,8 +236,12 @@ var CreateWsmanComm = function (host, port, user, pass, tls, tlsoptions, mpsConn if (state == 0) { obj.xxOnSocketClosed(); } if (state == 2) { // TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF - var options = { minVersion: 'TLSv1', socket: ser, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE | obj.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (obj.xtlsMethod == 1) { options.secureProtocol = 'TLSv1_method'; } + var options = { socket: ser, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE | obj.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (obj.xtlsMethod == 1) { + options.secureProtocol = 'TLSv1_method'; + } else { + options.minVersion = 'TLSv1'; + } if (obj.xtlsoptions) { if (obj.xtlsoptions.ca) { options.ca = obj.xtlsoptions.ca; } if (obj.xtlsoptions.cert) { options.cert = obj.xtlsoptions.cert; } @@ -274,8 +278,12 @@ var CreateWsmanComm = function (host, port, user, pass, tls, tlsoptions, mpsConn obj.socket.connect(obj.port, obj.host, obj.xxOnSocketConnected); } else { // Direct connect with TLS - var options = { minVersion: 'TLSv1', ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE | obj.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (obj.xtlsMethod != 0) { options.secureProtocol = 'TLSv1_method'; } + var options = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: obj.constants.SSL_OP_NO_SSLv2 | obj.constants.SSL_OP_NO_SSLv3 | obj.constants.SSL_OP_NO_COMPRESSION | obj.constants.SSL_OP_CIPHER_SERVER_PREFERENCE | obj.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (obj.xtlsMethod == 1) { + options.secureProtocol = 'TLSv1_method'; + } else { + options.minVersion = 'TLSv1'; + } if (obj.xtlsoptions) { if (obj.xtlsoptions.ca) { options.ca = obj.xtlsoptions.ca; } if (obj.xtlsoptions.cert) { options.cert = obj.xtlsoptions.cert; } diff --git a/amtscanner.js b/amtscanner.js index dcd0122a..ae558f8a 100644 --- a/amtscanner.js +++ b/amtscanner.js @@ -387,8 +387,12 @@ module.exports.CreateAmtScanner = function (parent) { } else { // Connect using TLS, we will switch from default TLS to TLS1-only and back if we get a connection error to support older Intel AMT. if (scaninfo.tlsoption == null) { scaninfo.tlsoption = 0; } - const tlsOptions = { minVersion: 'TLSv1', rejectUnauthorized: false, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }; - // if (scaninfo.tlsoption == 1) { tlsOptions.secureProtocol = 'TLSv1_method'; } + const tlsOptions = { rejectUnauthorized: false, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION }; + if (scaninfo.tlsoption == 1) { + tlsOptions.secureProtocol = 'TLSv1_method'; + } else { + tlsOptions.minVersion = 'TLSv1'; + } client = obj.tls.connect(port, host, tlsOptions, function () { this.write('GET / HTTP/1.1\r\nhost: ' + host + '\r\n\r\n'); }); } client.scaninfo = scaninfo; diff --git a/webserver.js b/webserver.js index 61f7178b..6b0d5d22 100644 --- a/webserver.js +++ b/webserver.js @@ -4854,8 +4854,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF if (state == 0) { try { ws.close(); } catch (e) { } } if (state == 2) { // TLSSocket to encapsulate TLS communication, which then tunneled via SerialTunnel an then wrapped through CIRA APF - const tlsoptions = { minVersion: 'TLSv1', socket: ser, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; } + const tlsoptions = { socket: ser, ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (req.query.tls1only == 1) { + tlsoptions.secureProtocol = 'TLSv1_method'; + } else { + tlsoptions.minVersion = 'TLSv1'; + } var tlsock = obj.tls.connect(tlsoptions, function () { parent.debug('webrelay', "CIRA Secure TLS Connection"); ws._socket.resume(); }); tlsock.chnl = chnl; tlsock.setEncoding('binary'); @@ -5177,8 +5181,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF ws._socket.resume(); } else { // If TLS is going to be used, setup a TLS socket - var tlsoptions = { minVersion: 'TLSv1', ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; - // if (req.query.tls1only == 1) { tlsoptions.secureProtocol = 'TLSv1_method'; } + var tlsoptions = { ciphers: 'RSA+AES:!aNULL:!MD5:!DSS', secureOptions: constants.SSL_OP_NO_SSLv2 | constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_COMPRESSION | constants.SSL_OP_CIPHER_SERVER_PREFERENCE | constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, rejectUnauthorized: false }; + if (req.query.tls1only == 1) { + tlsoptions.secureProtocol = 'TLSv1_method'; + } else { + tlsoptions.minVersion = 'TLSv1'; + } ws.forwardclient = obj.tls.connect(port, node.host, tlsoptions, function () { // The TLS connection method is the same as TCP, but located a bit differently. parent.debug('webrelay', user.name + ' - TLS connected to ' + node.host + ':' + port + '.');