Horgster
New Contributor I
852 Views

Intel SCS - Intel(R) AMT connection error 0xc000521f: An SSL error occurred.


Hi!

When using PKI provisioning against Intel AMT 9.1.43.3000 devices we get this error:
ACU Configurator, Category: Exit Source: c:\buildagent\work\b66b95229891d8f9\products\scs\components\acu\src\activatormain.cpp : configurator::LogAndExit Line: 227: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

 

If we perform same PKI provisioning to Intel AMT 11.x devices, the provisioning works perfect!

0. PKI Provisioning is run with this command:

ACUConfig.exe /verbose configViaRCSOnly servername.fqdn Test /WMIUser username@fqdn /WMIUserPassword Password

1. We are using an internal Microsoft CA, and have created the Intel AMT Provisioning Certificate with the correct AMT OID and Server Auth OID.


2. The RCS Service is running in NetworkService and the AMT Provisioning Certificate is uploaded correctly to the certificate store of NetworkService.

2a) The certificate chain is OK and the certificate contains the private key, the AMT OID and the Server Auth OID

2b)Certificate details: CN=FQDN of machine

2c) Certificate details: Subject Alternate Name = DNS=FQDN of machine


3. The trusted Root CA HASH is registered manually and correctly in the MBEX of Intel AMT 9.x device.

4. The TLS DNS PKI Suffix is registered correctly matching the domain for the AMT certificate and the DHCP Option 15 (DNS Suffix).

5. The machine with Intel AMT 9 has "Intel Management Engine Software 11.7.0.1068" installed

6. Windows Firewall is opened for TCP/UDP 16992, 16993 (was not needed for Intel AMT 11 devices)

7. Intel SCS running latest version 12.x

8. Intel SCS running only with TLS 1.1 and TLS 1.2

9. Intel SCS is running on Windows Server 2019 in Database mode

During the provisioning I can see from the logs that it successfully completes the partial provisioning but fails with the above error.

What is going on here? Please 

Thanks for your kind help!
Best Regards
Horgster

 


Accepted Solutions
Horgster
New Contributor I
495 Views

Hi!

Let me fill in with more details and correct information about this case.

It happens to be, that our manufacturer of the hardware has disabled TLS support in Intel AMT by mistake. To verify if your Intel AMT does support TLS or not, simply run this command:

ACUConfig.exe systemdiscovery

The utility will generate an XML file in the root directory of the tool.

Open the XML file and verify the "isTLSSupported" flag.

If isTLSSupported = false, then Intel AMT can't be provisioned with TLS
If isTLSSupported = true, then Intel AMT can be provisioned with TLS

You must have Intel Management Engine Software installed on the device in order to export this data.


isTLSSupported = true is the default setting that all corporate OEM manufacturers shall have set during fabrication of the device, unless the equipment is to be exported outside the USA/EU to countries that are on a blacklist for export of cryptography. Contact your manufacturer if you happen to have such devices.

The setting is irreversible. 


14 Replies
IntelSupport
Community Manager
826 Views

Hello Horgster,


Thank you for posting your question on this Intel® Community.


Please allow us to review the information and logs provided. We will update this thread as soon as possible.


While we review the logs attached to this thread, please provide us with the following details:

  • How many devices are being affected by this issue?
  • Did it occur before?


Wanner G.

Intel Customer Support Technician


Horgster
New Contributor I
815 Views

Hi @IntelSupport 

 

This happens consistently on all our 800 Intel AMT devices running version 9.1.43.3004.

On all of our Intel AMT 11.x devices, it works perfectly.

If I enter the Intel MBEx BIOS and enable "Active Network Access" then we get this error message:
2021-01-20 11:21:00: Thread:2776(ERROR) : WMI Protocol, Category: ConfigAMT Source: c:\buildagent\work\b66b95229891d8f9\products\scs\components\rcsserver\methodcalldata.h : SCS_WMI::WMICallDetails::SendErrorReport Line: 92: Finished operation with Error. (0xc0001c89). Final status of Intel(R) AMT is unknown because a failure occurred when configuring the system. (0xc000271b). Aborting configuration because the profile contains TLS settings but Cryptography is disabled on the system. (0xc00007da).

So what is going on here? 

Horgster
New Contributor I
801 Views

Hi!

I am afraid that the issue we are facing here with the Intel AMT 9 devices is that these devices only support TLS 1.0?

So when Intel SCS running on Windows Server 2019 tries to test the connection to Intel AMT 9 devices, the SSL connection fails due to TLS 1.0. I have tested the recommendation here with no success:

https://www.intel.com/content/www/us/en/support/articles/000038773/technologies/intel-active-managem...

 

 

Your assistance is highly needed.

Best Regards
Horgster

IntelSupport
Community Manager
764 Views

Hello Horgster,


Thank you for providing additional details about your Intel® AMT environment.


We are currently reviewing the information provided to help you as soon as possible. We will update this thread soon.


Wanner G.

Intel Customer Support Technician


IntelSupport
Community Manager
756 Views

Hello Horgster,


The reason for the configuration failures is that Intel® AMT 9.1.43.3000 only supports TLS 1.0; TLS 1.1 support came in 9.1.45.3000.


It is still possible for you to configure these computers into Admin Control Mode (ACM), but that will require you to modify each device (MEBx or USB Key configuration), and you would still be limited to TLS 1.0.


Based on the information provided, the Original Equipment Manufacturer (OEM) may have released another Intel® AMT firmware update for these 800 computers after the firmware version 9.1.43.3000. If it is not listed on the OEM’s site, our recommendation is that you open a support case to see if a newer firmware version is available.


Wanner G.

Intel Customer Support Technician


Horgster
New Contributor I
739 Views

Hi @IntelSupport 

Thank you for this update!
Are you able to provide us with the following:

1. The latest Firmware version of Intel MBEx that we can expect to get for Intel AMT 9?

2. The changelog of Intel AMT 9 FW

3. What ciphers and key exchange algorithms does the latest Intel AMT 9.x firmware support?

We do see on a computer that has 9.1.45.3000 that Internet Explorer refuses to open the HTTPS site of the Intel AMT web interface at https://computername:16993

See the attached screenshot, which clearly shows a TLS 1.1 cipher issue on a Windows 10 machine.
Therefore it is important to know which ciphers / key exchange algorithms are used by the Intel AMT firmware, so that we can install Intel SCS on a Windows Server that supports them.

Thanks for your kind answer!
Best Regards
Horgster

IntelSupport
Community Manager
712 Views

Hello Horgster,


We are currently reviewing the information provided. 


We will update this thread soon.


Wanner G.

Intel Customer Support Technician


Horgster
New Contributor I
704 Views

Hi @IntelSupport 

 

After upgrading to Intel Management Engine MBEx version 9.1.45.3000 that includes TLS 1.1 support, we do have the same error and problem.

This tells me that this firmware uses old, insecure PKI ciphers that have been removed from all modern operating systems. I have tried to provision this device with Intel SCS installed on Windows Server 2019 and Windows Server 2016 (TLS 1.0, 1.1 and 1.2 are enabled) with no luck.

Does there exist any newer version?

Cheers
Horgster

 

Horgster
New Contributor I
694 Views

Hi @IntelSupport 

 

We just ran a PKI SSL cipher scan on the Intel AMT device running Intel ME 9.1.45.3000.
The Intel AMT device in this version provides TLS 1.1, but we see that it uses "NULL CIPHERS"!

This is the reason why it doesn't work, as this cipher is END OF LIFE in all Windows operating systems!

Is there any newer firmware that includes better and newer ciphers?

We cannot accept having to dispose of / throw away 900 functional computers just to get the Intel AMT 9 version to work. Please assist us and provide firmware that includes ciphers that are not end of life!


Here is the result of the PKI SSL cipher scan:

###########################################################

    testssl.sh       3.0 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.0.2g  1 Mar 2016" [~104 ciphers]
on tshark-ixia:/usr/bin/openssl
(built: "reproducible build, date unspecified", platform: "debian-amd64")

Start 2021-01-22 09:54:28        -->> 10.178.213.29:16993 (10.178.213.29) <<--

rDNS (10.178.213.29):   --
 Your OpenSSL cannot connect to 10.178.213.29:16993
The results might look ok but they could be nonsense. Really proceed ? ("yes" to continue) --> yes
Service detected:       Couldn't determine what's running on port 16993, assuming no HTTP service => skipping all HTTP checks

Testing protocols via sockets except NPN+ALPN

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    offered (deprecated)
TLS 1.2    not offered and downgraded to a weaker protocol
TLS 1.3    not offered -- connection failed rather than downgrading to TLSv1.1
NPN/SPDY   not offered
ALPN/HTTP2 not offered

Testing cipher categories

NULL ciphers (no encryption)                  offered (NOT ok)
Anonymous NULL Ciphers (no authentication)    not offered (OK)
Export ciphers (w/o ADH+NULL)                 not offered (OK)
LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
Triple DES Ciphers / IDEA                     not offered
Obsolete: SEED + 128+256 Bit CBC cipher       not offered
Strong encryption (AEAD ciphers)              not offered

Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

No ciphers supporting Forward Secrecy offered

Testing server preferences

Has server cipher order?     Handshake error!no matching cipher in this list found (pls report this): DHE-RSA-SEED-SHA:SEED-SHA:DES-CBC3-SHA:RC4-MD5:RC4-SHA:AES128-SHA:AES128-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:ADH-AES256-GCM-SHA384:AECDH-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA  .

 

Testing server defaults (Server Hello)

TLS extensions (standard)    (none)
Session Ticket RFC 5077 hint no -- no lifetime advertised
SSL Session ID support       yes
Session Resumption           Tickets no, ID resumption test failed
TLS clock skew               Random values, no fingerprinting possible
Signature Algorithm          SHA256 with RSA
Server key size              RSA 2047 bits
Server key usage             Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
Server extended key usage    TLS Web Server Authentication
Serial / Fingerprints        031379 / SHA1 E06F63E196D78FEFDE4DFEC0E3A3D402356C6996

                              SHA256 A64BD7DACF76C94488801F1F781530B613BEB36997DA726B910688C8FC78EC47

Common Name (CN)             GM-L02-W9846.lok.avinor.no
 subjectAltName (SAN)         missing -- no SAN is deprecated
Issuer                       Test Root (Avinor from NO)
Trust (hostname)             certificate does not match supplied URI
Chain of trust               NOT ok (self signed CA in chain)
EV cert (experimental)       no
ETS/"eTLS", visibility info  not present
Certificate Validity (UTC)   10569 >= 60 days (2018-01-01 00:00 --> 2049-12-31 00:00)
                              >= 10 years is way too long
# of certificates provided   2
Certificate Revocation List  --
OCSP URI                     --
                              NOT ok -- neither CRL nor OCSP URI provided
OCSP stapling                not offered
OCSP must staple extension   --
DNS CAA RR (experimental)    not offered
Certificate Transparency     N/A

Testing vulnerabilities

Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
CCS (CVE-2014-0224)                       not vulnerable (OK)
Ticketbleed (CVE-2016-9244), experiment.  --   (applicable only for HTTPS)
ROBOT                                     Fixme: Conversion of public key failed around line 16630
Secure Renegotiation (RFC 5746)           OpenSSL handshake didn't succeed
Secure Client-Initiated Renegotiation     not vulnerable (OK)
CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
TLS_FALLBACK_SCSV (RFC 7507)              No fallback possible, no protocol below TLS 1.1 offered (OK)
SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
FREAK (CVE-2015-0204)                     not vulnerable (OK)
DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=A64BD7DACF76C94488801F1F781530B613BEB36997DA726B910688C8FC78EC47 could help you to find out

LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)



Please help!
Cheers
Horgster

 

IntelSupport
Community Manager
658 Views

Hello Horgster,


Thank you for your detailed response. 


Please allow us to review this information to better assist you as soon as possible.


Wanner G.

Intel Customer Support Technician


Horgster
New Contributor I
607 Views

Hi @IntelSupport 

Do you have any updates for us?

It would be great if Intel could confirm which cipher suites we should expect to see on Intel AMT 9.1.45.3000 devices.

Since we only see the "TLS_RSA_WITH_NULL_SHA" cipher, does that mean the device is limited by U.S. export regulation and Intel AMT is configured with CRYPTO_ENA = FALSE in the machine SKU?

Should we expect to see following ciphers for Intel AMT 9.1.45.3000 devices?
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA

Please confirm!
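As an added illustration (not from the thread or from Intel): a small classifier for the IANA suite names quoted above, showing why a device that only offers TLS_RSA_WITH_NULL_SHA cannot complete a handshake with a client that refuses NULL encryption. The name pattern and the "usable" rule are this example's own assumptions.

```python
import re
from typing import Dict, List

# IANA suite names have the form TLS_<key exchange>_WITH_<cipher>_<MAC/PRF>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<enc>.+)_(?P<mac>SHA\d*|MD5)$")


def classify_suite(name: str) -> Dict[str, object]:
    """Split a suite name into its parts and list the reasons it is weak, if any."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.x cipher suite name: {name}")
    kx, enc, mac = m.group("kx"), m.group("enc"), m.group("mac")
    findings: List[str] = []
    if enc == "NULL":
        findings.append("NULL encryption: records are integrity-protected but sent in clear")
    if enc.startswith("RC4"):
        findings.append("RC4: prohibited for TLS by RFC 7465")
    if enc.endswith("_CBC"):
        findings.append("CBC with HMAC: no AEAD protection")
    if not kx.startswith(("ECDHE", "DHE")):
        findings.append("static key exchange: no forward secrecy")
    if mac in ("SHA", "MD5"):
        findings.append(f"{mac}-based MAC: legacy hash")
    return {"suite": name, "kx": kx, "enc": enc, "mac": mac,
            # "usable" = actually encrypts, with a cipher that is not prohibited
            "usable": enc != "NULL" and not enc.startswith("RC4"),
            "findings": findings}


def negotiable(offered: List[str]) -> bool:
    """True if at least one offered suite is usable by a client that refuses
    NULL encryption and RC4; False means the handshake can only fail."""
    return any(classify_suite(s)["usable"] for s in offered)


# Constructed inputs, copied from the thread: what the scan found, and the
# set the poster asked whether to expect.
OBSERVED = ["TLS_RSA_WITH_NULL_SHA"]
EXPECTED = ["TLS_RSA_WITH_NULL_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for suite in EXPECTED:
        info = classify_suite(suite)
        print(suite, "usable" if info["usable"] else "unusable", info["findings"])
    print("device negotiable:", negotiable(OBSERVED))
```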

MichaelA_Intel
Moderator
510 Views

To close on this thread for the community, we met with the customer for troubleshooting and found that TLS was disabled by the OEM on the systems exhibiting the issues with AMT v.9xx.



MichaelA_Intel
Moderator
467 Views

Thank you Horgster for updating.  Just a bit more:

The configurator can be downloaded here if needed:

https://downloadcenter.intel.com/download/26505/Intel-Setup-and-Configuration-Software-Intel-SCS-

The command to run is:  ACUConfig /verbose /output console systemdiscovery

As Horgster has stated, the output file will be in .xml format and will be created in the folder that contains the acuconfig.

You can open the file with Internet Explorer and search for "IsTLSSupported":

 

[Screenshot: IsTLSSupported.png]

In this example, it shows "True" as I do not have a system with it disabled, but in the customer's case this value was "False".

Regards,
Michael
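An added example, not Intel's code or the thread's: a script that pulls the IsTLSSupported flag out of the systemdiscovery XML without depending on the rest of the schema, which the thread does not show. The sample XML is constructed; only the flag name comes from the thread.

```python
import xml.etree.ElementTree as ET
from typing import Optional

FLAG = "istlssupported"  # compared case-insensitively; the thread spells it both ways


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{urn:example}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _parse_bool(value: str) -> bool:
    v = value.strip().lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no"):
        return False
    raise ValueError(f"unrecognised boolean {value!r} for IsTLSSupported")


def find_tls_supported(xml_text: str) -> Optional[bool]:
    """Return the IsTLSSupported value, or None if the flag is absent.

    The flag is located by local name as either an element or an attribute,
    so the check does not depend on the surrounding (undocumented) schema.
    """
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag).lower() == FLAG and elem.text is not None:
            return _parse_bool(elem.text)
        for name, value in elem.attrib.items():
            if _local(name).lower() == FLAG:
                return _parse_bool(value)
    return None


def tls_provisioning_verdict(xml_text: str) -> str:
    """Map the flag to the conclusion the thread reaches."""
    flag = find_tls_supported(xml_text)
    if flag is None:
        return "flag not found: confirm Intel ME software is installed and rerun systemdiscovery"
    if flag:
        return "TLS supported: a profile with TLS settings can be applied"
    return "TLS disabled by the OEM (irreversible): profiles with TLS settings will abort"


# Constructed sample, not real ACUConfig output; the root element name is a placeholder.
SAMPLE_XML = """<?xml version="1.0"?>
<SystemDiscovery>
  <IsTLSSupported>False</IsTLSSupported>
</SystemDiscovery>"""

if __name__ == "__main__":
    print(tls_provisioning_verdict(SAMPLE_XML))
```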