Intel AMT 11 TLS 1.1 wont connect #4782

Closed
thermionic opened this issue Nov 17, 2022 · 3 comments · Fixed by #5683
@thermionic
Contributor

Describe your issue

Writing this more to record it than anything else.

Unable to connect to MeshCentral on Ubuntu 20.04 with AMT 11.8.55.3510 or older, which from https://www.intel.co.uk/content/www/uk/en/support/articles/000038773/technologies/intel-active-management-technology-intel-amt.html looked like it might be the TLS version.

I tested with openssl s_client -connect MeshCentralHost:4433 -tls1_1 and got no response (testing with tls1_2 got a response).

After finding https://meshcentral-community.com/doku.php?id=howto:installation:manual:ubuntu:2004 which did not work, also found https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level which had the key part of
MinProtocol = TLSv1.2
Which I extrapolated from and changed to
MinProtocol = TLSv1.1

With the change in place openssl s_client -connect MeshCentralHost:4433 -tls1_1 connects, and the HP Z420 I was testing with has automatically connected.

I do not know yet why, but it also enabled TLS 1.

Instructions for Ubuntu 20.04

Edit /etc/ssl/openssl.cnf

At the top of the file add
openssl_conf = tls1_1_conf

At the bottom of the file add

[ tls1_1_conf ]
ssl_conf = ssl_sect
[ ssl_sect ]
system_default = system_default_sect
[ system_default_sect ]
MinProtocol = TLSv1.1
CipherString = DEFAULT:@SECLEVEL=1

Restart MeshCentral

If I get the time I will edit https://github.com/Ylianst/MeshCentral/blob/master/docs/docs/install/install2.md but the document is huge and IMHO should be split up into several documents at least at the base OS level.

@thermionic thermionic added the bug label Nov 17, 2022
@thermionic thermionic changed the title Documentation Issue for Ubuntu 20.04 Documentation Issue for MeshCentral running on Ubuntu 20.04 Nov 20, 2022
@silversword411
Contributor

Yeah the first big push on docs was just getting the pdf into markdown which I did.

Still needs hours of cleanup, spell checking, formatting etc.

There's been new pages added...but before you consider splitting stuff..reading the entire doc to get an idea what's there would be a good idea. I've done that, and it's difficult to figure out where/how to cut down the biggest pages into more manageable parts. And if/when you do there is going to be re-title leveling, and other stuff.

I've been percolating on it, but haven't found a path yet.

@thermionic
Contributor Author

@silversword411 starting from PDF is always "fun"

Agreed, it will need a lot of work to split up, but the benefits are huge, each doc becomes manageable, which then makes it simpler for people to do a PR instead of posting "updates", the Ubuntu 20.04 can start off as a copy of the 18.04 and then be updated etc.

I've spent the past few weeks looking at it, and then finding something else to do...

As a first "draft" of splitting it up, I'll probably drop it into my internal xwiki (copy and paste with pictures, much simpler than playing with markdown) see how many pages I end up with, and then see how I get on converting to markdown (probably very badly...)

@si458
Collaborator

si458 commented Jan 10, 2024

PR to fix this issue for you!
Basically the latest nodejs/OS's updated their openssl which sets the default seclevel=2 to only support tls 1.2,
which in turn affects AMTs below 12, https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Ftransportlayersecurity.htm
so we just set the seclevel to allow ALL to fix the issue!

@si458 si458 changed the title Documentation Issue for MeshCentral running on Ubuntu 20.04 Intel AMT 11 TLS 1.1 wont connect Jan 10, 2024