We have deployed over 100 LPWAN gateways with RUT955 routers for out-of-band remote access in case of unexpected downtime.
The latest firmware of these gateways requires TLS1.3 for all connections. Since then the connection via RMS to the web UI of the gateways (https / 443) no longer works and fails with a 502 Bad Gateway error.
I did some testing and found that the RMS connection via the router does not negotiate a TLS1.3 connection. For testing I used a reverse proxy (mitmproxy / mitmdump) on port 8088 that forwards to the internal https port 8443. Normal traffic to 443 is usually forwarded to 8443 with iptables DNAT rules.
I can also provide the diagnostic log file, but at first glance it didn't really show the issue.
mitmdump settings:
--ssl-insecure is used due to the self-signed certificate on my test gateway and has nothing to do with the RMS connection
--set flow_detail=1 sets the logging verbosity
--set tls_version_client_min=TLS1_3 enforces TLS1.3
192.168.1.1 is the router, 192.168.1.195 is the gateway
mitmdump -p 8088 --mode reverse:https://192.168.1.195:8443 --ssl-insecure --set flow_detail=1 --set tls_version_client_min=TLS1_3
Proxy server listening at *:8088
192.168.1.1:53652: client connect
192.168.1.1:53652: server connect 192.168.1.195:8443
192.168.1.1:53652: client disconnect
192.168.1.1:53652: server disconnect 192.168.1.195:8443
192.168.1.1:50084: client connect
192.168.1.1:50084: server connect 192.168.1.195:8443
**192.168.1.1:50084: Client TLS handshake failed. Client and mitmproxy cannot agree on a TLS version to use. You may need to adjust mitmproxy's tls_version_client_min option.**
192.168.1.1:50084: client disconnect
192.168.1.1:50084: server disconnect 192.168.1.195:8443
Setting tls_version_client_min=TLS1_2 works, as the connection between RMS and my reverse proxy now uses TLS 1.2:
mitmdump -p 8088 --mode reverse:https://192.168.1.195:8443 --ssl-insecure --set flow_detail=1 --set tls_version_client_min=TLS1_2
Proxy server listening at *:8088
192.168.1.1:39476: client connect
192.168.1.1:39476: server connect 192.168.1.195:8443
192.168.1.1:39476: client disconnect
192.168.1.1:39476: server disconnect 192.168.1.195:8443
192.168.1.1:33966: client connect
192.168.1.1:33966: server connect 192.168.1.195:8443
192.168.1.1:33966: GET https://192.168.1.195:8443/
<< 200 OK 4.1k
192.168.1.1:33966: server disconnect 192.168.1.195:8443
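The "cannot agree on a TLS version" failure in the first log is the proxy, acting as the TLS server with a TLS 1.3 minimum, rejecting a ClientHello that offers nothing above TLS 1.2. The Python example below is an added illustration and is not part of the original post, of mitmproxy or of RMS: it builds constructed ClientHello records, parses the supported_versions extension (RFC 8446 section 4.2.1) to list the versions a client actually offers, and shows what a server with a minimum-version policy would select. The zeroed random, the cipher suite list and the record builder are constructed for the demonstration; the parser itself works on a raw ClientHello record taken from a packet capture.

```python
"""Inspect which TLS versions a ClientHello offers and what a server with a
minimum-version policy would negotiate.  Added example, not code from the post."""
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # extension type 43, RFC 8446 4.2.1


def build_client_hello(offered, cipher_suites=(0x1301, 0xC02F)):
    """Construct a minimal ClientHello record (constructed sample data).

    `offered` lists the versions for the supported_versions extension; an empty
    list models a TLS 1.2-only client, which predates that extension and only
    advertises legacy_version = 0x0303."""
    body = struct.pack("!H", 0x0303)                     # legacy_version (always 1.2 per RFC 8446)
    body += bytes(32)                                    # random: zeroed, constructed
    body += b"\x00"                                      # empty legacy_session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                  # compression: null only
    exts = b""
    if offered:
        versions = b"".join(struct.pack("!H", v) for v in offered)
        ext_data = bytes([len(versions)]) + versions     # 1-byte length prefix in ClientHello
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version, cipher suites and supported_versions from a TLS record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                        # skip random
    pos += 1 + body[pos]                                 # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression methods
    supported = []
    if pos < len(body):                                  # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy, "cipher_suites": suites, "supported_versions": supported}


def offered_versions(record):
    """Versions the client is willing to speak: the extension if present, else legacy_version."""
    info = parse_client_hello(record)
    return info["supported_versions"] or [info["legacy_version"]]


def select_version(record, server_min, server_max=0x0304):
    """Mirror a server's policy (like mitmproxy's tls_version_client_min):
    pick the highest offered version inside [server_min, server_max], or None."""
    acceptable = [v for v in offered_versions(record) if server_min <= v <= server_max]
    return max(acceptable) if acceptable else None


if __name__ == "__main__":
    legacy_client = build_client_hello([])                 # behaves like the failing log
    modern_client = build_client_hello([0x0304, 0x0303])
    for label, hello in (("1.2-only client", legacy_client), ("1.3-capable client", modern_client)):
        offered = ", ".join(TLS_NAMES[v] for v in offered_versions(hello))
        chosen = select_version(hello, server_min=0x0304)
        print(f"{label}: offers {offered}; server min TLS 1.3 selects "
              f"{TLS_NAMES.get(chosen, 'nothing (handshake fails)')}")
```

Run against the record from a capture of the RMS-to-router leg, the script answers the question the mitmdump log only implies: whether the client ever offers TLS 1.3. If supported_versions is absent or lists only 0x0303, no server-side minimum of TLS 1.3 can succeed, which is exactly the behaviour seen when the proxy is set to TLS1_3 and cured when it is lowered to TLS1_2.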