Reverse proxy https for ipmi host

1. The problem I’m having:

Hello everyone. I need to set up IPMI access to a server (I don’t have physical access to it, and I cannot modify its configuration) using a domain. The only information I have is its IP, and it’s in the same network as Caddy.

The IPMI itself has a self-signed certificate (other information can be seen in the curl logs), so I initially wanted to use tls_insecure_skip_verify (as I did in Proxmox) to solve my issue, but it didn’t work.

The problem: Caddy returns a 502 error (details in the logs), and I tried the following:

  • Switching to HTTP/1
  • Changing TLS protocols
  • Changing encryption algorithms

None of these helped. However, if I access it directly using curl, it works, and I run curl inside the Caddy container.

Please help, the error “remote error: tls: handshake failure” is completely uninformative to me.

Curl to direct ip with https inside caddy docker container
❯ curl -vk https://192.168.1.62 --output - | gunzip -c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.62:443...
* Connected to 192.168.1.62 (192.168.1.62) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1055 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA / UNDEF / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=Georgia; L=Atlanta; O=American Megatrends Inc; OU=Service Processors; CN=AMI; emailAddress=support@ami.com
*  start date: Jun  1 07:01:56 2016 GMT
*  expire date: May 30 07:01:56 2026 GMT
*  issuer: C=US; ST=Georgia; L=Atlanta; O=American Megatrends Inc; OU=Service Processors; CN=AMI; emailAddress=support@ami.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
} [5 bytes data]
> GET / HTTP/1.1
> Host: 192.168.1.62
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
{ [5 bytes data]
< HTTP/1.1 200 OK
< Content-Encoding: gzip
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-store, no-cache, must-revalidate, private
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "1429461342"
< Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 603
< Date: Wed, 11 Dec 2024 17:53:55 GMT
< Server: lighttpd
<
{ [5 bytes data]
100   603  100   603    0     0   1292      0 --:--:-- --:--:-- --:--:--  1293
* Connection #0 to host 192.168.1.62 left intact
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width,initial-scale=1">

    <title>MegaRAC SPX</title>

    <!-- Application styles. -->
    <link rel="stylesheet" href="/styles.min.css">

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
    <script src="/libs/js/html5shiv.js"></script>
    <script src="/libs/js/respond.min.js"></script>
  <![endif]-->
</head>

<body>
    <!-- Processing Icon container. -->

    <div class="processing_bg_outer" id="processing_layout" style="display:none">
        <div class="processing_bg_inner"></div>
    </div>
    <div class="processing_img_outer"  id="processing_image" style="display:none">
        <div>
            <img class="processing_img_inner" src="images/loading.GIF">
        </div>
        <div class="processing_content">Processing ... </div>
    </div>
    <!-- Application container. -->
    <main role="main" id="main"></main>

    <!-- Application source. -->
    <script data-main="/app/main" src="/source.min.js"></script>
</body>

</html>#
Curl to caddy domain
❯ curl -vk https://i1.homein.de
* Host i1.homein.de:443 was resolved.
* IPv6: (none)
* IPv4: 5.166.105.184
*   Trying 5.166.105.184:443...
* Connected to i1.homein.de (5.166.105.184) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=i1.homein.de
*  start date: Dec 10 01:00:25 2024 GMT
*  expire date: Mar 10 01:00:24 2025 GMT
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://i1.homein.de/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: i1.homein.de]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: i1.homein.de
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Wed, 11 Dec 2024 17:59:39 GMT
<
* Connection #0 to host i1.homein.de left intact

2. Error messages and/or full log output:

caddy  | {"level":"info","ts":1733939764.7246702,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1733939764.7270849,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"info","ts":1733939764.7329395,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1733939764.7357655,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1733939764.736301,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["i1.homein.de"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"http","tls":{"insecure_skip_verify":true},"versions":["1"]},"upstreams":[{"dial":"192.168.1.62:443"}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["i1.homein.de"]},"cipher_suites":["TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],"protocol_min":"tls1.1","protocol_max":"tls1.2"},{}],"automatic_https":{}}}}}
caddy  | {"level":"info","ts":1733939764.739072,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1733939764.7404237,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"debug","ts":1733939764.740898,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
caddy  | {"level":"info","ts":1733939764.741236,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"warn","ts":1733939764.7413325,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"debug","ts":1733939764.741612,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1733939764.7419503,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1733939764.7420619,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1733939764.7421563,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["i1.homein.de"]}
caddy  | {"level":"debug","ts":1733939764.7427523,"logger":"tls","msg":"loading managed certificate","domain":"i1.homein.de","expiration":1741568425,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy  | {"level":"debug","ts":1733939764.743741,"logger":"tls.cache","msg":"added certificate to cache","subjects":["i1.homein.de"],"expiration":1741568425,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1733939764.7446318,"logger":"events","msg":"event","name":"cached_managed_cert","id":"634f6aaa-d95b-4fba-9757-24cc75db40ac","origin":"tls","data":{"sans":["i1.homein.de"]}}
caddy  | {"level":"info","ts":1733939764.7449584,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1733939764.7450464,"msg":"serving initial configuration"}
caddy  | {"level":"info","ts":1733939764.7474809,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000e2800"}
caddy  | {"level":"info","ts":1733939764.7529278,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"08cf7d57-20cc-41f7-8082-fc1c01ca974b","try_again":1734026164.7529256,"try_again_in":86399.99999955}
caddy  | {"level":"info","ts":1733939764.7530034,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1733939767.9077349,"logger":"events","msg":"event","name":"tls_get_certificate","id":"864f1de6-250f-4ba2-a422-8eaf108d2f0f","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"i1.homein.de","SupportedCurves":[43690,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.1.1","Port":49453,"Zone":""},"LocalAddr":{"IP":"192.168.1.102","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1733939767.907949,"logger":"tls.handshake","msg":"choosing certificate","identifier":"i1.homein.de","num_choices":1}
caddy  | {"level":"debug","ts":1733939767.9079592,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"i1.homein.de","subjects":["i1.homein.de"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d"}
caddy  | {"level":"debug","ts":1733939767.9079723,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.1.1","remote_port":"49453","subjects":["i1.homein.de"],"managed":true,"expiration":1741568425,"hash":"8be3d2f298eb61278f46f04f19d422f8832bd5f820640ac5c9442d4f1df6063d"}
caddy  | {"level":"debug","ts":1733939770.9103293,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.1.62:443","total_upstreams":1}
caddy  | {"level":"debug","ts":1733939770.9731522,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.1.62:443","duration":0.06270778,"request":{"remote_ip":"192.168.1.1","remote_port":"49453","client_ip":"192.168.1.1","proto":"HTTP/2.0","method":"GET","host":"i1.homein.de","uri":"/","headers":{"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Cache-Control":["max-age=0"],"X-Forwarded-For":["192.168.1.1"],"X-Forwarded-Proto":["https"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["ru,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Sec-Fetch-Site":["none"],"X-Forwarded-Host":["i1.homein.de"],"Sec-Fetch-Dest":["document"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"],"Priority":["u=0, i"],"Accept-Encoding":["gzip, deflate, br, zstd"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"i1.homein.de"}},"error":"remote error: tls: handshake failure"}
caddy  | {"level":"error","ts":1733939770.9733064,"logger":"http.log.error","msg":"remote error: tls: handshake failure","request":{"remote_ip":"192.168.1.1","remote_port":"49453","client_ip":"192.168.1.1","proto":"HTTP/2.0","method":"GET","host":"i1.homein.de","uri":"/","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Cache-Control":["max-age=0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["ru,en;q=0.9,en-GB;q=0.8,en-US;q=0.7"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Priority":["u=0, i"],"Sec-Fetch-Mode":["navigate"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","server_name":"i1.homein.de"}},"duration":0.062943855,"status":502,"err_id":"pmijujmrb","err_trace":"reverseproxy.statusError (reverseproxy.go:1358)"}

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

Docker compose

a. System environment:

❯ uname -a && docker -v
Linux caddy 6.6.63-0-lts #1-Alpine SMP PREEMPT_DYNAMIC Mon, 25 Nov 2024 09:44:20 +0000 x86_64 Linux
Docker version 25.0.5, build d260a54c81efcc3f00fe67dee78c94b16c2f8692

b. Command:

docker-compose up -d

c. Service/unit/compose file:

services:
  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_data:/data
      - ./caddy_config:/config
      - ./caddy_logs:/var/log/caddy

d. My complete Caddy config:

{
        debug

        log debug {
                output stdout
                format console
                include http.log.access
        }
}

i1.homein.de {
        reverse_proxy 192.168.1.62:443 {
                transport http {
                        versions 1
                        tls_insecure_skip_verify
                }
        }

        tls {
                protocols tls1.1 tls1.2 tls1.3 ssl3.0
                ciphers TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHA      
        }
}

openssl log

❯ openssl s_client -connect 192.168.1.62:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Georgia, L = Atlanta, O = American Megatrends Inc, OU = Service Processors, CN = AMI, emailAddress = support@ami.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = Georgia, L = Atlanta, O = American Megatrends Inc, OU = Service Processors, CN = AMI, emailAddress = support@ami.com
   i:C = US, ST = Georgia, L = Atlanta, O = American Megatrends Inc, OU = Service Processors, CN = AMI, emailAddress = support@ami.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  1 07:01:56 2016 GMT; NotAfter: May 30 07:01:56 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEETCCAvmgAwIBAgIJAJIEZCLJgOIGMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UEBwwHQXRsYW50YTEgMB4G
A1UECgwXQW1lcmljYW4gTWVnYXRyZW5kcyBJbmMxGzAZBgNVBAsMElNlcnZpY2Ug
UHJvY2Vzc29yczEMMAoGA1UEAwwDQU1JMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0
QGFtaS5jb20wHhcNMTYwNjAxMDcwMTU2WhcNMjYwNTMwMDcwMTU2WjCBnjELMAkG
A1UEBhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExIDAe
BgNVBAoMF0FtZXJpY2FuIE1lZ2F0cmVuZHMgSW5jMRswGQYDVQQLDBJTZXJ2aWNl
IFByb2Nlc3NvcnMxDDAKBgNVBAMMA0FNSTEeMBwGCSqGSIb3DQEJARYPc3VwcG9y
dEBhbWkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsaoMWNul
yxe/4/TniuNIvweGec6ZVSkNyhSHqr/8lkPxsItvcxEy4WdwT+9XSrtLK6H78nGT
Z/PPPGf2nCJwrQCyjJkadE+f9a0Po0DPOAsyYXQLd6IEFIR5kiSjqZB0Z2Xs3G6q
WsYg3hDnOPSf2jEZri9zVUIl3lDY6pyFB6zaSEg4Mus0maVtYbdvR5i1PiYe5nAD
Wen6tsvNPgFErka9YxNiXMlef+5CeXignVHcn6s9NRxyEcn0Lua6w9MObOTqKL+b
T5nntf+1F4dlgTQvmm3S2VMKeE45VkoAG49dNnRaBbmywxdxuh07jjzCh48FqTat
ryjosWjl9JWnnwIDAQABo1AwTjAdBgNVHQ4EFgQUW9/3yxNqAudoofi+WREfpChA
jJ4wHwYDVR0jBBgwFoAUW9/3yxNqAudoofi+WREfpChAjJ4wDAYDVR0TBAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEATcuoZuTv26+pmY+ebqv8E/qRUfGtQ+hOoN6z
PShmNiyJwjQy8if+g8zshkMMjekhVJPUp5Ydil7CfJDEjrvY2Eq5qoPHY7Mti+hB
+YPnCrHksGKlEA2QUiZbVC1nWpHKhw/J7sCrlY+jaAPJQ7rb0O8u0o7we/cqST3u
gBDhXAn10nlCn92ilgi4TQxNouY6ja4p5PujfUG64YFemqc5JKTqSJKhRXjTC6G7
bxvEtxJVJ5Xo9+KGJs4VfapEs/o627Pm8l79/wZvyvnxgRrJLdSasrAqjoYgCw59
ePkpgJyaQI3I1JJNBlKPGGsQtfOKapn+OHKRzrQyq9CdKO6eIA==
-----END CERTIFICATE-----
subject=C = US, ST = Georgia, L = Atlanta, O = American Megatrends Inc, OU = Service Processors, CN = AMI, emailAddress = support@ami.com
issuer=C = US, ST = Georgia, L = Atlanta, O = American Megatrends Inc, OU = Service Processors, CN = AMI, emailAddress = support@ami.com
---
No client certificate CA names sent
---
SSL handshake has read 1377 bytes and written 635 bytes
Verification: OK
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 2CCED3F96781A84AB58D949DE68D2F69E6B6A1614AA897895AF8A48477958FE9
    Session-ID-ctx:
    Master-Key: 7B6DA8088EAB48777F2079DB159F8E05F17A7EC6B98E5F6E1A48745B49140CDB7B534304CBC6A9F171018C329A3BABCA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5b d8 f2 27 d2 10 83 5f-59 43 45 1a 18 1f d3 a9   [..'..._YCE.....
    0010 - d5 6d 7c 5e ef 23 78 58-cd fd 6c e7 7c 06 52 28   .m|^.#xX..l.|.R(
    0020 - 0f 8a a1 00 bb 60 89 51-e3 2b 4f 03 90 3e 8d eb   .....`.Q.+O..>..
    0030 - cb 33 fa 0b 03 83 d7 b5-dd 8e 0a d5 75 2c 06 32   .3..........u,.2
    0040 - ae e9 63 d1 c8 bd bc 82-2a 7e e0 15 c0 ef e1 08   ..c.....*~......
    0050 - 7e 15 af 22 8f 28 0c ad-4b ba 35 bc 8d ea ee 2c   ~..".(..K.5....,
    0060 - ab 4f e2 03 64 f0 f9 0e-25 53 de 97 49 72 bb 90   .O..d...%S..Ir..
    0070 - 52 d8 62 cb d0 05 fa 4e-c0 52 c4 ae bb 85 6c a5   R.b....N.R....l.
    0080 - b7 7d 4c be c1 5f 37 a3-26 04 9a 63 fe 1f dc 61   .}L.._7.&..c...a
    0090 - 85 90 f1 47 17 e5 2c 60-16 5c ed 95 2f 88 d8 ca   ...G..,`.\../...

    Start Time: 1733940568
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

Hi @Home_Lab,

What version of AMI - MegaRAC do you have?
I am wondering if it is lacking proper support for the more modern cipher suites.

The self-signed certificate was issued

which is about 7.5 years old.

I’m thinking this is just a TLS (i.e. SSL) stack from that era that might need some older configuration.

All this is just a thought from me; I did do IPMI development using AMI - MegaRAC, and TLS seemed behind the times even then.

Build Date
Sep 13 2023

Build Time
21:12:55 CST

Firmware version
2.06.0

I’ve already built Caddy from source with support for all of the TLS versions, starting from 1.0; zero effect.


and I assume at least one cipher suite will match as well.

Judging by curl, TLS 1.2 is still being used

(from the log in the header)

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1055 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]

Updating the cert did not resolve the problem: still a TLS handshake error, but curl is still OK

❯ curl -vk https://192.168.1.62 --output - | gunzip -c
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.62:443...
* Connected to 192.168.1.62 (192.168.1.62) port 443
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [898 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-SHA / UNDEF / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=RU; ST=BRN; L=BRN; O=ORG; OU=OU; CN=Tim; emailAddress=my.dev@gmail.com
*  start date: Dec 11 18:50:33 2024 GMT
*  expire date: Feb 27 18:50:33 2033 GMT
*  issuer: C=RU; ST=BRN; L=BRN; O=ORG; OU=OU; CN=Tim; emailAddress=my.dev@gmail.com
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
} [5 bytes data]
> GET / HTTP/1.1
> Host: 192.168.1.62
> User-Agent: curl/8.9.1
> Accept: */*
>
* Request completely sent off
{ [5 bytes data]
< HTTP/1.1 200 OK
< Content-Encoding: gzip
< X-Frame-Options: SAMEORIGIN
< Cache-Control: no-store, no-cache, must-revalidate, private
< Pragma: no-cache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
< Accept-Ranges: bytes
< ETag: "1429461342"
< Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 603
< Date: Thu, 12 Dec 2024 13:46:07 GMT
< Server: lighttpd
<
{ [5 bytes data]
100   603  100   603    0     0   3088      0 --:--:-- --:--:-- --:--:--  3092
* Connection #0 to host 192.168.1.62 left intact
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width,initial-scale=1">

    <title>MegaRAC SPX</title>

    <!-- Application styles. -->
    <link rel="stylesheet" href="/styles.min.css">

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
    <script src="/libs/js/html5shiv.js"></script>
    <script src="/libs/js/respond.min.js"></script>
  <![endif]-->
</head>

<body>
    <!-- Processing Icon container. -->

    <div class="processing_bg_outer" id="processing_layout" style="display:none">
        <div class="processing_bg_inner"></div>
    </div>
    <div class="processing_img_outer"  id="processing_image" style="display:none">
        <div>
            <img class="processing_img_inner" src="images/loading.GIF">
        </div>
        <div class="processing_content">Processing ... </div>
    </div>
    <!-- Application container. -->
    <main role="main" id="main"></main>

    <!-- Application source. -->
    <script data-main="/app/main" src="/source.min.js"></script>
</body>

</html>#

Hi @Home_Lab,

Clearly curl supports that cipher suite; but is it enabled for Caddy?

I don’t see it here (but I have a head cold with a fever today, so my word isn’t very strong).

No worries :slight_smile:
I wrote all possible ciphers; which one do you mean to use?

Hi @Home_Lab,

Still feverish today and brain not functioning well.

Likely the AMI - MegaRAC has old (possibly very old) TLS (possibly even just SSL) encryption.

Also, IPMI itself actually doesn’t support TLS (or SSL); it does its work by default on port 623, and the cipher suite choices are weak at best.

Now, MegaRAC does often have a web interface available, and that typically supports HTTPS.

Here are some links that might help on the cipher suites

Hello, thanks for your replies.

I tested every available cipher in Caddy, but still the same error; I also built Caddy from source with ssl3.0.

All ciphers that I tried to use:

TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Any other cipher shows me the error “Unsupported cipher”.

Can you enable more cipher suites on your IPMI machine?

Hello, sorry for the late reply, work…

I think it’s impossible; I don’t see any settings about SSL version, or so on.


Hi @Home_Lab,

You might want to check with the hardware manufacturer on the supported TLS (SSL) cipher suites that they “implemented” using AMI - MegaRAC.
