The server requires an encryption mode that is not supported by this client.



  • Hi,
    I am currently using the 5.8.2 Inedo agent to talk to Azure Windows 2016 servers.
    I am getting the error below while trying to establish a connection with the server via the Inedo agent.

    Inedo.Agents.AgentConnectionException: The server requires an encryption mode that is not supported by this client.
    at Inedo.Agents.ServerConnection.<SendHandshakeAsync>d__11.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Inedo.Agents.InedoAgentClientBase.<ConnectAsync>d__18.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Inedo.BuildMaster.Windows.ServiceApplication.AgentUpdater.<CheckAgentAsync>d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at Inedo.BuildMaster.Windows.ServiceApplication.AgentUpdater.<CheckServerAsync>d__10.MoveNext()

    Product: BuildMaster
    Version: 5.8.2


  • inedo-engineer

    Hi Jingesh,

    What encryption type are you using on the agent? SSL or AES?

    Thanks,
    Jason



  • Hello,

    I have the same problem. I use Otter+ProGet and InedoAgent on remote machine. The disk is not encrypted and I'm using AES.


  • inedo-engineer

    If you're getting the same error, then it implies an AES key mismatch.

    The server and client must share the same key; the agent's key is specified in a configuration file, and the BuildMaster/Otter key is specified in the server properties (Servers page).



  • Is there any other possibility? I've reinstalled Inedo Agent and copied the key that is provided at the end of the installation to the server properties page of Otter, and I'm still getting that.


  • inedo-engineer

    I looked into this further; an AES key mismatch is a different error.

    So far as we can tell, this error only happens if BM/OT is configured to use "no encryption", but the agent server is configured to use AES. Can you go to Admin > Export Infrastructure and see if the expected AES keys are being exported in the JSON?



  • Yes, I have "encryptionType": "aes" and "encryptionKey" is the same as in server settings.


  • inedo-engineer

    Hello;

    So, in this case, it sounds like the Agent is not configured.

    There is only one place in our codebase where that message is thrown, and it's in this case:

    else if (mode != AgentEncryptionMode.None)
    {
        throw new AgentConnectionException(AgentConnectionError.BadHandshake, "The server requires an encryption mode that is not supported by this client.");
    }
    

    The only way for mode to be set to None is if the Agent is configured with no encryption. So, I recommend editing the configuration file, or deleting the agent and configuration file and reinstalling using that AES key.



  • This is my InedoAgent configuration file:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <appSettings>
    <add key="Otter.RootPath" value="C:\ProgramData\InedoAgent\Otter" />
    <add key="BuildMaster.RootPath" value="C:\ProgramData\InedoAgent\BuildMaster" />
    <add key="Hedgehog.RootPath" value="C:\ProgramData\InedoAgent\Hedgehog" />
    <add key="Port" value="46336" />
    <add key="ServiceName" value="INEDOAGENTSVC" />
    <add key="Encryption" value="aes" />
    <add key="EncryptionKey" value="hunter2" (*) />
    </appSettings>
    <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />
    </startup>
    </configuration>

    This is the configuration of that server in Otter:

    {
      "active": true,
      "environments": [],
      "roles": [
        "Role1" (*)
      ],
      "serverType": "windows",
      "hostName": "1.1.1.1" (*),
      "port": 46336,
      "encryptionType": "aes",
      "encryptionKey": "hunter2" (*),
      "drift": "reportOnly",
      "name": "Name1" (*),
      "variables": {
        "vServerConfigured": "true"
      } (*)
    },
    

    (I've replaced or deleted some personal information and marked it with (*), but I've checked that the passwords match.)
    I'm sorry for being a pain in the ass with this case, but these configurations still result in the error message above. Your code snippet shows that the error message is thrown when Agent is configured with encryption other than None, which matches my configuration, but what was the condition that else is part of and which leads here? Can you please look into it again?


  • inedo-engineer

    Nice password ;)

    Did you try restarting the agent service (inedo.agent.exe)?

    I looked again (feel free to request access as well), and compared this against the messaging protocol that we use. The error is happening during the handshake.

    Now I'm starting to think that Otter isn't actually connecting to the Inedo Agent... but that other thing is sending back a different response? Normally the other thing would just disconnect, but I guess maybe not? Anyways Wireshark should tell you...

    Here's the full handshake, where you can see that Otter assumes the first byte received is a valid encryption mode (0,1,2).

        internal async Task SendHandshakeAsync(AgentEndpoint endpoint)
        {
            if (this.disposed)
                throw new ObjectDisposedException(nameof(ServerConnection));
    
            var buffer = new MemoryStream();
            var writer = new BinaryWriter(buffer);
            writer.Write(ProtocolGuid.ToByteArray());
            writer.Write(AgentProtocolVerisons.Agent1);
            writer.Write(AgentProtocolVerisons.Agent2);
    
            try
            {
                var initialIV = new byte[16];
    
                using (var cts = new CancellationTokenSource(30 * 1000))
                {
                    await this.Stream.WriteAsync(buffer.GetBuffer(), 0, (int)buffer.Length, cts.Token).ConfigureAwait(false);
                    await this.Stream.FlushAsync(cts.Token).ConfigureAwait(false);
    
                    var mode = (AgentEncryptionMode)this.Stream.ReadByte();
                    if (mode == AgentEncryptionMode.Ssl)
                    {
                        var stream = new SslStream(this.Stream, false);
                        try
                        {
                            await stream.AuthenticateAsClientAsync(endpoint.HostName).ConfigureAwait(false);
                        }
                        catch (Exception ex)
                        {
                            throw new AgentConnectionException(AgentConnectionError.BadCertificate, ex.Message, ex);
                        }
    
                        this.Stream = stream;
                    }
                    else if (mode == AgentEncryptionMode.Aes)
                    {
                        if (endpoint.EncryptionKey == null)
                            throw new AgentConnectionException(AgentConnectionError.BadEncryptionKey, "The server requires an encryption key, but a key has not been configured.");
    
                        int count = await this.Stream.ReadBlockAsync(initialIV, 0, 16).ConfigureAwait(false);
                        if (count != 16)
                            throw new AgentConnectionException(AgentConnectionError.BadHandshake);
    
                        this.messageFormatter = new MessageFormatter.AesMessageFormatter(endpoint.EncryptionKey, initialIV);
                    }
                    else if (mode != AgentEncryptionMode.None)
                    {
                        throw new AgentConnectionException(AgentConnectionError.BadHandshake, "The server requires an encryption mode that is not supported by this client.");
                    }
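
The handshake quoted in the last post casts the result of `Stream.ReadByte()` straight to the encryption mode, and `ReadByte()` returns -1 at end of stream, so a peer that closes the socket or a different service answering on the port ends in the same "encryption mode that is not supported" error. The following is an added example, not Inedo code, that triages the first reply bytes from a packet capture; it assumes only that the valid mode bytes are 0, 1 and 2 as stated in the post, and the function names and sample payloads are constructed for illustration.

```python
# Added example (not Inedo code): triage the bytes a peer sends back after the
# client hello, following the branch order of the handshake quoted in the thread.
# Assumption: valid mode bytes are 0, 1 and 2, as the post says. Which value
# means None, AES or SSL is not given on the page, so they are not named here.
VALID_MODES = {0, 1, 2}


def read_byte(payload: bytes) -> int:
    """Mimic .NET Stream.ReadByte(): the next byte, or -1 at end of stream."""
    return payload[0] if payload else -1


def triage_handshake_reply(payload: bytes) -> str:
    """Classify the peer's reply the way the quoted client would encounter it."""
    first = read_byte(payload)
    if first == -1:
        # The peer accepted the TCP connection, then closed without replying.
        # -1 is not a known mode, so the client raises the "not supported" error.
        return "eof: peer closed without sending a mode byte"
    if first in VALID_MODES:
        rest = len(payload) - 1
        return f"mode byte {first}: plausible agent reply, {rest} byte(s) follow"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in payload[:16]):
        # Printable ASCII at offset 0 points to a text protocol on that port.
        preview = payload[:16].decode("ascii").strip()
        return f"not an agent: text reply starting {preview!r}"
    return f"not an agent: unexpected first byte 0x{first:02x}"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "closed": b"",
    "mode+16": bytes([1]) + bytes(16),  # a mode byte plus 16 more bytes
    "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "binary": bytes([0x15, 0x03, 0x03, 0x00, 0x02]),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} -> {triage_handshake_reply(payload)}")
```

Paste the first bytes of the server-to-client stream from the capture into `triage_handshake_reply` to see which branch the client would have taken.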
