Huawei HG8245W5 SSL handshake failure

Hi,

I’ve just set up genieacs within our company network, and we are having an issue with only a single device (Huawei HG8245W5). It never registers with genieacs and there’s nothing in the logs coming from the IP assigned to it. We have done extensive debugging on our side using tools like Wireshark, tcpdump and ssldump. We have found that the device does initiate communication, but apparently there’s a failure at the SSL handshake. Here’s a sample of the exchange between device and ACS:

New TCP connection #1: 172.16.16.59(36355) ↔ 21b9153213ab(7547)
1 1 0.1055 (0.1055) C>S V3.0(105) Handshake
ClientHello
Version 3.3
random[32]=
64 99 8f 51 5d 82 4c 51 e3 b8 d7 1f 49 92 60 4f
3b e5 f8 ec 6f 3f fe bc 62 85 43 cd b9 eb 5b d8
cipher suites
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
extensions
signature_algorithms
1 2 0.1148 (0.0093) S>C V3.3(2) Alert
level fatal
value handshake_failure
1 0.1197 (0.0049) C>S TCP FIN
1 0.1229 (0.0031) S>C TCP FIN

I don’t have sufficient access to the device to do something like disable HTTPS.

I originally had genieacs deployed behind HAProxy, but changed that setup to troubleshoot the problem with this Huawei. The problem remains the same. HAProxy logs were showing that there is no shared cipher even though there are shared cipher suites.

2023-06-26T10:16:58+00:00 10.1.4.12 haproxy[27]: 172.16.16.59:44253 [26/Jun/2023:10:16:58.058] proxy-http/3: SSL handshake failure (error:0A0000C1:SSL routines::no shared cipher)
2023-06-26T10:25:06+00:00 10.1.4.12 haproxy[42]: 172.16.16.59:56081 [26/Jun/2023:10:25:06.738] proxy-http/3: SSL handshake failure (error:0A0000C1:SSL routines::no shared cipher)

Any help on this will be appreciated.
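
Whether the offered list and a server's cipher list really overlap can be checked from the capture rather than by eye. The following is an added example, not code from the post, GenieACS or HAProxy: it parses the cipher-suite section of the ssldump output above, maps the IANA names ssldump prints to the OpenSSL names HAProxy and Node.js are configured with, and checks them against a server cipher list, also flagging suites that appear in both lists but cannot be selected because they need an ECDSA certificate or server DH parameters. The two server cipher lists, the RSA-certificate default and the DH-parameter flag are assumptions for illustration, not the poster's configuration.

```python
"""Check which cipher suites a CPE offers can actually be selected by a server.

Added example; not code from the forum post, GenieACS or HAProxy. The client
list is copied from the ssldump ClientHello in the post; the server cipher
lists are hypothetical. ssldump prints IANA names, OpenSSL uses its own names.
"""
import ssl

IANA_TO_OPENSSL = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "DHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256": "DHE-RSA-AES256-SHA256",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}

# Cipher-suite section of the ClientHello as ssldump printed it in the post.
SSLDUMP_CLIENT_HELLO = """\
cipher suites
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
"""

def parse_ssldump_suites(text):
    """Return the names listed between 'cipher suites' and 'compression methods'."""
    suites, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "cipher suites":
            inside = True
        elif line == "compression methods":
            break
        elif inside and line:
            suites.append(line)
    return suites

CLIENT_SUITES = parse_ssldump_suites(SSLDUMP_CLIENT_HELLO)

def negotiable(client_iana, server_openssl, cert_key="RSA", dh_params=False):
    """Return (usable, {suite: reason}). cert_key: server certificate key type.
    dh_params: server has DH parameters (HAProxy ships defaults; a Node.js tls
    server created without the dhparam option has none; check your deployment)."""
    server = set(server_openssl)
    usable, rejected = [], {}
    for name in client_iana:
        if name.endswith("_SCSV"):
            continue  # signalling value, not a cipher suite
        ossl = IANA_TO_OPENSSL.get(name)
        if ossl is None:
            rejected[name] = "unknown suite, extend IANA_TO_OPENSSL"
        elif ossl not in server:
            rejected[name] = "not in server cipher list"
        elif "_ECDSA_" in name and cert_key != "EC":
            rejected[name] = "needs an ECDSA certificate"
        elif name.startswith("TLS_DHE_") and not dh_params:
            rejected[name] = "needs server DH parameters"
        else:
            usable.append(name)
    return usable, rejected

def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (e.g. HAProxy's ssl-default-bind-ciphers)
    with the local OpenSSL, which applies its security level as a server would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

# Hypothetical server lists: a Mozilla-"intermediate" style list, and a PFS-only
# list that overlaps the CPE on paper but not with an RSA cert and no DH params.
INTERMEDIATE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
PAPER_OVERLAP_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
```

To test a real deployment, pass the server's own cipher string through `expand_cipher_string` (run on a host with the same OpenSSL as the server) and feed the result to `negotiable` with the actual certificate key type and DH-parameter state; `negotiable(CLIENT_SUITES, PAPER_OVERLAP_ONLY.split(":"))` is the case where two names match on paper and still nothing is negotiable.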

This right there tells you what the issue is. The NodeJS server (and HAProxy) do not have a cipher that overlaps with what the Huawei can do. So you will either need to add a bunch of old and insecure ciphers, upgrade the firmware on the CPE to support newer/better cipher suites, or trick the box into switching to HTTP.

If the CPE gets an IP via DHCP, you can try to see whether DHCP option 43 is enabled on the CPE. DHCP option 43 allows you to send the ACS URL via DHCP.
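
For the DHCP route, the option 43 value has to be in the layout TR-069 specifies for ACS discovery: encapsulated sub-options, code 1 carrying the ACS URL and code 2 the provisioning code, offered to CPEs that send "dslforum.org" in option 60. The following is an added example, not code from the thread or GenieACS, that builds and decodes that value; the URL and provisioning code are made up, and the dhcpd and dnsmasq renderings are forms to check against your DHCP server's manual.

```python
"""Build and decode the DHCP option 43 value used for TR-069 ACS discovery.

Added example; not code from the forum thread or GenieACS. Sub-option layout
assumed from TR-069 (1 = ACS URL, 2 = ProvisioningCode); pad/end codes from
RFC 2132. The URL and provisioning code used in the tests are made-up values.
"""
SUBOPT_ACS_URL = 1
SUBOPT_PROVISIONING_CODE = 2
PAD, END = 0, 255  # RFC 2132 encapsulated-option pad and end codes


def encode_option43(acs_url, provisioning_code=None):
    """Return the raw option 43 value: a sequence of code/length/value triples."""
    fields = [(SUBOPT_ACS_URL, acs_url)]
    if provisioning_code is not None:
        fields.append((SUBOPT_PROVISIONING_CODE, provisioning_code))
    payload = bytearray()
    for code, value in fields:
        raw = value.encode("ascii")
        if not 0 < len(raw) <= 255:
            raise ValueError(f"sub-option {code} must be 1..255 bytes")
        payload += bytes([code, len(raw)]) + raw
    if len(payload) > 255:
        raise ValueError("option 43 value exceeds 255 bytes; shorten the URL")
    return bytes(payload)


def decode_option43(payload):
    """Parse sub-options back into {code: text}, skipping pad bytes, stopping at
    the end marker and refusing truncated data (as a CPE parser should)."""
    out, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("sub-option header truncated")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        out[code] = value.decode("ascii")
        i += 2 + length
    return out


def isc_dhcpd_hex(payload):
    """Colon-separated hex for a dhcpd.conf line of the assumed form
    'option vendor-encapsulated-options <hex>;' in the matching class."""
    return ":".join(f"{b:02x}" for b in payload)


def dnsmasq_line(acs_url):
    """Assumed dnsmasq form: sub-option 1 for clients whose vendor class
    (option 60) matches dslforum.org; dnsmasq wraps it into option 43 itself."""
    return f"dhcp-option=vendor:dslforum.org,{SUBOPT_ACS_URL},{acs_url}"
```

Keep the ACS URL short enough that the whole value stays under 255 bytes, and verify on the CPE that it actually sends "dslforum.org" in option 60, otherwise a vendor-class-scoped option is never handed out.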

Thanks for the reply.

I thought the cipher suite was the issue here, but upon inspection of the HAProxy ciphers and the Huawei ciphers I can see there are several overlapping ciphers. We have a Nokia ONT that uses the very same cipher that the Huawei lists in its ClientHello. I know for sure this is an issue with the Huawei. We’ll try the firmware upgrade route. DHCP may not be an option, at least in the meantime, but thanks for that info.