feat: allow the use of insecure cipher suits (#492)

if configured by user to support older devices.

addresses device-management-toolkit/console#445

Co-authored-by: Ganesh Raikhelkar <[email protected]>

Author: rsdmike

pkg/wsman/client/types.go

@@ -7,15 +7,16 @@ import (
 
 // Parameters struct defines the connection settings for wsman client.
 type Parameters struct {
-	Target            string
-	Username          string
-	Password          string
-	UseDigest         bool
-	UseTLS            bool
-	SelfSignedAllowed bool
-	LogAMTMessages    bool
-	Transport         http.RoundTripper
-	IsRedirection     bool
-	PinnedCert        string
-	TlsConfig         *tls.Config
+	Target                    string
+	Username                  string
+	Password                  string
+	UseDigest                 bool
+	UseTLS                    bool
+	SelfSignedAllowed         bool
+	LogAMTMessages            bool
+	Transport                 http.RoundTripper
+	IsRedirection             bool
+	PinnedCert                string
+	TlsConfig                 *tls.Config
+	AllowInsecureCipherSuites bool
 }

pkg/wsman/client/wsman.go

@@ -21,9 +21,8 @@ import (
 	"sync"
 	"time"
 
-	"github.com/sirupsen/logrus"
-
 	"github.com/open-amt-cloud-toolkit/go-wsman-messages/v2/pkg/amterror"
+	"github.com/sirupsen/logrus"
 )
 
 const (
@@ -127,6 +126,21 @@ func NewWsman(cp Parameters) *Target {
 				config = res.tlsConfig
 			} else {
 				config = &tls.Config{InsecureSkipVerify: cp.SelfSignedAllowed}
+
+				if cp.AllowInsecureCipherSuites {
+					defaultCipherSuites := tls.CipherSuites()
+					config.CipherSuites = make([]uint16, 0, len(defaultCipherSuites)+3)
+
+					for _, suite := range defaultCipherSuites {
+						config.CipherSuites = append(config.CipherSuites, suite.ID)
+					}
+					// add the weak cipher suites
+					config.CipherSuites = append(config.CipherSuites,
+						tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+						tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+						tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+					)
+				}
 			}
 		}