ipmitool 1.8.12 needs -C3 to work with lanplus

Bug #1176202 reported by Jason Sievert on 2013-05-03
This bug affects 1 person
Affects Status Importance Assigned to Milestone
The Open Compute Project
ipmitool (Debian)
Fix Released
ipmitool (Fedora)
Fix Released
ipmitool (Ubuntu)
Robie Basak

Bug Description

With the new version of ipmitool, 1.8.12, you need to include a default option of -C3 for lanplus to work with OCP. Without -C3 ipmitool comes back with invalid role. Using -vvvvvvv to debug there is a difference in the open session request.

Without -C3

IPMI Request Match found
removed list entry seq=0x00 cmd=0x38

>> sending packet (48 bytes)
 06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
 00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00

With -C3

IPMI Request Match found
removed list entry seq=0x00 cmd=0x38

>> sending packet (48 bytes)
 06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
 00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
 01 00 00 08 01 00 00 00 02 00 00 08 01 00 00 00

Description of problem:
"ipmitool sol activate" cannot open a session. Tried with Intel S1200BT & S3420GP & S5520HC MoBos. It worked in 17 and works again if I downgrade to ipmitool-1.8.11-11.fc17.x86_64 on f18.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. IPMI_PASSWORD=*** ipmitool -I lanplus -U <username> -E -H <ipmi_lan_addr> sol activate

Actual results:
"Info: cannot activate SOL payload with encryption"

Additional info:
I compiled upstream (unpatched) packages from Sourceforge with my f18 and I found the problem is at upstream: ipmitool-1.8.12 fails, 1.8.11 works - same configure options and exactly same environment. I have not found a working setup or any workaround with 1.8.12.


Could you please retry the ipmitool-1.8.12-5.fc18.x86_64 adding the option "-c 3" against the same hardware?

Thank you.

-C 3 (not -c 3) sorry for the confusion

ipmitool-1.8.12-6.fc18 has been submitted as an update for Fedora 18.

Option "-C 3" works! Thanks!

ipmitool-1.8.12-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

Jason Sievert (jsievert) wrote :

Debug output with -C3

summary: - ipmitool 1.8.12 needs -C3 to work with labplus
+ ipmitool 1.8.12 needs -C3 to work with lanplus
Jason Sievert (jsievert) wrote :

Debug output without -C3 option

Changed in opencompute:
status: New → Confirmed

ipmitool 1.8.11-5ubuntu1 works with lanplus interface without specifying -C3.

listed cipher suites supported on the remote BMC

channel getciphers ipmi 0x1
ID   IANA   Auth Alg         Integrity Alg    Confidentiality Alg
3    N/A    hmac_sha1        hmac_sha1_96     aes_cbc_128
8    N/A    hmac_md5         hmac_md5_128     aes_cbc_128
17   N/A    Unknown (0x03)   Unknown (0x03)   aes_cbc_128

current configuration on this channel
lan print
Set in Progress : Set Complete
Auth Type Support : MD5
Auth Type Enable : Callback :
                        : User : MD5
                        : Operator : MD5
                        : Admin : MD5
                        : OEM :
IP Address Source : DHCP Address
IP Address :
Subnet Mask :
MAC Address : 08:9e:01:62:af:cf
BMC ARP Control : ARP Responses Enabled, Gratuitous ARP Disabled
802.1q VLAN ID : Disabled
802.1q VLAN Priority : 0
RMCP+ Cipher Suites : 3,8,17
Cipher Suite Priv Max : aaaXXXXXXXXXXXX
                        : X=Cipher Suite Unused
                        : c=CALLBACK
                        : u=USER
                        : o=OPERATOR
                        : a=ADMIN
                        : O=OEM
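
The two Open Session Request dumps in the bug description differ only in the integrity and confidentiality algorithm bytes. The following added example (not part of the original report and not ipmitool code) decodes both dumps and checks the requested algorithms against the cipher suites the BMC lists above. The function names are hypothetical, and the field offsets assume the IPMI 2.0 RMCP+ Open Session Request layout.

```python
# Added example: decode the two RMCP+ Open Session Request dumps from this report.
import struct

# Algorithm names as ipmitool prints them on this page; 0 means "none" in IPMI 2.0.
AUTH = {0: "none", 1: "hmac_sha1", 2: "hmac_md5"}
INTEGRITY = {0: "none", 1: "hmac_sha1_96", 2: "hmac_md5_128"}
CONF = {0: "none", 1: "aes_cbc_128"}
# Suites from the "channel getciphers" output above, as (auth, integrity, conf) numbers.
BMC_SUITES = {3: (1, 1, 1), 8: (2, 2, 1), 17: (3, 3, 1)}

WITHOUT_C3 = """06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00"""
WITH_C3 = """06 00 ff 07 06 10 00 00 00 00 00 00 00 00 20 00
00 00 00 00 a4 a3 a2 a0 00 00 00 08 01 00 00 00
01 00 00 08 01 00 00 00 02 00 00 08 01 00 00 00"""

def name(table, alg):
    return table.get(alg, f"Unknown (0x{alg:02x})")

def parse_open_session(hexdump):
    """Return the requested (auth, integrity, confidentiality) algorithm numbers."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    if len(pkt) < 16 or pkt[0] != 0x06 or pkt[3] != 0x07:
        raise ValueError("not an RMCP packet of class IPMI")
    if pkt[4] != 0x06 or (pkt[5] & 0x3F) != 0x10:
        raise ValueError("not an RMCP+ Open Session Request")
    (length,) = struct.unpack_from("<H", pkt, 14)   # little-endian payload length
    body = pkt[16:16 + length]
    if length != 32 or len(body) != 32:
        raise ValueError("unexpected payload length")
    algs = {}
    for off in (8, 16, 24):      # three 8-byte algorithm records after the fixed part
        if body[off + 3] != 8:
            raise ValueError("bad algorithm record length")
        algs[body[off]] = body[off + 4] & 0x3F      # record type -> algorithm number
    if sorted(algs) != [0, 1, 2]:
        raise ValueError("missing algorithm record")
    return algs[0], algs[1], algs[2]

def describe(hexdump):
    triple = parse_open_session(hexdump)
    suite = next((sid for sid, t in BMC_SUITES.items() if t == triple), None)
    names = (name(AUTH, triple[0]), name(INTEGRITY, triple[1]), name(CONF, triple[2]))
    # "protected" = session traffic would be both integrity-checked and encrypted
    return {"algorithms": names, "bmc_suite": suite,
            "protected": triple[1] != 0 and triple[2] != 0}

if __name__ == "__main__":
    for label, dump in (("without -C3", WITHOUT_C3), ("with -C3", WITH_C3)):
        print(label, describe(dump))
```

The request sent without -C3 asks for a session with no integrity protection and no encryption, a combination that is not among the suites this BMC advertises; the request sent with -C3 matches suite 3.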

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This sounds like a regression between 1.8.11-5ubuntu1 and 1.8.12 (please could you clarify the exact package version with the problem?). It seems likely to me that this has been carried through from an upstream regression. Or perhaps we've accidentally dropped a patch.

Please could you test the upstream version compiled from source, and file a bug upstream if appropriate? It would be better not to introduce a delta against upstream for this, so if this issue applies upstream and they can fix the issue, then that would be the best way to resolve this problem.

Marking Importance: Medium as a workaround is available.

tags: added: needs-upstream-report
Changed in ipmitool (Ubuntu):
importance: Undecided → Medium

It's been reported upstream:
Default lanplus ciphersuite is now 0 instead of 3 - ID: 3571371

The resolution is to revert the change.

Robie Basak (racb) on 2013-05-17
Changed in ipmitool (Ubuntu):
status: New → In Progress
assignee: nobody → Robie Basak (racb)
tags: removed: needs-upstream-report
Robie Basak (racb) wrote :

Thanks for tracking this down, Samantha.

I hadn't realised that we'd already synced with Debian in Saucy after they picked up our changes. I've filed a bug in Debian for a cherry-pick of this fix. We'll auto-sync as soon as Debian fixes the bug - that way we can stay synced.

If Debian haven't addressed the bug nearer Saucy release time, we can introduce an Ubuntu delta to fix this in time for release - please poke me if so and I'll get it done.

Changed in ipmitool (Ubuntu):
status: In Progress → Triaged
Robie Basak (racb) wrote :

I'm hesitant to suggest an SRU for this, since a fix would necessarily break users on Raring depending on -C0 as the default. Opinions welcome.

Changed in ipmitool (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ipmitool - 1.8.12-1ubuntu1

ipmitool (1.8.12-1ubuntu1) saucy; urgency=low

  * d/p/revert_default_cipher_suite_id: cherry-pick upstream reversion of
    regressed default protocol selection (LP: #1176202).
 -- Robie Basak <email address hidden> Thu, 01 Aug 2013 15:44:03 +0000

Changed in ipmitool (Ubuntu):
status: Triaged → Fix Released
Changed in ipmitool (Debian):
status: New → Fix Released
Changed in ipmitool (Fedora):
importance: Unknown → High
status: Unknown → Fix Released