Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

Software and Operating SystemPre-Installed Lenovo Software and Applications
All Forum Topics
Options

169 Posts

03-12-2012

Canada

142 Signins

1656 Page Views

  • Posts: 169
  • Registered: ‎03-12-2012
  • Location: Canada
  • Views: 1656
  • Message 1 of 32

Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-21, 22:01 PM

Since updating to Lenovo ThinkVantage System Update 5.05.0009, I cannot install any updates using TVSU from the office.  Checking for updates always stops at "Dowloading Package Information" and a box pops up that says "There are no applicable packages found for your system."  This is not normal because it should download pacakge information and then process it, and report if there are any updates or not.  From home, TVSU runs normally.

 

I think I have finally found the issue: it is something in the way TVSU is redirecting to Lenovo's Content Delivery Network (Akamai).  I know very little about SSL, and even less about Content Delivery Networks (CDN), so I could be wrong and be over-reacting.  Maybe it's just a problem with the CDN but I will post my analysis to get that ball rolling.

 

My Analysis

Our firewall blocks invalid SSL requests, to make sure that all software, not just web browsers, obey SSL best practices.  Rarely have I had programs malfunction due to this, and when I do it is usally do an expired certificate.  For TVSU, in the firewall logs and using Wireshark, I can find that TVSU is making two SSL requests when it searches for updates:

1. To download.lenovo.com.  This request passes the firewall no problem.

2. To 23.193.172.20, which is the CNAME record that my computer happens to resolve download.lenovo.com right now (as it is a CDN, it may be another IP later today or tomorrow).  This request does not pass the firewall because the certificate is issued for download.lenovo.com.

 

Why is TVSU trying to make SSL connections against an IP address directly instead of against the CNAME or A record name that matches the certificate?  Connecting to 23.193.172.20 in my browser shows a certificate issued to download.lenovo.com.

 

This seems like extremely poor security practice to me: In the absense of our corporate firewall stopping the behaviour, what I see happening is: TVSU is taking whatever the CNAME lookup returns and connecting to that IP directly over SSL.  It is ignoring the certificate error that creates.  I am guessing the certificate could say just about anything and it would establish a connection.  So if DNS is poisioned - say in a particular country or at a public location - TVSU will connect to whatever IP it is told to using whatever certificate that IP is using.  It could be possible for malicious updates to be delivered this way.  E.g., I have several ThinkPads roaming around China on a regular basis - if China poisons the DNS record for download.lenovo.com, my users could get who-knows-what delivered as an update and TVSU would display it and install it.

 

This behaviour never happened until I updated TVSU to 5.05.0009.  I can't say the implementation in earlier versions was totally sound, rather all I know is our firewalls didn't stop it before, and they have been in used for four or five years.

 

 

__________________________________________________
Current: ThinkPad Tablet 2 | 64GB // ThinkPad T440s | i7-4600U | 12GB | 512GB SSD | FHD MT
Previous: ThinkPad T420s // ThinkPad T410s
Reply
Options

169 Posts

03-12-2012

Canada

142 Signins

1656 Page Views

  • Posts: 169
  • Registered: ‎03-12-2012
  • Location: Canada
  • Views: 1656
  • Message 2 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-21, 22:18 PM

One further comment that is definitely a software issue: the error message certainly doesn't reflect what the actual error is in this case.  In my opinion, failure to contact the update server should not generate "There are no applicable packages found for your system."

 

TVSU-NoPackagesError.JPG

__________________________________________________
Current: ThinkPad Tablet 2 | 64GB // ThinkPad T440s | i7-4600U | 12GB | 512GB SSD | FHD MT
Previous: ThinkPad T420s // ThinkPad T410s
Reply
Options

5067 Posts

11-22-2011

United States of America

5783 Signins

89698 Page Views

  • Posts: 5067
  • Registered: ‎11-22-2011
  • Location: United States of America
  • Views: 89698
  • Message 3 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-21, 23:50 PM

The current Su release is 5.05..0008

Lenovo Thinkvantage Toolbox is another product,ie, discontinued PC-Doctor. Now replaced with Lenovo Solution Center.

==

All that aside, your issue seems to be:

(1) You are at the office, and try to remotely run SU on another PC , ie at home. -or-

(2) You take your at home pc to work  , and try to run SU through your corporate networks.  << i thnk this 1.

It fails with false screen of NO updates applicable.

 

WIthout regard to Akami, CDname, SSL. (maybe a touch of overthinking. more is better documentation wise, thanks)

SU

(1) will contact a website to see if it needs to self update.

(2) will contact a website with Machine type(not model number)  to get a .XML with check digits(crc).

(3) it will use the .XMl downloaded in item 2  to download a second .XML, ie the machine package.

Within the package is lots of websites and logic to determine the packages to install.  It will use the check digits from item 2 to verify 2nd package is correct.  

==

That is the basics. SU also does dont like to be run on a network share. During the install it will attempt to update windows task scheduler and do .reg entries, which fail (not on local machine).

==

My conclusion:

SU is not designed to be run on a corporate network. (Thin installer, update retriever).

Bottom line: better feedback screen,not no updates applicable.

Maybe Lenovo or other forum users can add comment. 

==

Side note:

A manual install of SU will create a entry in "start programs". Otherwise your launch point is the Levono Thinkvantage

tools,clumsy, printer interface:

Control Panel\Hardware and Sound\Devices and Printers\*your id*\Lenovo ThinkVantage Tools

now we have 1. Lenovo thinkvantage tools. 2. Lenovo thinkvantage toolbox..confusing.

 

Just browse to:

 "C:\Program Files (x86)\Lenovo\System Update\tvsu.exe

right click . create shortcut. Create it on the desktop.  (this works),

drag this to (cut/paste):C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo

It will now be available on start programs list. (this works better).

 

Reply
Options

169 Posts

03-12-2012

Canada

142 Signins

1656 Page Views

  • Posts: 169
  • Registered: ‎03-12-2012
  • Location: Canada
  • Views: 1656
  • Message 4 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 0:00 AM

scelxman,

 

Proof of version 5.05.0009:

TVSU-Version.JPG

 

No disrespect intended, but TVSU "not being designed to run on a corporate network" is not a solution; that is an extremely lazy answer.  I would never provide one of my users such an answer.  If Windows Update didn't work on my network, and I provided no other info, would you tell me the only solution must be to use WSUS?!

 

I do not use ThinInstaller nor Update Retreiver - most of my users are mobile laptop users so a central repository at one office is not all that helpful to me.

 

If Lenovo support needs specific logs from me to confirm this problem, I am happy to work with them on that.

__________________________________________________
Current: ThinkPad Tablet 2 | 64GB // ThinkPad T440s | i7-4600U | 12GB | 512GB SSD | FHD MT
Previous: ThinkPad T420s // ThinkPad T410s
Reply
Options

169 Posts

03-12-2012

Canada

142 Signins

1656 Page Views

  • Posts: 169
  • Registered: ‎03-12-2012
  • Location: Canada
  • Views: 1656
  • Message 5 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 0:19 AM

Here are some logs:

 

FIREWALL

date=2014-04-21 time=18:04:45 devname= device_id= log_id=0315013317 type=webfilter subtype=urlfilter pri=notice vd="root" policyid=10 intf_policyid=0 identidx=0 serial=5533364 user="DXXX" group="N/A" src=10.XX.XX.104 sport=59671 src_port=59671 src_int="internal" dst=23.193.172.20 dport=443 dst_port=443 dst_int="wan1" service="https" hostname="download.lenovo.com" carrier_ep="N/A" profiletype="Webfilter_Profile" profilegroup="N/A" profile="default" status="passthrough" req_type="direct" url="/" sent=911 rcvd=4140 msg="URL has been visited" method=domain class="0" class_desc="N/A" cat=0 cat_desc="N/A"

 

date=2014-04-21 time=18:04:45 devname= device_id= log_id=0315012555 type=webfilter subtype=urlfilter pri=notice vd="root" policyid=10 intf_policyid=0 identidx=0 serial=5533367 user="DXXX" group="N/A" src=10.XX.XX.104 sport=59674 src_port=59674 dst=23.193.172.20 dport=443 dst_port=443 carrier_ep="N/A" profiletype="Webfilter_Profile" profilegroup="N/A" profile="default" service="https" status="blocked" msg="The SSL session was blocked because the server certificate was missing or invalid." sent=303 rcvd=113

 

The second log entry shows a connection is attempted over HTTPS directly to an IP address.  This should never happen in any proper SSL implementation because SSL certificates are issued to hostnames, not IPs.  It is possible to issue an SSL certificate to an IP address, but this is rarely done.

 

WIRESHARK

45    7.400123000    10.XX.XX.104    10.XX.XX.10    DNS    79    Standard query 0xd151  A download.lenovo.com

49    8.400757000    10.XX.XX.104    10.XX.XX.10    DNS    79    Standard query 0xd151  A download.lenovo.com

51    9.401638000    10.XX.XX.104    10.XX.XX.10    DNS    79    Standard query 0xd151  A download.lenovo.com

55    11.111006000    10.XX.XX.10    10.XX.XX.104    DNS    173    Standard query response 0xd151  CNAME download.lenovo.com.edgekey.net CNAME e1947.b.akamaiedge.net A 23.209.8.27

56    11.113362000    10.XX.XX.104    10.XX.XX.10    DNS    79    Standard query 0xd523  A download.lenovo.com

57    11.581058000    10.XX.XX.10    10.XX.XX.104    DNS    173    Standard query response 0xd523  CNAME download.lenovo.com.edgekey.net CNAME e1947.b.akamaiedge.net A 23.193.172.20

 

 

__________________________________________________
Current: ThinkPad Tablet 2 | 64GB // ThinkPad T440s | i7-4600U | 12GB | 512GB SSD | FHD MT
Previous: ThinkPad T420s // ThinkPad T410s
Reply
Options

5067 Posts

11-22-2011

United States of America

5783 Signins

89698 Page Views

  • Posts: 5067
  • Registered: ‎11-22-2011
  • Location: United States of America
  • Views: 89698
  • Message 6 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 0:27 AM

I agree. blah blah 9 --- not showing on my end )yet). They release 1 daily LOL. thanks for the nice screen shot.

great documentation.

Could you post the SU log?

C:\Program Files (x86)\Lenovo\System Update\logs

Try dropbox.com  link to post what brain SU uses.

This is a Lenovo issue, not us.

Reply
Options

169 Posts

03-12-2012

Canada

142 Signins

1656 Page Views

  • Posts: 169
  • Registered: ‎03-12-2012
  • Location: Canada
  • Views: 1656
  • Message 7 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 1:25 AM

This is not the whole log file, rather where the problem happens:


Info    2014-04-21 , 06:12:46
    at Tvsu.ConnectionSettings.ConnectionSettings.GetConnectionForURL(String url)
    Message: Connection settings bean found for download.lenovo.com

Info    2014-04-21 , 06:12:46
    at Tvsu.FileDownloader.HttpsDownload.GetProxy(ConnectionSettingsBean connBean)
    Message: Connection type set to DIRECT in ConnectionSettingsBean

Severe    2014-04-21 , 06:12:46
    at Tvsu.FileDownloader.HttpsDownload.Init(FileDownloadInfo fileInfo)
    Message: Debug Log: Init method:GET

Severe    2014-04-21 , 06:12:46
    at Tvsu.FileDownloader.HttpsDownload.doDownloadByHttps(FileDownloadInfo fileInfo, downloadingDelegate downDelegate)
    Message: Debug Log: doDownloadByHttps InterException is null, uri:https://download.lenovo.com/catalog//20AQ_Win8_DESC.xml

Severe    2014-04-21 , 06:12:46
    at Tvsu.FileDownloader.HttpsDownload.doDownloadByHttps(FileDownloadInfo fileInfo, downloadingDelegate downDelegate)
    Message: Debug Log doDownloadByHttps webException message:The request was aborted: Could not create SSL/TLS secure channel.

Severe    2014-04-21 , 06:12:46
    at Tvsu.FileDownloader.HttpsDownload.doDownloadByHttps(FileDownloadInfo fileInfo, downloadingDelegate downDelegate)
    Message: Debug Log server path: https://download.lenovo.com/catalog//20AQ_Win8_DESC.xml webException.StackTrace:   at System.Net.HttpWebRequest.GetResponse()
   at Tvsu.FileDownloader.HttpsDownload.doDownloadByHttps(FileDownloadInfo fileInfo, downloadingDelegate downDelegate)

Severe    2014-04-21 , 06:12:46
    at Tvsu.Engine.Process.HelpCenterQuestProcess.DownloadCatalogDescriptorFile()
    Message: Debug Log: failed to download catalog descriptor file

Severe    2014-04-21 , 06:12:46
    at Tvsu.Engine.Process.HelpCenterQuestProcess.LaunchHelpCenterProcess()
    Message: An error ocurred while contacting the help center
    Exception:
        Message: Failed to download catalog descriptor file.
        Type: System.Exception
           at Tvsu.Engine.Process.HelpCenterQuestProcess.DownloadCatalogDescriptorFile()
   at Tvsu.Engine.Process.HelpCenterQuestProcess.LaunchHelpCenterProcess()

Info    2014-04-21 , 06:12:46
    at Tvsu.Engine.Task.Task.Start()
    Message: Executing the PostProcess HelpCenterQuestProcess

Severe    2014-04-21 , 06:12:46
    at Tvsu.Engine.Task.Task.StartExecution()
    Message: An error occurred while the task: ApplicableUpdatesTask executed the process: HelpCenterQuestProcessthe message from exception isException of type 'Tvt.Helpcenter.Quest.CatalogNotFoundException' was thrown.
    Exception:
        Message: Exception of type 'Tvt.Helpcenter.Quest.CatalogNotFoundException' was thrown.
        Type: Tvt.Helpcenter.Quest.CatalogNotFoundException
           at Tvsu.Engine.Task.Task.Start()
   at Tvsu.Engine.Task.Task.StartExecution()

Info    2014-04-21 , 06:12:46
    at Tvsukernel.CustomControls.Step.<>c__DisplayClass7.<set_Image>b__6()
    Message: Setting FAILED status.

Info    2014-04-21 , 06:12:46
    at Tvsukernel.Logic.GUIController.ShowErrorMessage(Exception e)
    Message: Error trying to connect to an invalid Server.
    Exception:
        Message: Exception of type 'Tvt.Helpcenter.Quest.CatalogNotFoundException' was thrown.
        Type: Tvt.Helpcenter.Quest.CatalogNotFoundException
           at Tvsu.Engine.Task.Task.StartExecution()
   at Tvsu.Sdk.SuSdk.GetApplicableUpdates(searchingFolderDelegate spd, showErrMsgDelegate sed)
   at Tvsukernel.Logic.ProgressThread.InitSearch()

Info    2014-04-21 , 06:12:46
    at Tvsukernel.Dialogs.Messages.ShowStaticMessage(String message, String title, MessageType t, Boolean check)
    Message: Showing ERROR Message: < There are no applicable packages found for your system. >

 

This log does shed more light:

- I don't see any reference to the IP address in the log.

- It aborted when it couldn't establish the https connection.

 

In my web browser I can connect to https://download.lenovo.com/catalog//20AQ_Win8_DESC.xml with no issue and the SSL certificate is valid. This could be a CDN problem?

__________________________________________________
Current: ThinkPad Tablet 2 | 64GB // ThinkPad T440s | i7-4600U | 12GB | 512GB SSD | FHD MT
Previous: ThinkPad T420s // ThinkPad T410s
Reply
Options

5067 Posts

11-22-2011

United States of America

5783 Signins

89698 Page Views

  • Posts: 5067
  • Registered: ‎11-22-2011
  • Location: United States of America
  • Views: 89698
  • Message 8 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 2:06 AM

https://download.lenovo.com/catalog//20AQ_Win8_DESC.xml

 

This is the 1st handshake. Then the dummy message.

Message: Showing ERROR Message: < There are no applicable packages found for your system. >

Reply
Options

191 Posts

04-21-2011

China

313 Signins

1314 Page Views

  • Posts: 191
  • Registered: ‎04-21-2011
  • Location: China
  • Views: 1314
  • Message 9 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 9:30 AM

Hi Veechee,

 

would you please provide a mail address  ? I want to transfer the previous version TVSU5.03 to you(after you installed 5.03 ,please modify the hellolevel value ,otherwise if will be force updated to 5.05 again, my colleague will tell you how to mofify) , please have a try again to see if it works? as you said ,the issue only happens on 5.05, we did not changed anything regarding the SLL request.Thanks.

Reply
Options

7263 Posts

10-29-2009

United States of America

17930 Signins

168610 Page Views

  • Posts: 7263
  • Registered: ‎10-29-2009
  • Location: United States of America
  • Views: 168610
  • Message 10 of 32

Re: Lenovo ThinkVantage Toolbox 5.05.0009 - SSL problem

2014-04-22, 16:57 PM

Veechee,

 

Let me start by saying that currently we have no idea if this is System Update problem, or if it's just the way the content distribution network works (because you may be redirected to one of many different servers).

 

As jerrycq said, could you please try a previous version of System Update to confirm whether this is really new behavior or not?

 

https://dl.dropboxusercontent.com/u/62276273/TVSU5.03/systemupdate503-10-31-2013.exe

 

To prevent this version from immediately self-updating to the latest version, you have to set a registry entry:

"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Lenovo\System Update"

Change "HelloClientLevel" to "HelloLevel/9.10.00"

 

1.  uninstall current version of System Update

2.  reboot

3.  install 10-31-2013 version of System Update from my above link

4.  change the HelloClientLevel in registry

5.  run System Update to check for updates

 

So would you please try this and let us know?

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms