iPXE discussion forum
https errors - TLS ciphers [Operation not supported] fatal error 40

https errors - TLS ciphers [Operation not supported] fatal error 40 - jrsmile - 2018-07-01 18:27

Hi There,

I come across more and more TLS errors lately when using free webspace.

As iPXE only supports old ciphers
RSA_WITH_AES_256_CBC_SHA256,
RSA_WITH_AES_128_CBC_SHA256,
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA

I wonder if it is planned to add:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA)

anytime soon?
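
Added example, not part of the original post and not iPXE code: a minimal model of server-side cipher suite selection, showing why a client offering only the four RSA suites gets a fatal alert from a server that accepts only the four ECDHE suites listed above. It reads "fatal error 40" as TLS alert description 40 (handshake_failure); the RSA code points are the IANA registry values, and the ECDHE-only server policy is constructed for the example.

```python
import struct

# IANA code points for the four suites the post lists as supported by iPXE.
IPXE_SUITES = {
    0x003D: "RSA_WITH_AES_256_CBC_SHA256",
    0x003C: "RSA_WITH_AES_128_CBC_SHA256",
    0x0035: "RSA_WITH_AES_256_CBC_SHA",
    0x002F: "RSA_WITH_AES_128_CBC_SHA",
}
# Constructed server policy: only the four ECDHE suites named in the post.
ECDHE_ONLY_SERVER = [0xC030, 0xC014, 0xC02F, 0xC013]

ALERT_RECORD, FATAL, HANDSHAKE_FAILURE = 21, 2, 40

def encode_suites(codes):
    """cipher_suites vector as carried in a ClientHello: u16 length, u16 entries."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body

def decode_suites(blob):
    """Parse the vector back into code points, rejecting bad lengths."""
    (length,) = struct.unpack_from("!H", blob)
    if length % 2 or length != len(blob) - 2:
        raise ValueError("malformed cipher_suites vector")
    return [c for (c,) in struct.iter_unpack("!H", blob[2:])]

def server_select(server_pref, client_blob):
    """Pick the first server-preferred suite the client offered.

    Returns ("suite", code), or ("alert", record_bytes) when nothing is shared.
    """
    offered = set(decode_suites(client_blob))
    for code in server_pref:
        if code in offered:
            return "suite", code
    # Plaintext TLS 1.2 alert record: type 21, version 3.3, length 2, level, description
    return "alert", struct.pack("!BHHBB", ALERT_RECORD, 0x0303, 2, FATAL, HANDSHAKE_FAILURE)

def decode_alert(record):
    """Return (level, description) from a plaintext alert record."""
    ctype, _version, length, level, desc = struct.unpack("!BHHBB", record)
    if ctype != ALERT_RECORD or length != 2:
        raise ValueError("not a plaintext alert record")
    return level, desc

if __name__ == "__main__":
    hello = encode_suites(list(IPXE_SUITES))
    kind, value = server_select(ECDHE_ONLY_SERVER, hello)
    print(kind, value.hex(), decode_alert(value))                # no overlap: fatal alert 40
    print(server_select(ECDHE_ONLY_SERVER + [0x003C], hello))    # one RSA suite enabled
```

Enabling any one of the four RSA suites on the server side is enough for the selection to succeed in this model.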


RE: https errors - TLS ciphers [Operation not supported] fatal error 40 - NiKiZe - 2018-07-02 19:55

Since this is on the more technical level, I would suggest posting this to the iPXE mailing list for it to better reach the right audience.


RE: https errors - TLS ciphers [Operation not supported] fatal error 40 - dscoular@gmail.com - 2018-09-10 11:54

Hi Jrsmile,
I'm in the same boat... we have Red Hat's OpenShift in our company which appears to serve HTTPS only through these ciphers.

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
CAMELLIA128-SHA
DES-CBC3-SHA

When I try and use iPXE (compiled to support DOWNLOAD_PROTO_HTTPS) I get the same [Operation not supported] fatal error 40.

Since the documentation says only the following ciphers are supported:

RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA

I'd like to add my voice to the wish for support of more modern ciphers. I'd love to hear that developers were working on this as it seems critical to iPXE's healthy future.

Cheers,

Doug


Can ipxe support the ECDHE for TLS? - yiya1989 - 2019-04-13 02:48

http://ipxe.org/crypto

The exact list of supported cipher suites is
RSA_WITH_AES_256_CBC_SHA256,
RSA_WITH_AES_128_CBC_SHA256,
RSA_WITH_AES_256_CBC_SHA, and
RSA_WITH_AES_128_CBC_SHA.

But RSA_WITH_AES_xxx_CBC_SHAxx is now considered an insecure algorithm; can iPXE support the ECDHE cipher suites?


I have seen the older thread; my question is the same as this one:
http://forum.ipxe.org/showthread.php?tid=11985&highlight=ECDHE


RE: https errors - TLS ciphers [Operation not supported] fatal error 40 - yiya1989 - 2019-04-13 03:12

(2018-07-02 19:55)NiKiZe Wrote:  Since this is on the more technical level, I would suggest posting this to the ipxe mailing list for it to better reach the right audience.

Is it possible to add these ciphers?