HTTPS - unrecognised algorithm
2015-06-02, 19:04
Post: #1
HTTPS - unrecognised algorithm
Hi,
I'm having issues with HTTPS. When chaining an https URL I'm getting: "Operation not supported (http://ipxe.org/3c00e103)".
We're using "real" certificates, so not self-signed. I also tested on e.g. https://google.com and here it works (no error).
Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at http://snag.gy/j2i8a.jpg
I'm testing with ipxe current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358):
iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT
Fiddling with the code, basically ignoring the errors, it works.
diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c index aca12bf..6715685 100644 --- a/src/crypto/asn1.c +++ b/src/crypto/asn1.c @@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor, if ( ! *algorithm ) { DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor ); DBGC_HDA ( cursor, 0, cursor->data, cursor->len ); - return -ENOTSUP_ALGORITHM; + //return -ENOTSUP_ALGORITHM; + return 0; } return 0; diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 00eb226..c42bc52 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time, } DBGC ( chain, "X509 chain %p found no usable certificates\n", chain ); - return -EACCES_USELESS; + //return -EACCES_USELESS; + return 0; }
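Review bot: in `asn1_algorithm()` the `if ( ! *algorithm )` branch now returns 0 while `*algorithm` is still NULL, so the function reports success without having identified an algorithm, and a caller that trusts the return value is left holding a null pointer. Keep `return -ENOTSUP_ALGORITHM;` and use the `DBGC_HDA` dump printed just above it to find out which algorithm is unrecognised. The commented-out `//return -ENOTSUP_ALGORITHM;` line should not stay in the file either way.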
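Review bot: in `x509_validate_chain()` the fall-through after "found no usable certificates" now returns 0, so a chain in which no certificate could be validated is reported as valid and this function no longer rejects anything at that point. Keep `return -EACCES_USELESS;`. A chain that ends up here needs its cause fixed (the unrecognised algorithm from the asn1.c hunk is the likely one), not the check removed.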
2015-06-03, 09:31
Post: #2
RE: HTTPS - unrecognised algorithm
Update: Using uefi (snponly) the above 'fix' doesn't work and gives http://ipxe.org/err/3d00e1 error.
Do undionly and snponly do https/crypto in another way?
2015-06-03, 16:45
Post: #3
RE: HTTPS - unrecognised algorithm
I could be wrong, but what are the build parameters you're using to build your binary boot files?
I believe you still need the CA Chain or something for iPXE to recognize it as being valid. Even though they're "real" I don't think the iPXE binaries have a default set of "trusted root authorities" built into them as I imagine it would significantly increase the size of the compiled files. Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?
2015-06-04, 08:59
Post: #4
RE: HTTPS - unrecognised algorithm
Hi, thanks for the reply.
The URL ipxe uses for this by default (http://ca.ipxe.org/auto/) is reachable from the client. When chaining to e.g. https://google.com it works, but for some reason it doesn't work with our certificates (signed by terena ssl ca 2).
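The DEBUG=asn1 output mentioned in the first post shows the unrecognised algorithm only as a hex dump. As an added example (not part of the thread and not iPXE code), the following decodes such bytes into a dotted OID and a name, assuming the dump starts with a DER AlgorithmIdentifier SEQUENCE or a bare OID; the function names, the small OID table and the sample bytes are constructed here.

```python
# Added example (not iPXE code); OID names from RFC 3279 / 4055 / 5758.
KNOWN_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits count length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content bytes into dotted-decimal form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in value:                   # base-128 digits, high bit = continuation
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)        # first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def identify_algorithm(hexdump):
    """Map a hex dump of an AlgorithmIdentifier (or bare OID) to (oid, name)."""
    buf = bytes.fromhex(hexdump)         # fromhex ignores the spaces
    tag, value, _ = read_tlv(buf)
    if tag == 0x30:                      # SEQUENCE: the OID is its first element
        tag, value, _ = read_tlv(value)
    if tag != 0x06:
        raise ValueError("no OBJECT IDENTIFIER found")
    oid = decode_oid(value)
    return oid, KNOWN_OIDS.get(oid, "unknown")

SAMPLE = "30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00"  # constructed, not from the screenshot
```

An OID that comes back as "unknown" can still be looked up by its dotted form; the point is to name the algorithm the failing certificate uses before changing any code.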