[tls] received overlength Handshake - GoDaddy certs
2018-12-14, 15:33
Post: #1
[tls] received overlength Handshake - GoDaddy certs
Hey,

we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates.

Steps to reproduce:
  • clone latest ipxe git repo
  • enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other defines for your needs
  • Download GoDaddy CA and intermediate cert: https://certs.godaddy.com/repository/gdroot-g2.crt and https://certs.godaddy.com/repository/gdig2.crt.pem
  • embedded script:
    #!ipxe
    dhcp
    chain https://www.godaddy.com/
    (I know there is nothing to chainload there but it's just an example for a domain using a GoDaddy cert)
  • make bin/undionly.kpxe EMBED=chain DEBUG=tls TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem

Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show TLS ... received overlength Handshake.

If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on TLS ... overlength certificate (src/net/tls.c line 1591) this time.

Seems like len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate.

I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Anyone an idea?

Thanks in advance,
Sebastian
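The failure described above is what a parser runs into when it assumes that a whole handshake message fits into one record or one receive buffer: a Certificate message can legitimately be larger than a single TLS record (records are capped at 2^14 bytes, and handshake messages may span several of them). The following is an added example, not iPXE's code: a small C reassembler that collects a handshake message fragmented across several TLS records, bounds-checks every length field it reads, and refuses a declared length it cannot hold instead of truncating it. The buffer sizes, the `hs_reasm` structure and the function names are this example's own assumptions; the 5286-byte Certificate body reuses the size quoted in the post as constructed test data.

```c
/* Added example (not iPXE code): reassemble a TLS handshake message that
 * is fragmented across several TLS records, with explicit bounds checks. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS_RECORD_HDR_LEN     5      /* type(1) version(2) length(2) */
#define TLS_HANDSHAKE_HDR_LEN  4      /* msg_type(1) length(3) */
#define TLS_TYPE_HANDSHAKE     22
#define TLS_HS_CERTIFICATE     11
#define TLS_MAX_RECORD_LEN     16384  /* 2^14, RFC 5246 section 6.2.1 */
#define HS_MAX_LEN             65536  /* assumed cap for this example */

/* Accumulator for one handshake message spanning several records. */
struct hs_reasm {
    uint8_t buf[HS_MAX_LEN];
    size_t  have;      /* bytes collected so far (header + body) */
    size_t  need;      /* total expected length, 0 while header incomplete */
    int     msg_type;
};

/* Parse the record-layer header and locate the fragment it carries. */
static int tls_record_parse(const uint8_t *rec, size_t rec_len, uint8_t *type,
                            const uint8_t **frag, size_t *frag_len)
{
    if (rec_len < TLS_RECORD_HDR_LEN)
        return -1;
    size_t len = ((size_t)rec[3] << 8) | rec[4];
    if (len > TLS_MAX_RECORD_LEN || rec_len < TLS_RECORD_HDR_LEN + len)
        return -1;                        /* truncated or oversized record */
    *type = rec[0];
    *frag = rec + TLS_RECORD_HDR_LEN;
    *frag_len = len;
    return 0;
}

/* Feed one record. Returns 1 when the handshake message is complete,
 * 0 when more fragments are needed, negative on error. Simplification:
 * one handshake message per fragment sequence (no coalesced messages). */
static int tls_handshake_feed(struct hs_reasm *r, const uint8_t *rec, size_t rec_len)
{
    uint8_t type; const uint8_t *frag; size_t frag_len;
    if (tls_record_parse(rec, rec_len, &type, &frag, &frag_len) < 0)
        return -1;
    if (type != TLS_TYPE_HANDSHAKE)
        return -2;
    if (frag_len > HS_MAX_LEN - r->have)
        return -3;                        /* would overrun the reassembly buffer */
    memcpy(r->buf + r->have, frag, frag_len);
    r->have += frag_len;
    /* Once the 4-byte handshake header is in, the total length is known. */
    if (r->need == 0 && r->have >= TLS_HANDSHAKE_HDR_LEN) {
        size_t body = ((size_t)r->buf[1] << 16) | ((size_t)r->buf[2] << 8) | r->buf[3];
        r->msg_type = r->buf[0];
        r->need = TLS_HANDSHAKE_HDR_LEN + body;
        if (r->need > HS_MAX_LEN)
            return -3;                    /* overlength: refuse, never truncate */
    }
    if (r->need && r->have > r->need)
        return -4;                        /* fragment runs past the message end */
    return (r->need && r->have == r->need) ? 1 : 0;
}

/* Wrap a fragment in a TLS 1.2 record header (type 22, version 0x0303). */
static size_t tls_record_build(uint8_t *out, const uint8_t *frag, size_t frag_len)
{
    out[0] = TLS_TYPE_HANDSHAKE; out[1] = 0x03; out[2] = 0x03;
    out[3] = (uint8_t)(frag_len >> 8); out[4] = (uint8_t)frag_len;
    memcpy(out + TLS_RECORD_HDR_LEN, frag, frag_len);
    return TLS_RECORD_HDR_LEN + frag_len;
}

/* Constructed scenario: a 5286-byte Certificate body split into a 4096-byte
 * fragment and the remainder. Returns the reassembled length, or the error. */
int demo_fragmented_certificate(void)
{
    static uint8_t msg[TLS_HANDSHAKE_HDR_LEN + 5286];
    static uint8_t rec[TLS_RECORD_HDR_LEN + 4096];
    static struct hs_reasm r;
    size_t total = sizeof(msg), off = 0; int rc = 0;
    msg[0] = TLS_HS_CERTIFICATE;
    msg[1] = 0; msg[2] = (5286 >> 8) & 0xff; msg[3] = 5286 & 0xff;
    for (size_t i = TLS_HANDSHAKE_HDR_LEN; i < total; i++) msg[i] = (uint8_t)i;
    memset(&r, 0, sizeof(r));
    while (off < total) {
        size_t chunk = (total - off < 4096) ? total - off : 4096;
        rc = tls_handshake_feed(&r, rec, tls_record_build(rec, msg + off, chunk));
        if (rc < 0) return rc;
        off += chunk;
    }
    if (rc != 1 || r.msg_type != TLS_HS_CERTIFICATE) return -5;
    return memcmp(r.buf, msg, total) == 0 ? (int)total : -6;
}

/* A header declaring a body larger than the buffer must be rejected (-3). */
int demo_overlength_refused(void)
{
    uint8_t hdr[TLS_HANDSHAKE_HDR_LEN] = { TLS_HS_CERTIFICATE, 0xff, 0xff, 0xff };
    uint8_t rec[TLS_RECORD_HDR_LEN + TLS_HANDSHAKE_HDR_LEN];
    static struct hs_reasm r;
    memset(&r, 0, sizeof(r));
    return tls_handshake_feed(&r, rec, tls_record_build(rec, hdr, sizeof(hdr)));
}

int main(void)
{
    printf("reassembled %d bytes, overlength rc=%d\n",
           demo_fragmented_certificate(), demo_overlength_refused());
    return 0;
}
```

The point of the design is that the 3-byte handshake length, not the size of whatever buffer the current record landed in, drives the "complete / need more / refuse" decision, so a certificate chain longer than one receive buffer is assembled rather than reported as overlength.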
2018-12-14, 18:26
Post: #2
RE: [tls] received overlength Handshake - GoDaddy certs
You might want to send this to the ipxe-devel mailing list, it generally gets noticed faster by the right people that way. (but not always)

Read FAQ before first post!
Are relevant ipxe.org error urls and PCIIDs included?
2018-12-14, 18:45
Post: #3
RE: [tls] received overlength Handshake - GoDaddy certs
Thanks!
http://lists.ipxe.org/pipermail/ipxe-dev...06395.html
