2018-12-14, 15:33
Hey,
we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates.
Steps to reproduce:
- clone latest ipxe git repo
- enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other defines for your needs
- Download GoDaddy CA and intermediate cert: https://certs.godaddy.com/repository/gdroot-g2.crt and https://certs.godaddy.com/repository/gdig2.crt.pem
- embedded script:
Code:
#!ipxe
dhcp
chain https://www.godaddy.com/
- make bin/undionly.kpxe EMBED=chain DEBUG=tls TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem
Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show TLS ... received overlength Handshake.
If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on TLS ... overlength certificate (src/net/tls.c line 1591) this time.
Seems like len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate.
I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Does anyone have an idea?
Thanks in advance,
Sebastian
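
The case reported above, a handshake message longer than the buffer it is read through, is what a reassembling parser has to handle. The following C sketch is an added example, not iPXE's code and not part of the original post: it accumulates a constructed TLS handshake message (body of 5286 bytes, the size quoted in the post) from 4096-byte chunks. The names `hs_reasm`, `hs_feed`, `demo_feed` and the 65536-byte cap are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define HS_HDR_LEN 4      /* 1-byte type + 3-byte big-endian body length */
#define HS_MAX_LEN 65536  /* assumed sanity cap for this sketch */
#define HS_MIN(a, b) ((a) < (b) ? (a) : (b))
struct hs_reasm {
	uint8_t *body;            /* allocated once the header is complete */
	uint8_t hdr[HS_HDR_LEN];
	size_t have, need;        /* bytes consumed so far; announced body length */
};

/* Returns 1 when the message is complete, 0 if more input is needed, -1 on error. */
int hs_feed(struct hs_reasm *r, const uint8_t *data, size_t len, size_t *used)
{
	size_t n;
	*used = 0;
	if (r->have < HS_HDR_LEN) {               /* the header itself may be split */
		n = HS_MIN(HS_HDR_LEN - r->have, len);
		memcpy(r->hdr + r->have, data, n);
		r->have += n; *used += n;
		if (r->have < HS_HDR_LEN) return 0;
		r->need = ((size_t)r->hdr[1] << 16) | ((size_t)r->hdr[2] << 8) | r->hdr[3];
		if (r->need > HS_MAX_LEN) return -1;  /* bound by policy, not by chunk size */
		if (!(r->body = malloc(r->need ? r->need : 1))) return -1;
	}
	/* Copy only the body bytes still missing, never more than this chunk holds. */
	n = HS_MIN(r->need - (r->have - HS_HDR_LEN), len - *used);
	memcpy(r->body + (r->have - HS_HDR_LEN), data + *used, n);
	r->have += n; *used += n;
	return r->have - HS_HDR_LEN == r->need;
}

/* Feed a constructed type-11 (Certificate) message in chunks; returns calls made or -1. */
int demo_feed(size_t body_len, size_t chunk)
{
	struct hs_reasm r = { 0 };
	size_t total = HS_HDR_LEN + body_len, off = 0, used, i;
	uint8_t *msg = malloc(total);
	int rc = 0, calls = 0;
	if (!msg || chunk == 0) { free(msg); return -1; }
	msg[0] = 11; msg[1] = body_len >> 16; msg[2] = body_len >> 8; msg[3] = body_len;
	for (i = 0; i < body_len; i++) msg[HS_HDR_LEN + i] = (uint8_t)i;
	while (rc == 0 && off < total) {
		size_t n = HS_MIN(total - off, chunk);
		rc = hs_feed(&r, msg + off, n, &used); off += used; calls++;
	}
	if (rc == 1 && memcmp(r.body, msg + HS_HDR_LEN, body_len) != 0) rc = -1;
	free(r.body); free(msg);
	return rc == 1 ? calls : -1;
}
```

The length check compares the announced length against a fixed policy limit rather than against the size of the chunk currently in hand, so a message that spans two chunks is completed on the second call instead of being rejected.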