iPXE discussion forum

Full Version: [tls] received overlength Handshake - GoDaddy certs
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hey,

we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates.

Steps to reproduce:
  • clone latest ipxe git repo
  • enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other other defines for your needs
  • Download GoDaddy CA and intermediate cert: https://certs.godaddy.com/repository/gdroot-g2.crt and https://certs.godaddy.com/repository/gdig2.crt.pem
  • embedded script:
    Code:
    #!ipxe
    dhcp
    chain https://www.godaddy.com/
    (I know there is nothing to chainload there but it's just an example for a domain using a GoDaddy cert)
  • make bin/undionly.kpxe EMBED=chain DEBUG=tls TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem

Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show TLS ... received overlength Handshake.

If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on TLS ... overlength certificate (src/net/tls.c line 1591)this time.

Seems like len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate.

I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Anyone an idea?

Thanks in advance,
Sebastian
You might want to send this to the ipxe-devel mailing list, it generally get's noticed faster by the right people that way. (but not always)
Reference URL's