iPXE discussion forum

Full Version: HTTPS - unrecognised algorithm
Hi,

I'm having issues with HTTPS.

When chaining an HTTPS URL I'm getting: "Operation not supported (http://ipxe.org/3c00e103)"
We're using "real" certificates, so not self-signed.

I also tested on e.g. https://google.com and here it works (no error).

Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at http://snag.gy/j2i8a.jpg

I'm testing with iPXE current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358).

iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT

Fiddling with the code, basically ignoring the errors, it works.

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index aca12bf..6715685 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor,
if ( ! *algorithm ) {
DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor );
DBGC_HDA ( cursor, 0, cursor->data, cursor->len );
- return -ENOTSUP_ALGORITHM;
+ //return -ENOTSUP_ALGORITHM;
+ return 0;
}

return 0;
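
Review bot: Returning 0 from the `if ( ! *algorithm )` branch reports success while `*algorithm` is still NULL, so any caller of asn1_algorithm() that trusts the return code now receives a null algorithm pointer and can dereference it or skip the check that depended on it. Keep `return -ENOTSUP_ALGORITHM;`, use the DBGC_HDA dump just above it to identify the OID, and add or enable support for that algorithm instead. The commented-out `//return` line should also not be left in the source.
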
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 00eb226..c42bc52 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
}

DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
- return -EACCES_USELESS;
+ //return -EACCES_USELESS;
+ return 0;
}
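
Review bot: Replacing `return -EACCES_USELESS;` with `return 0;` at the end of x509_validate_chain() makes validation succeed on the path that has just logged "found no usable certificates", so every chain is accepted, including one presented by an untrusted or impersonating server, and HTTPS no longer authenticates the peer. Drop this hunk and keep the failure fatal; the thing to fix is the unrecognised algorithm reported from asn1.c, not the validation result.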

Update: Using UEFI (snponly), the above 'fix' doesn't work and gives the http://ipxe.org/err/3d00e1 error.
Do undionly and snponly do HTTPS/crypto in another way?

I could be wrong, but what are the build parameters you're using to build your binary boot files?

I believe you still need the CA chain or something for iPXE to recognize it as being valid. Even though they're "real", I don't think the iPXE binaries have a default set of "trusted root authorities" built into them, as I imagine it would significantly increase the size of the compiled files.

Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?

Hi, thanks for the reply.
The URL iPXE uses for this by default (http://ca.ipxe.org/auto/) is reachable from the client.
When chaining to e.g. https://google.com it works, but for some reason it doesn't work with our certificates (signed by TERENA SSL CA 2).
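
Decoding the bytes that the "unrecognised algorithm" debug message dumps shows which algorithm OID the build does not recognise. This is an added example, not code from the thread or from the iPXE source; it assumes the dump is a DER AlgorithmIdentifier (a SEQUENCE whose first element is the OID), and the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step into a DER element with the given tag; NULL if malformed. */
static const uint8_t *der_enter(const uint8_t *p, const uint8_t *end,
                                uint8_t tag, size_t *len) {
    if (end - p < 2 || p[0] != tag) return NULL;
    size_t n = p[1], cnt = 0;
    p += 2;
    if (n & 0x80) {                  /* long form: low 7 bits = length octets */
        cnt = n & 0x7f;
        if (!cnt || cnt > sizeof n || (size_t)(end - p) < cnt) return NULL;
        for (n = 0; cnt--; p++) n = (n << 8) | *p;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n;
    return p;
}

/* Write the dotted OID of a DER AlgorithmIdentifier to out.
 * Returns 0 on success, -1 on malformed input or a too-small buffer. */
int algid_oid(const uint8_t *der, size_t len, char *out, size_t outlen) {
    size_t n = 0, used = 0;
    const uint8_t *p = der_enter(der, der + len, 0x30, &n);    /* SEQUENCE */
    if (!p || !(p = der_enter(p, p + n, 0x06, &n)) || !n) return -1; /* OID */
    for (const uint8_t *end = p + n; p < end; ) {
        unsigned long v = 0;
        do {                         /* base-128 digits, high bit = more */
            if (p == end || v > (~0UL >> 7)) return -1;
            v = (v << 7) | (*p & 0x7f);
        } while (*p++ & 0x80);
        unsigned long a = v < 40 ? 0 : v < 80 ? 1 : 2;  /* first value packs two arcs */
        int w = used ? snprintf(out + used, outlen - used, ".%lu", v)
                     : snprintf(out, outlen, "%lu.%lu", a, v - 40 * a);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void) {
    /* Constructed sample (not from the thread): sha256WithRSAEncryption. */
    static const uint8_t dump[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
        0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 };
    char oid[64];
    if (algid_oid(dump, sizeof dump, oid, sizeof oid) != 0) return 1;
    printf("%s\n", oid);
    return 0;
}
```

The resulting dotted OID can be looked up in an OID registry to name the signature or key algorithm that the certificate chain uses.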