[tls] received overlength Handshake - GoDaddy certs
[tls] received overlength Handshake - GoDaddy certs - SebastianRoth - 2018-12-14 15:33

Hey, we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates. Steps to reproduce:
Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show TLS ... received overlength Handshake. If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on TLS ... overlength certificate (src/net/tls.c line 1591) this time. Seems like len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate.

I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Anyone have an idea?

Thanks in advance,
Sebastian

RE: [tls] received overlength Handshake - GoDaddy certs - NiKiZe - 2018-12-14 18:26

You might want to send this to the ipxe-devel mailing list, it generally gets noticed faster by the right people that way. (but not always)

RE: [tls] received overlength Handshake - GoDaddy certs - NiKiZe - 2018-12-14 18:45

Thanks! http://lists.ipxe.org/pipermail/ipxe-devel/2018-December/006395.html
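
Added example, not iPXE's code and not part of the thread: a standalone walker over TLS handshake headers (1-byte type, 3-byte length) that reports when a message declares more bytes than the buffer holds, using the 4096 and 5286 figures from the first post. The function and struct names and the 81-byte ServerHello are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HS_HDR_LEN 4 /* 1-byte type + 3-byte big-endian body length */
struct hs_walk {          /* hypothetical result type for this example */
    unsigned complete;    /* messages fully contained in the buffer */
    uint8_t bad_type;     /* type of the first message that does not fit */
    size_t declared;      /* body length that message declares */
    size_t shortfall;     /* bytes still missing to complete it */
};
/* Walk back-to-back handshake messages. Returns 0 if every message fits,
 * -1 if one declares more bytes than remain or its header is cut short. */
int hs_walk_buf(const uint8_t *buf, size_t len, struct hs_walk *w)
{
    size_t off = 0;
    memset(w, 0, sizeof(*w));
    while (len - off >= HS_HDR_LEN) {
        size_t body = (size_t)buf[off + 1] << 16 | (size_t)buf[off + 2] << 8 | buf[off + 3];
        size_t remaining = len - off - HS_HDR_LEN;
        if (body > remaining) {
            w->bad_type = buf[off];
            w->declared = body;
            w->shortfall = body - remaining;
            return -1;
        }
        w->complete++;
        off += HS_HDR_LEN + body;
    }
    if (off != len) w->shortfall = HS_HDR_LEN - (len - off); /* header cut short */
    return off == len ? 0 : -1;
}

/* Constructed input: 4096 bytes holding an 81-byte ServerHello (type 2)
 * followed by a Certificate (type 11) header declaring 5286 bytes. */
int demo(struct hs_walk *w)
{
    static uint8_t buf[4096];                 /* zero-initialised */
    buf[0] = 2;   buf[3] = 81;                /* ServerHello, 81-byte body */
    buf[85] = 11; buf[87] = 0x14; buf[88] = 0xa6; /* Certificate, 0x0014a6 = 5286 */
    return hs_walk_buf(buf, sizeof(buf), w);
}

int main(void)
{
    struct hs_walk w;
    int rc = demo(&w);
    printf("rc=%d complete=%u type=%u declared=%zu short=%zu\n", rc, w.complete, (unsigned)w.bad_type, w.declared, w.shortfall);
    return 0;
}
```

TLS allows a handshake message to be split across several records, so a shortfall like the one reported here is resolved by collecting the remaining bytes before parsing, not by skipping the length check.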