iPXE discussion forum
Thread: TLS received oversize handshake (https://forum.ipxe.org/showthread.php?tid=17631)

TLS received oversize handshake - dscoular@gmail.com - 2019-03-24 23:33

Hi All,
Our Red Hat OpenShift/Kubernetes servers appear to have been upgraded over the last few days and iPXE started giving me the following error. I've pulled the latest sources and compiled with DEBUG=tls:1 and disabled OCSP.

Here's a screen dump of the error with tls debug enabled:

https://pasteboard.co/I6XJBPp.png

Any thoughts hugely appreciated. I can provide packet traces if that helps too.

Cheers,

Doug


RE: TLS received oversize handshake - mcb30 - 2019-03-25 01:22

(2019-03-24 23:33)dscoular@gmail.com Wrote:  Our Red Hat OpenShift/Kubernetes servers appear to have been upgraded over the last few days and iPXE started giving me the following error. I've pulled the latest sources and compiled with DEBUG=tls:1 and disabled OCSP.

Here's a screen dump of the error with tls debug enabled:

https://pasteboard.co/I6XJBPp.png

Any thoughts hugely appreciated. I can provide packet traces if that helps too.

There was a recent feature enhancement to add support for RFC5077 stateless session resumption (aka session tickets). This may cause the server to send a longer ServerHello message, and it's plausible that this causes the handshake message to be split across multiple records. iPXE doesn't currently handle TLS record reassembly and would instead give the message that you are seeing.

Michael
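To make the failure mode Michael describes concrete, here is an added example (not iPXE code, and not from this thread) contrasting a parser that expects each handshake message to fit inside one TLS record with one that reassembles a message across record boundaries. The record/handshake layouts follow RFC 5246; the buffer cap, function names and the 304-byte ServerHello sample are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_TYPE_HANDSHAKE 22
#define MAX_HANDSHAKE 4096  /* illustrative buffer cap; an assumption, not iPXE's value */

struct hs_reasm {
    uint8_t buf[MAX_HANDSHAKE];
    size_t len;  /* handshake bytes accumulated across records so far */
};

/* Model of a parser without record reassembly: it expects the whole handshake
 * message inside the current record and rejects anything longer as oversize.
 * Returns 1 if the message fits in this record, -1 otherwise. */
int hs_parse_single_record(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 9 || rec[0] != TLS_TYPE_HANDSHAKE) return -1;
    size_t plen = ((size_t)rec[3] << 8) | rec[4];
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    return (hs_len + 4 <= plen) ? 1 : -1;
}

/* Feed one TLS record into the reassembly buffer. Returns 1 when a complete
 * handshake message is buffered, 0 if more fragments are needed, -1 on error. */
int hs_feed_record(struct hs_reasm *r, const uint8_t *rec, size_t rec_len) {
    if (rec_len < 5 || rec[0] != TLS_TYPE_HANDSHAKE) return -1;
    size_t plen = ((size_t)rec[3] << 8) | rec[4];
    if (plen + 5 != rec_len || r->len + plen > MAX_HANDSHAKE) return -1;
    memcpy(r->buf + r->len, rec + 5, plen);
    r->len += plen;
    if (r->len < 4) return 0;  /* 4-byte handshake header not yet complete */
    size_t hs_len = ((size_t)r->buf[1] << 16) | ((size_t)r->buf[2] << 8) | r->buf[3];
    if (hs_len + 4 > MAX_HANDSHAKE) return -1;  /* genuinely oversize: reject */
    return (r->len >= hs_len + 4) ? 1 : 0;
}

/* Constructed sample: a 304-byte ServerHello (type 2, 300-byte dummy body)
 * that the server has split into two records carrying 200 and 104 payload
 * bytes. rec1 must hold 205 bytes and rec2 109 bytes. */
void build_split_records(uint8_t *rec1, size_t *len1, uint8_t *rec2, size_t *len2) {
    uint8_t msg[304] = { 2, 0x00, 0x01, 0x2c };  /* ServerHello, length 300 */
    memset(msg + 4, 0xAB, 300);
    const uint8_t hdr[5] = { TLS_TYPE_HANDSHAKE, 0x03, 0x03, 0x00, 200 };
    memcpy(rec1, hdr, 5); memcpy(rec1 + 5, msg, 200); *len1 = 205;
    memcpy(rec2, hdr, 5); rec2[4] = 104; memcpy(rec2 + 5, msg + 200, 104); *len2 = 109;
}
```

With the sample, the single-record parser rejects the first record because its length field announces 304 handshake bytes while the record carries only 200, whereas the reassembling parser reports "more needed" after the first record and "complete" after the second.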