iPXE discussion forum
HTTPS - unrecognised algorithm - Printable Version




HTTPS - unrecognised algorithm - wimwerk - 2015-06-02 19:04

Hi,

I'm having issues with HTTPS.

When chaining a https URL I'm getting: "Operation not supported (http://ipxe.org/3c00e103)"
We're using "real" certificates, so not self-signed.

I also tested on e.g. https://google.com and here it works (no error).

Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at http://snag.gy/j2i8a.jpg

I'm testing with ipxe current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358)

iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT

Fiddling with the code, basically ignoring the errors, it works.

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index aca12bf..6715685 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor,
if ( ! *algorithm ) {
DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor );
DBGC_HDA ( cursor, 0, cursor->data, cursor->len );
- return -ENOTSUP_ALGORITHM;
+ //return -ENOTSUP_ALGORITHM;
+ return 0;
}

return 0;
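
Review bot: returning 0 from the "if ( ! *algorithm )" branch of asn1_algorithm reports success while *algorithm is still NULL, so a caller that trusts the return value carries on with an algorithm that was never identified. Keep "return -ENOTSUP_ALGORITHM;" and use the DBGC_HDA dump just above it to work out which algorithm identifier the build does not recognise, then add support for that instead. If the change stays as a local debugging aid, drop the commented-out "//return" line rather than leaving dead code behind.
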
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 00eb226..c42bc52 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
}

DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
- return -EACCES_USELESS;
+ //return -EACCES_USELESS;
+ return 0;
}
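
Review bot: the last return of x509_validate_chain, reached after the "found no usable certificates" debug message, now returns 0, so a chain in which nothing could be validated is reported as valid and certificate verification is effectively switched off. Keep "return -EACCES_USELESS;" here and fix the cause of the unusable certificates rather than masking it at the point where the chain is judged.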


RE: HTTPS - unrecognised algorithm - wimwerk - 2015-06-03 09:31

Update: Using UEFI (snponly) the above 'fix' doesn't work and gives http://ipxe.org/err/3d00e1 error.
Do undionly and snponly do HTTPS/crypto in another way?


RE: HTTPS - unrecognised algorithm - mastacontrola - 2015-06-03 16:45

I could be wrong, but what are the build parameters you're using to build your binary boot files?

I believe you still need the CA Chain or something for iPXE to recognize it as being valid. Even though they're "real", I don't think the iPXE binaries have a default set of "trusted root authorities" built into them, as I imagine it would significantly increase the size of the compiled files.

Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?


RE: HTTPS - unrecognised algorithm - wimwerk - 2015-06-04 08:59

Hi, thanks for the reply.
The URL iPXE uses for this by default (http://ca.ipxe.org/auto/) is reachable from the client.
When chaining to e.g. https://google.com it works, but for some reason it doesn't work with our certificates (signed by TERENA SSL CA 2).