HTTPS - unrecognised algorithm - iPXE discussion forum (https://forum.ipxe.org)
HTTPS - unrecognised algorithm - wimwerk - 2015-06-02 19:04

Hi,

I'm having issues with HTTPS. When chaining a https URL I'm getting: "Operation not supported (http://ipxe.org/3c00e103)"

We're using "real" certificates, so not self-signed. I also tested on e.g. https://google.com and here it works (no error).

Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at http://snag.gy/j2i8a.jpg

I'm testing with ipxe current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358)

iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT

Fiddling with the code, basically ignoring the errors, it works.

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c index aca12bf..6715685 100644 --- a/src/crypto/asn1.c +++ b/src/crypto/asn1.c @@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor, if ( ! *algorithm ) { DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor ); DBGC_HDA ( cursor, 0, cursor->data, cursor->len ); - return -ENOTSUP_ALGORITHM; + //return -ENOTSUP_ALGORITHM; + return 0; } return 0; diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 00eb226..c42bc52 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c 
@@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time, } DBGC ( chain, "X509 chain %p found no usable certificates\n", chain ); - return -EACCES_USELESS; + //return -EACCES_USELESS; + return 0; }

RE: HTTPS - unrecognised algorithm - wimwerk - 2015-06-03 09:31

Update: Using UEFI (snponly) the above 'fix' doesn't work and gives http://ipxe.org/err/3d00e1 error.

Do undionly and snponly do https/crypto in another way?

RE: HTTPS - unrecognised algorithm - mastacontrola - 2015-06-03 16:45

I could be wrong, but what are the build parameters you're using to build your binary boot files?

I believe you still need the CA Chain or something for iPXE to recognize it as being valid. Even though they're "real" I don't think the iPXE binaries have a default set of "trusted root authorities" built into them as I imagine it would significantly increase the size of the compiled files.

Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?

RE: HTTPS - unrecognised algorithm - wimwerk - 2015-06-04 08:59

Hi, thanks for the reply.

The URL ipxe uses for this by default (http://ca.ipxe.org/auto/) is reachable from the client. When chaining to e.g. https://google.com it works, but for some reason it doesn't work with our certificates (signed by TERENA SSL CA 2).
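Review bot: In the src/crypto/asn1.c hunk (asn1_algorithm, inside the `if ( ! *algorithm )` branch), returning 0 reports success while `*algorithm` is still NULL, so any caller that treats a zero return as "algorithm identified" is handed a null algorithm pointer. The debug message still says "unrecognised algorithm" but the condition is no longer an error. Keep `return -ENOTSUP_ALGORITHM;` here and address the certificate's algorithm itself; the old line should also not be left behind as a `//` comment.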
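Review bot: In the src/crypto/x509.c hunk (end of x509_validate_chain), the `return 0;` placed directly after the "found no usable certificates" message makes the function report a validated chain when nothing in it was validated. With this in place every chain passes, so HTTPS no longer authenticates the server at all. Keep `return -EACCES_USELESS;` and fix the underlying reason the chain is rejected; as in the asn1.c hunk, drop the commented-out line rather than leaving it in the source.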