[tls] received overlength Handshake - GoDaddy certs

[SebastianRoth]

Hey,

we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates.

Steps to reproduce:

• clone latest ipxe git repo
• enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other other defines for your needs
• Download GoDaddy CA and intermediate cert: https://certs.godaddy.com/repository/gdroot-g2.crt and https://certs.godaddy.com/repository/gdig2.crt.pem
• embedded script:
  
  Code:
  

  #!ipxe
dhcp
chain https://www.godaddy.com/
  (I know there is nothing to chainload there but it's just an example for a domain using a GoDaddy cert)
• make bin/undionly.kpxe EMBED=chain DEBUG=tls TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem
  

Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show TLS ... received overlength Handshake.

If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on TLS ... overlength certificate (src/net/tls.c line 1591)this time.

Seems like len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate.

I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Anyone an idea?

Thanks in advance,
Sebastian

[NiKiZe]

You might want to send this to the ipxe-devel mailing list, it generally get's noticed faster by the right people that way. (but not always)

[NiKiZe]

Thanks!
http://lists.ipxe.org/pipermail/ipxe-dev...06395.html