Search
Member List
Calendar
Help
|
Problem with certificates
|
|
2014-07-22, 16:17
Post: #17
|
|||
|
|||
RE: Problem with certificates
Quote:Could you please confirm that iPXE supports "full renegotiation" ? Because the difference between wget and iPXE is : Renegotiation is an optional part of TLS, and is not supported by iPXE. Since it is optional, servers should never be configured to require renegotiation. Michael [/quote] Thanks for the reply. Here is the log of the connexion : sleeping 3 sec . https://http.srv.bx//tftpboot_per_node/r...x86_64...^[[33mTLS 0xe56d4 using protocol version 3.3 ^[[0m^[[33mTLS 0xe56d4 selected rsa-aes_cbc-256-sha256 ^[[0m^[[33mTLS 0xe56d4 pre-master-secret: ^[[0m^[[33m000e575c : 03 03 c4 1d b4 eb 29 b6-11 e8 07 64 6b 50 67 74 : ......)....dkPgt 000e576c : ae a3 f0 f7 67 fd d4 22-91 58 a2 32 17 b7 48 87 : ....g..".X.2..H. 000e577c : f9 4d af 3a ab 11 99 3e-5c 3a b3 b8 0d 24 06 16 : .M.:...>\:...$.. ^[[0m^[[33mTLS 0xe56d4 client random bytes: ^[[0m^[[33m000e57dc : 24 7f ce 53 93 43 63 e8-97 4a d2 a2 fd 5a 35 50 : $..S.Cc..J...Z5P 000e57ec : 85 87 65 31 82 d4 bc 85-55 13 18 5f 57 83 3a 52 : ..e1....U.._W.:R ^[[0m^[[33mTLS 0xe56d4 server random bytes: ^[[0m^[[33m000e57bc : 53 ce 7f 0e bb 81 14 c6-18 d8 e3 64 2a 2c f3 fe : S..........d*,.. 000e57cc : d1 ba e2 9d ee a6 98 05-11 83 98 18 6f 05 d7 ce : ............o... ^[[0m^[[33mTLS 0xe56d4 generated master secret: ^[[0m^[[33m000e578c : 84 fb ce 25 e1 51 11 51-5a 62 1e c8 33 a5 d8 48 : ...%.Q.QZb..3..H 000e579c : ca e5 23 3a 31 63 55 ab-00 f0 4c 0d 43 f8 ae 40 : ..#:1cU...L.C..@ 000e57ac : c4 95 a0 27 c1 d1 38 0c-3e 42 55 db d5 39 b6 bf : ...'..8.>BU..9.. ^[[0m^[[33mTLS 0xe56d4 TX MAC secret: ^[[0m^[[33m00170bec : e1 18 a3 2d 64 4f 32 96-3b 5c 50 22 58 40 05 12 : ...-dO2.;\P"X@.. 00170bfc : 9a 34 e4 1c 38 de 7c 5a-0a c2 98 20 d6 29 22 65 : .4..8.|Z... .)"e ^[[0m^[[33mTLS 0xe56d4 RX MAC secret: ^[[0m^[[33m00170c0c : ff 3f 4e 97 65 24 38 b7-da 30 2a bb be 77 b5 ea : .?N.e$8..0*..w.. 00170c1c : 69 2b 2b a6 b2 cf 34 4d-fd 32 28 36 78 02 a4 74 : i++...4M.2(6x..t ^[[0m^[[33mTLS 0xe56d4 TX key: ^[[0m^[[33m00170c2c : e9 32 51 f5 d7 2a 25 38-78 d8 da 46 cf 07 7a 23 : .2Q..*%8x..F..z# 00170c3c : c4 47 9a 82 32 83 8b 9e-db 50 41 fa 86 39 03 22 : .G..2....PA..9." ^[[0m^[[33mTLS 0xe56d4 RX key: ^[[0m^[[33m00170c4c : 8f c4 10 c2 68 12 5a 1f-2d 55 de fd ad c5 77 e1 : ....h.Z.-U....w. 00170c5c : 04 98 a1 a8 7f a5 a5 a0-a9 e5 a0 4b 0d 4a 7c 41 : ...........K.J|A ^[[0m^[[33mTLS 0xe56d4 TX IV: ^[[0m^[[33m00170c6c : 5c f8 60 40 29 97 3a 79-65 83 e6 f8 ae 7a 43 b9 : \.`@).:ye....zC. ^[[0m^[[33mTLS 0xe56d4 RX IV: ^[[0m^[[33m00170c7c : 0a aa 5a 56 13 90 27 e2-9d ee 54 2a b2 4e b6 b3 : ..ZV..'...T*.N.. ^[[0m^[[32mCERTSTORE added certificate http.srv.bx ^[[0m^[[34mX509 chain 0xe43a4 added X509 0xe5ce4 "http.srv.bx" ^[[0m^[[33mTLS 0xe56d4 found certificate http.srv.bx ^[[0m^[[34mX509 chain 0xe43a4 added X509 0x15cb98 "DisklessRootCA" ^[[0m^[[33mTLS 0xe56d4 found certificate DisklessRootCA ^[[0m^[[35mX509 0x15cb98 "DisklessRootCA" is a root certificate ^[[0m^[[36mX509 0xe5ce4 "http.srv.bx" successfully validated using ^[[0m^[[36missuer 0x15cb98 "DisklessRootCA" ^[[0m^[[33mTLS 0xe56d4 certificate validation succeeded ^[[0m^[[33mTLS 0xe56d4 ignoring handshake type 0 ^[[0m.................... Connection reset (http://ipxe.org/0f0c6039) Could not boot image: Connection reset (http://ipxe.org/0f0c6039) No more network devices !ignoring handshake type 0! iPXE with http over SSL works well in its standard usage: the fact for a client to trust the connection with the server thanks to the root certificate embedded with the ipxe binary in order to get a trusted enciphered communication between those peers. But when we also embed client certificate (with a private key without passphrase) to authenticate it, it seems that the use of SSLVerifyClient in Apache (which is necessary to authenticate the client) leads to a SSL renegociation (this happens each time and we have no idea to avoid this behaviour). Since you say it is an optional feature of TLS and not implemented into ipxe, could we consider the client authentification is not a feature which is available in ipxe ? Or could you please give me a apache configuration to test, because I'm lost :-( https://devcentral.f5.com/articles/ssl-p...egotiation Thanks a lot ! Welty |
|||
|
|
« Next Oldest | Next Newest »
|
User(s) browsing this thread: 2 Guest(s)