Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
HTTPS - unrecognised algorithm
2015-06-02, 19:04
Post: #1
HTTPS - unrecognised algorithm
Hi,

I'm having issues with HTTPS.

When chaining a https URL I'm getting: "Operation not supported (http://ipxe.org/3c00e103)"
We're using "real" certificates, so not self-signed.

I also tested on e.g https://google.com and here it works (no error)

Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at http://snag.gy/j2i8a.jpg

I'm testing with ipxe current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358)

iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP HTTPS iSCSI TFTP AoE ELF MBOOT PXE bzImage Menu PXEXT

Fiddling with the code, basically ignoring the errors, it works.

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index aca12bf..6715685 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor,
if ( ! *algorithm ) {
DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor );
DBGC_HDA ( cursor, 0, cursor->data, cursor->len );
- return -ENOTSUP_ALGORITHM;
+ //return -ENOTSUP_ALGORITHM;
+ return 0;
}

return 0;
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 00eb226..c42bc52 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,
}

DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
- return -EACCES_USELESS;
+ //return -EACCES_USELESS;
+ return 0;
}
Find all posts by this user
Quote this message in a reply
2015-06-03, 09:31
Post: #2
RE: HTTPS - unrecognised algorithm
Update: Using uefi (snponly) the above 'fix' doesn't work and gives http://ipxe.org/err/3d00e1 error.
Do undionly and snponly do https/crypto in another way ?
Find all posts by this user
Quote this message in a reply
2015-06-03, 16:45
Post: #3
RE: HTTPS - unrecognised algorithm
I could be wrong, but what are the build parameters you're using to build your binary boot files?

I believe, you still need the CA Chain or something for iPXE to recognize it as being valid. Even though they're "real" I don't think the iPXE binaries have a default set of "trusted root authorities" built into them as I imagine it would significantly increase the size of the compiled files.

Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?
Visit this user's website Find all posts by this user
Quote this message in a reply
2015-06-04, 08:59
Post: #4
RE: HTTPS - unrecognised algorithm
Hi thanks for the reply.
The URL ipxe uses for this by default (http://ca.ipxe.org/auto/) is reachable from the client.
when chaining to eg https://google.com it works, but for some reason it doesn't work with our certificates. (signed by terena ssl ca 2)
Find all posts by this user
Quote this message in a reply
Post Reply 




User(s) browsing this thread: 1 Guest(s)