HTTPS - unrecognised algorithm
2015-06-02, 19:04
Post: #1
HTTPS - unrecognised algorithm

I'm having issues with HTTPS.

When chaining an HTTPS URL I'm getting: "Operation not supported ("
We're using "real" certificates, so not self-signed.

I also tested on e.g and here it works (no error)

Recompiled with DEBUG=asn1 and it seems that the unrecognised algorithm is part of a certificate. See screenshot at

I'm testing with ipxe current from git (commit 6b7157c233541a4cb3c90021e8ca219b0b5dd358)

iPXE 1.0.0+ (6b71) -- Open Source Network Boot Firmware --

Fiddling with the code, basically ignoring the errors, it works.

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index aca12bf..6715685 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -507,7 +507,8 @@ int asn1_algorithm ( const struct asn1_cursor *cursor,
if ( ! *algorithm ) {
DBGC ( cursor, "ASN1 %p unrecognised algorithm:\n", cursor );
DBGC_HDA ( cursor, 0, cursor->data, cursor->len );
+ return 0;

return 0;
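Review bot: The added `return 0;` inside the `if ( ! *algorithm )` branch makes asn1_algorithm() report success while `*algorithm` is still NULL, so a caller that trusts the zero return has no algorithm to verify with and an unsupported algorithm is silently accepted. Keep an error return in this branch and use the DBGC_HDA dump printed just above it to identify which algorithm is missing.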
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 00eb226..c42bc52 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1763,7 +1763,8 @@ int x509_validate_chain ( struct x509_chain *chain, time_t time,

DBGC ( chain, "X509 chain %p found no usable certificates\n", chain );
+ //return -EACCES_USELESS;
+ return 0;
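Review bot: Returning 0 right after the "found no usable certificates" message makes x509_validate_chain() succeed when nothing in the chain validated, which turns off certificate verification for every HTTPS server rather than working around one certificate. Keep `return -EACCES_USELESS;` and fix the cause of the failure instead; as a style point, do not leave the old return behind as a `//` comment.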
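To find out which algorithm the certificate uses instead of bypassing the check, the OID in the DEBUG=asn1 hex dump can be decoded. This is an added example, not part of the original thread and not iPXE code; it assumes the dump starts with a DER AlgorithmIdentifier (a SEQUENCE whose first element is an OID), and `der_header`, `algid_oid_to_string` and the sample bytes are hypothetical names and data made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, NOT from the poster's screenshot: sha256WithRSAEncryption */
static const unsigned char sample_algid[] = {
	0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
	0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 };

/* Check a DER tag with a short-form length (long-form bodies are rejected) */
static int der_header ( const unsigned char *p, size_t len, unsigned char tag, size_t *body_len ) {
	if ( len < 2 || p[0] != tag || ( p[1] & 0x80 ) || p[1] > len - 2 ) return -1;
	*body_len = p[1];	/* body must fit; trailing dump bytes are ignored */
	return 2;
}

/* Decode the OID inside an AlgorithmIdentifier to dotted form; returns 0 or -1 */
int algid_oid_to_string ( const unsigned char *der, size_t len,
			  char *out, size_t out_len ) {
	size_t seq_len, oid_len, i, used = 0;
	unsigned long arc = 0, a;
	int hdr, w, first = 1;
	if ( ( hdr = der_header ( der, len, 0x30, &seq_len ) ) < 0 ) return -1;
	der += hdr;
	if ( ( hdr = der_header ( der, seq_len, 0x06, &oid_len ) ) < 0 ) return -1;
	der += hdr;
	if ( oid_len == 0 || ( der[oid_len - 1] & 0x80 ) ) return -1;
	for ( i = 0 ; i < oid_len ; i++ ) {
		if ( arc >> ( sizeof ( arc ) * 8 - 7 ) ) return -1; /* arc overflow */
		arc = ( arc << 7 ) | ( der[i] & 0x7f );	/* base-128 digits */
		if ( der[i] & 0x80 ) continue;		/* more digits follow */
		a = ( arc < 80 ) ? arc / 40 : 2;	/* first value packs two arcs */
		w = first ? snprintf ( out + used, out_len - used, "%lu.%lu", a, arc - a * 40 )
			  : snprintf ( out + used, out_len - used, ".%lu", arc );
		if ( w < 0 || ( size_t ) w >= out_len - used ) return -1;
		used += ( size_t ) w; arc = 0; first = 0;
	}
	return 0;
}

int main ( void ) {
	char buf[64];
	if ( algid_oid_to_string ( sample_algid, sizeof ( sample_algid ),
				   buf, sizeof ( buf ) ) ) return 1;
	return puts ( buf ) < 0;
}
```

The dotted OID can then be looked up to see which algorithm the firmware build would need to support.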
2015-06-03, 09:31
Post: #2
RE: HTTPS - unrecognised algorithm
Update: Using UEFI (snponly) the above 'fix' doesn't work and gives an error.
Do undionly and snponly do HTTPS/crypto in another way?
2015-06-03, 16:45
Post: #3
RE: HTTPS - unrecognised algorithm
I could be wrong, but what are the build parameters you're using to build your binary boot files?

I believe you still need the CA chain or something for iPXE to recognize it as being valid. Even though they're "real", I don't think the iPXE binaries have a default set of "trusted root authorities" built into them, as I imagine it would significantly increase the size of the compiled files.

Again, this is just speculation, I don't have a means to test/verify this to further help you out so maybe one of the Devs of iPXE can help shed some light as well?
2015-06-04, 08:59
Post: #4
RE: HTTPS - unrecognised algorithm
Hi, thanks for the reply.
The URL iPXE uses for this by default ( is reachable from the client.
When chaining to eg it works, but for some reason it doesn't work with our certificates (signed by terena ssl ca 2).