optional client cert issue
2015-08-21, 01:49
Post: #1
optional client cert issue
Looks like I'm running into a known issue with optional client certs. When I try to chain boot from our https server I'm running into http://ipxe.org/err/410de3 which is not surprising given our setup. I found this via web search - http://lists.ipxe.org/pipermail/ipxe-dev...03989.html

Anyone know if there is a workaround? Compile-time option to not include client cert support maybe?
2015-08-23, 21:55
Post: #2
RE: optional client cert issue
(2015-08-21 01:49)jcline Wrote:  Looks like I'm running into a known issue with optional client certs. When I try to chain boot from our https server I'm running into http://ipxe.org/err/410de3 which is not surprising given our setup. I found this via web search - http://lists.ipxe.org/pipermail/ipxe-dev...03989.html

Anyone know if there is a workaround? Compile-time option to not include client cert support maybe?

I've pushed what should be a fix to a temporary branch at http://git.ipxe.org/people/mcb30/ipxe.gi...ds/optcert.

Could you please try this code and let me know:

a) does it fix your problem? (i.e. does it continue the TLS connection when the server requests a certificate but iPXE has not been given any client certificate or private key?)

b) does it correctly provide the client certificate when iPXE is given a client certificate and private key to use?

If you can confirm both of these, then I can push the code to the master branch.

Thanks,

Michael
2015-08-24, 21:59
Post: #3
RE: optional client cert issue
Thanks Michael for jumping on this. Without baking in a trusted root I get a http://ipxe.org/err/420c60 (broken pipe) - unfortunately without much more info. I'll try flipping debug on here and see if I can get any more details. Also instead of doing a chain I'll try doing an imgfetch and imgstat, see if I can kinda bisect the problem a little. If we get there I'll try adding the cert and see what happens.

Any other debug suggestions?
2015-08-24, 23:01
Post: #4
RE: optional client cert issue
(2015-08-24 21:59)jcline Wrote:  Thanks Michael for jumping on this. Without baking in a trusted root I get a http://ipxe.org/err/420c60 (broken pipe) - unfortunately without much more info. I'll try flipping debug on here and see if I can get any more details. Also instead of doing a chain I'll try doing an imgfetch and imgstat, see if I can kinda bisect the problem a little. If we get there I'll try adding the cert and see what happens.

Any other debug suggestions?

That error indicates that the HTTP(S) server closed the socket at an unexpected stage. It's most likely that the server closed the socket before TLS negotiation was complete: the HTTP layer would see this as an unexpected close.

Building with DEBUG=tls,x509,validator should show most of the relevant debug events.

Michael
2015-08-26, 01:20
Post: #5
RE: optional client cert issue
Sorry Michael, I'm struggling to get good logs, strip the escape codes etc. There is nothing sticking out like a sore thumb to me; as a matter of fact, I see a lot of 'successfully validated using issuer' and 'certificate validation succeeded'. I don't see a failure in the bunch. I may have to transpose them by hand if you need the detailed stack. I'll try again tomorrow AM.
2015-08-26, 02:02
Post: #6
RE: optional client cert issue
(2015-08-26 01:20)jcline Wrote:  Sorry Michael, I'm struggling to get good logs, strip the escape codes etc. There is nothing sticking out like a sore thumb to me; as a matter of fact, I see a lot of 'successfully validated using issuer' and 'certificate validation succeeded'. I don't see a failure in the bunch. I may have to transpose them by hand if you need the detailed stack. I'll try again tomorrow AM.

One possibility (if you're on a relatively slow connection) is that the process of validating the certificate chain (including all of the OCSP lookups) could be taking so long that the HTTPS server gives up waiting and closes the socket. That would produce the symptoms you've described so far.

If this is happening, you can work around it by retrying the HTTPS request within the same iPXE run. Certificate validation results are cached, so the second validation won't take as long.

Michael
2015-09-04, 02:53
Post: #7
RE: optional client cert issue
Sorry, it's been a long week of talking to the security folks. So doing a chain [url] || chain [url] isn't getting me any farther. From what I can tell it isn't retrying after the broken pipe. http://ipxe.org/err/420c60 I tried doing a bunch of echos in between the retry and it just doesn't look like it's happening.
2015-09-04, 03:52
Post: #8
RE: optional client cert issue
(2015-09-04 02:53)jcline Wrote:  Sorry, it's been a long week of talking to the security folks. So doing a chain [url] || chain [url] isn't getting me any farther. From what I can tell it isn't retrying after the broken pipe. http://ipxe.org/err/420c60 I tried doing a bunch of echos in between the retry and it just doesn't look like it's happening.

OK. The scripting language is definitely not broken, so something is wrong in your test setup.

Try going to the command line and doing "imgfetch <url>". This will fail, but you should end up back at the command prompt. Retry the same "imgfetch <url>" command.

Michael
2015-09-22, 01:47
Post: #9
RE: optional client cert issue
OK, sorry for the long pause, I've been dealing with the people that own the server end. I currently have an exception, so in the meantime I've set up another environment to reproduce and started using qemu to simplify things a little. Reproduction is identical to the original setup.

Yeah - scripting is definitely not broken, but serial consoles and physical machines with long POSTs do make things more difficult to grok. I'm seeing the same error during multiple attempts. Error: Broken pipe 420c6001. Lots of X509 chain added and TLS found certificate messages followed by a certificate requested but no private key available, then a TLS certificate validation succeeded and then *boom* broken pipe. Looks pretty much the same during both attempts.
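As an added example (not code from this thread or from iPXE): a small Python helper that strips the terminal escape codes jcline mentions from a serial-console capture and tallies the TLS/x509 debug events described in post #9, so the sequence leading up to the broken pipe can be read off a raw log. The sample capture, hostname, handle values and message wording are constructed and paraphrased from the thread; they are assumptions, not real iPXE debug strings.

```python
import re

# Constructed sample: roughly what a raw serial capture of an iPXE run built
# with DEBUG=tls,x509,validator might look like, with ANSI escapes mixed in.
# Message texts are paraphrased from the thread, not copied from iPXE source.
SAMPLE_LOG = (
    "\x1b[2J\x1b[1;1HiPXE> chain https://boot.example.invalid/boot.ipxe\n"
    "\x1b[0mX509 0x1a2b3c \"boot.example.invalid\" added to chain\n"
    "TLS 0x4d5e6f found certificate \"boot.example.invalid\"\n"
    "TLS 0x4d5e6f certificate requested but no private key available\n"
    "\x1b[31mTLS 0x4d5e6f certificate validation succeeded\x1b[0m\n"
    "Error: Broken pipe 420c6001\n"
)

# CSI sequence: ESC '[' parameters, optional intermediates, one final byte.
ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

def strip_ansi(text: str) -> str:
    """Remove colour/cursor escape sequences from a console capture."""
    return ANSI_RE.sub("", text)

# Handshake stages mentioned in the thread, in the order they were observed.
EVENTS = [
    ("chain_added", "added to chain"),
    ("cert_found", "found certificate"),
    ("client_cert_requested_no_key", "certificate requested but no private key"),
    ("validation_ok", "certificate validation succeeded"),
    ("broken_pipe", "Broken pipe"),
]

def summarize_tls_events(raw: str) -> dict:
    """Count each event and pull out iPXE error codes from a debug capture."""
    clean = strip_ansi(raw)
    counts = {name: 0 for name, _ in EVENTS}
    for line in clean.splitlines():
        for name, marker in EVENTS:
            if marker in line:
                counts[name] += 1
    error_codes = re.findall(r"Error: .*?\b([0-9a-f]{8})\b", clean)
    if counts["client_cert_requested_no_key"] and counts["broken_pipe"]:
        hint = "server asked for a client cert iPXE could not supply; peer closed early"
    elif counts["broken_pipe"]:
        hint = "peer closed before the handshake completed; check server-side timeouts"
    else:
        hint = "no unexpected close seen"
    return {"counts": counts, "error_codes": error_codes, "hint": hint}
```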