From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id A75E5740041 for ; Thu, 26 Oct 2023 16:26:53 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=qzNNrUqEmDDbfErKl40ay4zeF//eduCGSySMVEO0IUo=; c=relaxed/simple; d=groups.io; h=Message-ID:Date:MIME-Version:Subject:To:References:From:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Language:Content-Type:Content-Transfer-Encoding; s=20140610; t=1698337612; v=1; b=uM7OjeXGWNzhQukSI4dZr+3630K7fSkkJIt9GlGFU1sUtHsikKFfa1w6wQZ1VhqanKS7ZXpS 9ou1H84JDhF//zoKUkSNSteeUW5/bjzfRYohZ2OtMHSSBgLLRIeXRms0goTgh1HnRf+T6q+YzGg wxxMMo/FsLPbKjeXKaijbqDo= X-Received: by 127.0.0.2 with SMTP id xjaeYY7687511xidLUsfb9T6; Thu, 26 Oct 2023 09:26:52 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.204907.1698337611641861357 for ; Thu, 26 Oct 2023 09:26:51 -0700 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-478-jdo_RU7JMTCF6iO-rZ_PFw-1; Thu, 26 Oct 2023 12:26:46 -0400 X-MC-Unique: jdo_RU7JMTCF6iO-rZ_PFw-1 X-Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1338D101A529; Thu, 26 Oct 2023 16:26:46 +0000 (UTC) X-Received: from [10.39.192.119] (unknown [10.39.192.119]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A049B492BE7; Thu, 26 Oct 2023 16:26:45 +0000 (UTC) Message-ID: <2502b234-23e7-a72e-1aa2-5b2318764aaa@redhat.com> Date: Thu, 26 Oct 2023 18:26:44 +0200 MIME-Version: 1.0 Subject: Re: [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate To: devel@edk2.groups.io, jacopo.r00ta@gmail.com References: From: "Laszlo Ersek" In-Reply-To: X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: d4ea4eqmTFV8SiuGCG9uEppDx7686176AA= Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=uM7OjeXG; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On 10/26/23 14:37, jacopo.r00ta@gmail.com wrote: > Hi there, >=20 > I was trying to HTTPs boot a virtual machine with the following scenario: >=20 > 1) I have a self signed root CA /root.crt /and then I use it to sign > another self signed certificate /myip.crt /for the IP address X.X.X.X > 2) I have an NGINX server configured to use SSL with the /myip.crt > /certificate and its key. > 3) I have a UEFI virtual machine configured to HTTPs boot and trust the > CA certificate /root.crt /. How exactly did you configure your VM (runnig presumably ArmVirtQemu or OVMF) to accept the root certificate? See the SetCaCerts() function in "OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c". See also the "HTTPS Boot" section in "OvmfPkg/README" If you build OVMF with DEBUG_VERBOSE enabled (pass "--pcd=3DgEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel=3D0x8040004F" to "build"), and attach the firmware log (search "OvmfPkg/README" for "debugcon"), that might help with the analysis. It's quite possible that the certificate chain you've created is not accepted by how edk2 uses OpenSSL, but we need to check more closely to determine that. Can you include a textual dump of your CA cert / server cert, too? Laszlo >=20 > Unfortunately the machine fails in the SSL handshake step and then the > UEFI config page is shown again. Using for example /curl --cacert > root.crt X.X.X.X /it works perfectly fine (also forcing curl to use tls > 1.2). >=20 > In addition to that, if I do not use a root certificate for the server's > IP (i.e. I do not build a chain of certificates), the machine boots fine. >=20 > Unfortunately I don't have a physical server to make a real test. Is > this a missing feature, a bug, or am I doing it completely wrong? >=20 > Thank you very much! >=20 >=20 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#110127): https://edk2.groups.io/g/devel/message/110127 Mute This Topic: https://groups.io/mt/102201552/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/12367111/7686176/19134562= 12/xyzzy [rebecca@openfw.io] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-