From: Samer El Haj Mahmoud
To: Santhapur Naveen; "Palmer, Thomas"; edk2-devel@lists.01.org
Subject: Re: Issues with HTTPS Boot
Date: Thu, 22 Sep 2016 15:12:25 +0000
Message-ID: <54EF1A77C479D840AF005ED34A3DC6597041C6@USMAILMBX02>
In-Reply-To: <625A2455CC232F40B0F38F05ACED6D978C2C2C5E@VENUS1.in.megatrends.com>

Naveen,

Are you using the latest code from the edk2-staging branch?
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Thursday, September 22, 2016 7:07 AM
To: Palmer, Thomas; edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot

Hi Thomas,

Regarding your previous question about the server certificates, please find my response below:

Do you have the appropriate certificate installed in UEFI for the target TLS server?

Yes, I do have the appropriate certificate installed on my server. I have followed section 2.2, titled "Self-Generated Certificate", in the white paper to generate the certificates.

I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found out that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".

If I'm missing anything anywhere, would you please provide your comments.

Thank you,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Thursday, September 22, 2016 12:56 AM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.

Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.

Also, are you able to see any DEBUG statements from TlsLib.c?
Regards,
Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
Sent: Wednesday, September 21, 2016 8:09 AM
To: Palmer, Thomas; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Hi Thomas,

Regarding my previous mail, after the TCP handshake, the Client says Hello to the server and the Server replies with its Hello to the client with TLSv1.

Client says hello with the following Cipher Suites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

For the Client Hello, the Server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.

After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?

Thanks,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Tuesday, September 20, 2016 9:30 PM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

I cannot see attachments on this email.

What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.
Regards,
Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Tuesday, September 20, 2016 6:42 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Issues with HTTPS Boot

Hello All,

Since the HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers

But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.

Thank you,
Naveen

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
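The ClientHello/ServerHello exchange Naveen describes in the thread above (five suites offered, server picks TLS_RSA_WITH_AES_128_CBC_SHA under TLSv1), as an added example that is not code from the thread or from EDK II: it builds both Hello messages from the captured values, parses them back, and applies the two checks a client runs on a ServerHello before it reaches the Certificate step. The builder and parser functions, the minimal layout with no session id and no extensions, and the check wording are assumptions of this example.

```python
import struct

# Cipher suites from the thread, in the order the client offered them (constructed sample input).
OFFERED = [0x0039, 0x0033, 0x0035, 0x002F, 0x00FF]   # 0x00FF is the renegotiation SCSV, not a real suite
TLS10 = 0x0301                                        # "TLSv1" in the Wireshark log

def build_client_hello(version, suites):
    """Minimal ClientHello handshake message: no session id, no extensions (assumed layout)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                                # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body               # type 1 + 24-bit length

def build_server_hello(version, suite):
    """Minimal ServerHello: version, random, empty session id, chosen suite, null compression."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return b"\x02" + len(body).to_bytes(3, "big") + body

def parse_hello(msg):
    """Return (handshake type, version, cipher suites) for a ClientHello or ServerHello."""
    htype, length = msg[0], int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    pos += 1 + body[pos]                          # skip the length-prefixed session id
    if htype == 1:                                # ClientHello carries a vector of suites
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    elif htype == 2:                              # ServerHello carries exactly one suite
        suites = [struct.unpack(">H", body[pos:pos + 2])[0]]
    else:
        raise ValueError("not a ClientHello or ServerHello")
    return htype, version, suites

def check_server_choice(client_hello, server_hello):
    """Checks a client applies to the ServerHello before it moves on to the Certificate message."""
    _, client_max, offered = parse_hello(client_hello)
    _, server_ver, (chosen,) = parse_hello(server_hello)
    problems = []
    if server_ver > client_max:
        problems.append("server version above client's maximum")
    if chosen not in offered or chosen == 0x00FF:
        problems.append("server chose a suite the client did not offer")
    return chosen, problems

CLIENT_HELLO = build_client_hello(TLS10, OFFERED)    # the thread's exchange: five suites offered
SERVER_HELLO = build_server_hello(TLS10, 0x002F)     # server picks TLS_RSA_WITH_AES_128_CBC_SHA
```

For the exchange in the thread both checks pass, so the RST seen right after the ServerHello comes from a later handshake step, which is consistent with Thomas's question about the certificate installed in UEFI.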