public inbox for devel@edk2.groups.io
From: Santhapur Naveen <naveens@amiindia.co.in>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>,
	"Palmer, Thomas" <thomas.palmer@hpe.com>,
	Samer El Haj Mahmoud <smahmoud@lenovo.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: Issues with HTTPS Boot
Date: Fri, 23 Sep 2016 07:01:05 +0000
Message-ID: <625A2455CC232F40B0F38F05ACED6D978C2C2DE7@VENUS1.in.megatrends.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B727413889028@SHSMSX103.ccr.corp.intel.com>

Hi Jiaxin,

	The OpenSSL version I have been using is 1.0.2h and the cipher returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".

Thanks,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com] 
Sent: Friday, September 23, 2016 12:25 PM
To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means an SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171 I can't find the corresponding error function. Can you tell us the OpenSSL version your platform used, and what cipher was returned from the server hello?


Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud <smahmoud@lenovo.com>; Santhapur Naveen 
> <naveens@amiindia.co.in>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> 
> Naveen,
> 
> I may be interpreting this OpenSSL error code incorrectly, so if 
> anyone has experience with this please chime in ...
> 
> Looking at 1.0.2h, the 0x105 reason corresponds with 
> SSL_R_WRONG_CIPHER_RETURNED.  This happens in two places in s3_clnt.c.
> This would indicate that the TLS server is wanting to use a cipher 
> that the TLS client does not want to use.
> 
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... 
> but we don't support client certificates or DTLS at this point so I 
> would not expect this to be in play.  (unless your server is 
> configured for that ...)
> 
> We should confirm this error code interpretation.  If you have a 
> debugger, set a break point for each instance of 
> SSL_R_WRONG_CIPHER_RETURNED, or add a print statement.  Which openssl version are you using?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> 
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas 
> <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> Are you using the latest code from the edk2-staging branch?
> 
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> Hi Thomas,
> 
> 	Regarding your previous question about the server certificates, 
> please find my response below:
> 
> Do you have the appropriate certificate installed in UEFI for the 
> target TLS server?
> 	Yes, I do have the appropriate certificate installed on my server. I 
> have followed section 2.2, titled "Self-Generated Certificate", in 
> the white paper to generate the certificates.
> 
> 	I have debugged a bit further and went inside TlsConnectSession() to 
> see where exactly it is failing, and I found that it fails in 
> TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the 
> error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> 
> 	If I'm missing anything anywhere, would you please provide your 
> comments?
> 
> Thank you,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> 
> From what you describe, it sounds like they should not have an issue 
> negotiating TLS version and cipher.
> 
> 
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server?   Either we need the 3rd party CA that signed the web server certificate,
> or you could install the self-signed certificate of the web server.
> 
> Also, are you able to see any DEBUG statements from TlsLib.c?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Hi Thomas,
> 
> 	Regarding my previous mail, after the TCP handshake, the Client says Hello to 
> the server and the Server replies with its Hello to the client using TLSv1.
> 
> The Client says hello with the following Cipher Suites:
> 
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> 
> 	For the Client Hello, the Server responds with its Hello and chooses 
> TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an 
> acknowledgement to the server and then immediately sends RST.
> 
> 	After some debugging, it was found that it fails in TlsConnectSession().
> Would you please provide your comments on this?
> 
> 
> Thanks,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> 	I cannot see attachments on this email.
> 
> 	What TLS versions and ciphers does your web server support?
> Depending on when you built the UEFI image, your server may need to 
> have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed 
> at the top of TlsLib.c.
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
> 
> Hello All,
> 
>           Since HTTPS Boot came into the picture, I was very 
> enthusiastic to try it. I configured the server as is explained in the 
> white paper 
> https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> 
>           But when I try to go for an HTTPS boot, it stops after the TCP handshake.
> Attached is the Wireshark log. Please help me out and also let me know 
> if any other details are needed.
> 
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
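The thread decodes the TlsLib error "0x14171105=L14:F171:R105" by hand and compares the ServerHello cipher against the ClientHello list by eye. The script below is an added example (not code from the thread, EDK II or OpenSSL) that does both mechanically. It assumes the OpenSSL 1.0.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason), and its symbolic-name tables contain only the values the thread itself confirms for 1.0.2h (library 20 = ERR_LIB_SSL, reason 261 = SSL_R_WRONG_CIPHER_RETURNED); anything else, including function code 0x171, is reported numerically rather than guessed. The ClientHello and ServerHello text is constructed from the Wireshark summary Naveen posted. The SCSV rejection is an added RFC 5746 sanity rule, separate from the OpenSSL membership check.

```python
"""Triage helper for the HTTPS Boot handshake failure discussed in the thread.

Added example; not code from EDK II, OpenSSL or any poster in the thread.
"""
import re

# ---- 1. OpenSSL 1.0.x packed error codes -----------------------------------
# ERR_PACK(lib, func, reason) = (lib & 0xff) << 24 | (func & 0xfff) << 12 | (reason & 0xfff)
# The EDK II TlsLib message "0x14171105=L14:F171:R105" prints those three
# fields in hex, which is what ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON return.

def err_get_lib(code: int) -> int:
    return (code >> 24) & 0xFF

def err_get_func(code: int) -> int:
    return (code >> 12) & 0xFFF

def err_get_reason(code: int) -> int:
    return code & 0xFFF

# Only the names the thread confirms for OpenSSL 1.0.2h (assumption: the
# reader checks their own ssl.h for anything not listed here).
LIB_NAMES = {20: "ERR_LIB_SSL"}
SSL_REASON_NAMES = {261: "SSL_R_WRONG_CIPHER_RETURNED"}

def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 1.0.x error into lib/func/reason and label what we know."""
    lib, func, reason = err_get_lib(code), err_get_func(code), err_get_reason(code)
    if lib == 20:
        reason_name = SSL_REASON_NAMES.get(reason, f"unknown SSL reason {reason}")
    else:
        reason_name = f"reason {reason} (non-SSL library, table not applicable)"
    return {
        "lib": lib,
        "lib_name": LIB_NAMES.get(lib, f"unknown lib {lib}"),
        "func": func,  # function code; no symbolic name confirmed in the thread
        "reason": reason,
        "reason_name": reason_name,
        "edk2_text": f"L{lib:X}:F{func:X}:R{reason:X}",  # same format TlsLib prints
    }

# ---- 2. ClientHello / ServerHello cipher-suite consistency ------------------
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\s*\((0x[0-9a-fA-F]{4})\)")

def parse_suite_list(text: str) -> list:
    """Return [(name, id)] for every 'NAME (0xNNNN)' pair in Wireshark-style text."""
    return [(name, int(hexid, 16)) for name, hexid in SUITE_RE.findall(text)]

# Constructed from the ClientHello / ServerHello summary posted in the thread.
CLIENT_HELLO_TEXT = """
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""
SERVER_HELLO_TEXT = "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)"

# RFC 5746 signalling value; a server must never select it as the cipher.
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF

def check_server_choice(offered: list, chosen: int) -> tuple:
    """Client-side rules a ServerHello cipher must satisfy.

    The membership rule is the one behind SSL_R_WRONG_CIPHER_RETURNED in the
    client; the SCSV rule is an added RFC 5746 sanity check.
    """
    offered_ids = {sid for _, sid in offered}
    if chosen == TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
        return False, "server selected the renegotiation SCSV, which is not a cipher suite"
    if chosen not in offered_ids:
        return False, f"server selected 0x{chosen:04x}, which the client did not offer"
    return True, f"server selected 0x{chosen:04x}, which the client offered"

def triage(error_code: int, client_text: str, server_text: str) -> dict:
    """Decode the error and cross-check the negotiated suite in one report."""
    err = decode_openssl_error(error_code)
    offered = parse_suite_list(client_text)
    chosen = parse_suite_list(server_text)[0][1]
    consistent, note = check_server_choice(offered, chosen)
    return {"error": err, "chosen": chosen, "cipher_consistent": consistent, "note": note}

if __name__ == "__main__":
    report = triage(0x14171105, CLIENT_HELLO_TEXT, SERVER_HELLO_TEXT)
    for key, value in report["error"].items():
        print(f"{key:12} {value}")
    print(report["note"])
```

Running it on the thread's values reproduces "L14:F171:R105", names the library and reason, leaves the function code unlabelled, and reports that 0x002f was in the offered list. That last result is the point: a plain "server picked something we never offered" mismatch does not explain this failure, which is why the thread turns to the exact OpenSSL version and the unidentified function code.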


Thread overview: 14+ messages
2016-09-20 11:41 Issues with HTTPS Boot Santhapur Naveen
2016-09-20 15:59 ` Palmer, Thomas
2016-09-21 13:09   ` Santhapur Naveen
2016-09-21 19:25     ` Palmer, Thomas
2016-09-22 14:06       ` Santhapur Naveen
2016-09-22 15:12         ` Samer El Haj Mahmoud
2016-09-22 18:10           ` Palmer, Thomas
2016-09-23  6:54             ` Wu, Jiaxin
2016-09-23  7:01               ` Santhapur Naveen [this message]
2016-09-26  1:46                 ` Wu, Jiaxin
2016-09-30  5:26                 ` Wu, Jiaxin
2016-09-30  5:29                   ` Santhapur Naveen
     [not found]                   ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
2016-10-20  6:16                     ` Wu, Jiaxin
2016-09-23  7:04           ` Santhapur Naveen