From: Santhapur Naveen
To: "Wu, Jiaxin", "Palmer, Thomas", Samer El Haj Mahmoud, edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot
Date: Fri, 23 Sep 2016 07:01:05 +0000
Message-ID: <625A2455CC232F40B0F38F05ACED6D978C2C2DE7@VENUS1.in.megatrends.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B727413889028@SHSMSX103.ccr.corp.intel.com>

Hi Jiaxin,

The openssl version I have been using is 1.0.2h and the cipher returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".

Thanks,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
Sent: Friday, September 23, 2016 12:25 PM
To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171, I can't find the corresponding error function represented. Can you tell us the openssl version your platform used? And what's the cipher returned from server hello?

Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
> Naveen,
>
> I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...
>
> Looking at 1.0.2h, the 0x105 reason corresponds with SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c. This would indicate that the TLS server is wanting to use a cipher that the TLS client does not want to use.
>
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point so I would not expect this to be in play. (unless your server is configured for that ...)
>
> We should confirm this error code interpretation. If you have a debugger, set a break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which openssl version are you using?
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
>
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> Are you using the latest code from the edk2-staging branch?
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding your previous question about the server certificates, please find my response as below:
>
> Do you have the appropriate certificate installed in UEFI for the target TLS server?
> Yes, I do have the appropriate certificate installed on my server. I have followed the section 2.2 titled "Self-Generated Certificate" in the white paper to generate the certificates.
>
> I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
>
> If I'm missing anything anywhere, would you please provide your comments.
>
> Thank you,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.
>
> Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd-party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.
>
> Also, are you able to see any DEBUG statements from TlsLib.c?
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
>
> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding my previous mail, after the TCP handshake, the client says Hello to the server and the server replies with its Hello to the client with TLSv1.
>
> The client says hello with the following Cipher Suites:
>
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>
> For the Client Hello, the server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.
>
> After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?
>
> Thanks,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> I cannot see attachments on this email.
>
> What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
>
> Hello All,
>
> Since HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as is explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
>
> But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.
>
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
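The thread hinges on reading the packed OpenSSL error code 0x14171105 that TlsDoHandshake() printed as "L14:F171:R105", and on whether the ServerHello cipher was actually one the ClientHello offered (which is what SSL_R_WRONG_CIPHER_RETURNED signals). The following is an added example, not code from the thread, from EDK II or from OpenSSL: it unpacks the code with the 8/12/12-bit layout that OpenSSL 1.0.x's ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros use, and checks a server's cipher choice against an offered list. The name tables are deliberately limited to the two identifiers the thread itself resolves (library 20 = ERR_LIB_SSL, reason 261 = SSL_R_WRONG_CIPHER_RETURNED); function 0x171 is left unresolved, as it is in the thread. The cipher-suite list is the one Naveen posted from his Wireshark capture.

```python
"""Decode a packed OpenSSL 1.0.x error code and check a ServerHello cipher
choice against the ClientHello offer.

Added example; not code from the edk2 thread, EDK II or OpenSSL.
Bit layout assumed (OpenSSL 1.0.x ERR_PACK): bits 31..24 library id,
bits 23..12 function id, bits 11..0 reason id.
"""
from typing import Dict, List, Optional, Tuple

# Only the identifiers the thread resolves; everything else reports None.
ERR_LIB_NAMES: Dict[int, str] = {20: "ERR_LIB_SSL"}
SSL_REASON_NAMES: Dict[int, str] = {261: "SSL_R_WRONG_CIPHER_RETURNED"}
SSL_FUNC_NAMES: Dict[int, str] = {}  # F171 (369) is not resolved in the thread

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling value, not a cipher

# Cipher suites from Naveen's ClientHello (Sept 21 mail), in offered order.
CLIENT_HELLO_SUITES: List[int] = [0x0039, 0x0033, 0x0035, 0x002F, 0x00FF]


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed error code into (library, function, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def pack_openssl_error(lib: int, func: int, reason: int) -> int:
    """Inverse of decode_openssl_error (same layout as OpenSSL's ERR_PACK)."""
    return ((lib & 0xFF) << 24) | ((func & 0xFFF) << 12) | (reason & 0xFFF)


def format_openssl_error(code: int) -> str:
    """Render the code the way the TlsDoHandshake debug line does: L..:F..:R.."""
    lib, func, reason = decode_openssl_error(code)
    return "L%X:F%X:R%X" % (lib, func, reason)


def parse_lfr(text: str) -> int:
    """Parse an 'L14:F171:R105' string (hex fields) back into a packed code."""
    parts = dict(p[0] and (p[0], int(p[1:], 16)) for p in text.split(":"))
    return pack_openssl_error(parts["L"], parts["F"], parts["R"])


def describe_openssl_error(code: int) -> Dict[str, object]:
    """Numeric fields plus symbolic names where the (small) tables know them."""
    lib, func, reason = decode_openssl_error(code)
    return {
        "lib": lib,
        "lib_name": ERR_LIB_NAMES.get(lib),
        "func": func,
        "func_name": SSL_FUNC_NAMES.get(func),
        "reason": reason,
        "reason_name": SSL_REASON_NAMES.get(reason),
        "text": format_openssl_error(code),
    }


def server_choice_offered(offered: List[int], chosen: int) -> bool:
    """True if the ServerHello suite was among the ClientHello suites.

    The SCSV pseudo-suite is excluded: a server must never select it, so a
    server that does is also returning a 'wrong cipher'.
    """
    return chosen != TLS_EMPTY_RENEGOTIATION_INFO_SCSV and chosen in offered


if __name__ == "__main__":
    info = describe_openssl_error(0x14171105)
    print(info["text"], info["lib_name"], info["func_name"], info["reason_name"])
    print("server choice 0x002f offered by client:",
          server_choice_offered(CLIENT_HELLO_SUITES, 0x002F))
```

For the thread's values this yields L14:F171:R105 with the library and reason resolved and the function left as 369 (0x171), and the cipher check passes, since 0x002f was the fourth suite the client offered. That is consistent with Jiaxin's reading that the failure is not a plain ServerHello mismatch in ssl3_get_server_hello(), which is why the unresolved function id, not the reason code, is the remaining clue. Note also that the negotiated parameters in the capture (TLSv1.0 with CBC-SHA suites) are what a 2016 build accepted; TLS 1.0 has since been formally deprecated, so a current firmware build should be expected to negotiate TLS 1.2 or later.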