public inbox for devel@edk2.groups.io
* Issues with HTTPS Boot
@ 2016-09-20 11:41 Santhapur Naveen
  2016-09-20 15:59 ` Palmer, Thomas
  0 siblings, 1 reply; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-20 11:41 UTC (permalink / raw)
  To: edk2-devel@lists.01.org

Hello All,

Since HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers

But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.

Thank you,
Naveen



* Re: Issues with HTTPS Boot
  2016-09-20 11:41 Issues with HTTPS Boot Santhapur Naveen
@ 2016-09-20 15:59 ` Palmer, Thomas
  2016-09-21 13:09   ` Santhapur Naveen
  0 siblings, 1 reply; 14+ messages in thread
From: Palmer, Thomas @ 2016-09-20 15:59 UTC (permalink / raw)
  To: Santhapur Naveen, edk2-devel@lists.01.org

Naveen,

I cannot see attachments on this email.

What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel



* Re: Issues with HTTPS Boot
  2016-09-20 15:59 ` Palmer, Thomas
@ 2016-09-21 13:09   ` Santhapur Naveen
  2016-09-21 19:25     ` Palmer, Thomas
  0 siblings, 1 reply; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-21 13:09 UTC (permalink / raw)
  To: Palmer, Thomas, edk2-devel@lists.01.org

Hi Thomas,

Regarding my previous mail, after the TCP handshake, the client says Hello to the server and the server replies with its Hello to the client with TLSv1.

The client says Hello with the following cipher suites:

1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

In response to the Client Hello, the server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends an RST.

After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?


Thanks,
Naveen




* Re: Issues with HTTPS Boot
  2016-09-21 13:09   ` Santhapur Naveen
@ 2016-09-21 19:25     ` Palmer, Thomas
  2016-09-22 14:06       ` Santhapur Naveen
  0 siblings, 1 reply; 14+ messages in thread
From: Palmer, Thomas @ 2016-09-21 19:25 UTC (permalink / raw)
  To: Santhapur Naveen, edk2-devel@lists.01.org


From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.


Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd-party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.

Also, are you able to see any DEBUG statements from TlsLib.c?


Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal




* Re: Issues with HTTPS Boot
  2016-09-21 19:25     ` Palmer, Thomas
@ 2016-09-22 14:06       ` Santhapur Naveen
  2016-09-22 15:12         ` Samer El Haj Mahmoud
  0 siblings, 1 reply; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-22 14:06 UTC (permalink / raw)
  To: Palmer, Thomas, edk2-devel@lists.01.org

Hi Thomas,

Regarding your previous question about the server certificates, please find my response below:

Do you have the appropriate certificate installed in UEFI for the target TLS server?
	Yes, I do have the appropriate certificate installed on my server. I have followed section 2.2, titled "Self-Generated Certificate", in the white paper to generate the certificates.

I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".

If I'm missing anything anywhere, would you please provide your comments?

Thank you,
Naveen




* Re: Issues with HTTPS Boot
  2016-09-22 14:06       ` Santhapur Naveen
@ 2016-09-22 15:12         ` Samer El Haj Mahmoud
  2016-09-22 18:10           ` Palmer, Thomas
  2016-09-23  7:04           ` Santhapur Naveen
  0 siblings, 2 replies; 14+ messages in thread
From: Samer El Haj Mahmoud @ 2016-09-22 15:12 UTC (permalink / raw)
  To: Santhapur Naveen, Palmer, Thomas, edk2-devel@lists.01.org

Naveen,

Are you using the latest code from the edk2-staging branch?





* Re: Issues with HTTPS Boot
  2016-09-22 15:12         ` Samer El Haj Mahmoud
@ 2016-09-22 18:10           ` Palmer, Thomas
  2016-09-23  6:54             ` Wu, Jiaxin
  2016-09-23  7:04           ` Santhapur Naveen
  1 sibling, 1 reply; 14+ messages in thread
From: Palmer, Thomas @ 2016-09-22 18:10 UTC (permalink / raw)
  To: Samer El Haj Mahmoud, Santhapur Naveen, edk2-devel@lists.01.org


Naveen,

I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...

Looking at 1.0.2h, the 0x105 reason corresponds to SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c. This would indicate that the TLS server wants to use a cipher that the TLS client does not want to use.

0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point so I would not expect this to be in play.  (unless your server is configured for that ...)

We should confirm this error code interpretation. If you have a debugger, set a breakpoint at each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which openssl version are you using?


Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal





* Re: Issues with HTTPS Boot
  2016-09-22 18:10           ` Palmer, Thomas
@ 2016-09-23  6:54             ` Wu, Jiaxin
  2016-09-23  7:01               ` Santhapur Naveen
  0 siblings, 1 reply; 14+ messages in thread
From: Wu, Jiaxin @ 2016-09-23  6:54 UTC (permalink / raw)
  To: Palmer, Thomas, Samer El Haj Mahmoud, Santhapur Naveen,
	edk2-devel@lists.01.org

Naveen,

For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means an SSL lib error and R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171 I can't find the corresponding error function. Can you tell us the openssl version your platform uses, and what cipher is returned in the server hello?


Thanks,
Jiaxin



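
The two messages above (Thomas's reading of 0x14171105 and Jiaxin's L14:F171:R105 breakdown) both hinge on how OpenSSL packs an error code and on what SSL_R_WRONG_CIPHER_RETURNED actually tests. The following is an added example written for this page; it is not code from the thread, from EDK II's TlsLib.c, or from OpenSSL. It splits the code with the same bit layout OpenSSL 1.0.2's ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros use, then applies to the captured Server Hello the two client-side checks whose failure OpenSSL reports as SSL_R_WRONG_CIPHER_RETURNED: the selected suite must be one the client offered, and a TLS 1.2-only (SHA-256) suite must not be selected under an older version. Assumptions: the constant values (ERR_LIB_SSL = 20, SSL_R_WRONG_CIPHER_RETURNED = 261, TLS version numbers) are taken from the OpenSSL 1.0.2 headers; the mapping of the two checks to ssl3_get_server_hello() in s3_clnt.c is my reading of that file; the suite table is constructed for the example; F171 is left as a bare number because the thread does not resolve it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Field layout of a packed OpenSSL 1.0.2 error code, as extracted by the
 * ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros in <openssl/err.h>:
 * bits 24..31 = library, bits 12..23 = function, bits 0..11 = reason.
 * Re-implemented here so the block builds without OpenSSL installed.
 */
static int err_lib(unsigned long e)    { return (int)((e >> 24) & 0xffUL); }
static int err_func(unsigned long e)   { return (int)((e >> 12) & 0xfffUL); }
static int err_reason(unsigned long e) { return (int)(e & 0xfffUL); }

/* Numeric values taken from the OpenSSL 1.0.2 headers (err.h / ssl.h / tls1.h). */
#define ERR_LIB_SSL                 20    /* 0x14 */
#define SSL_R_WRONG_CIPHER_RETURNED 261   /* 0x105 */
#define TLS1_VERSION                0x0301
#define TLS1_2_VERSION              0x0303

/* Render a code in the L:F:R form the TlsDoHandshake debug line in the thread uses. */
static int format_tls_error(unsigned long e, char *buf, size_t n)
{
    return snprintf(buf, n, "0x%08lX=L%X:F%X:R%X",
                    e, err_lib(e), err_func(e), err_reason(e));
}

/* Constructed suite table: IANA code point and whether the suite is TLS 1.2-only
 * (the SHA-256 suites cannot be used under TLS 1.0/1.1). The signalling value
 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) is deliberately absent: it is not
 * a suite a server may select. */
typedef struct { uint16_t id; const char *name; bool tls12_only; } SuiteInfo;

static const SuiteInfo kSuites[] = {
    { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", false },
    { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", false },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",     false },
    { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA",     false },
    { 0x003c, "TLS_RSA_WITH_AES_128_CBC_SHA256",  true  },
    { 0x003d, "TLS_RSA_WITH_AES_256_CBC_SHA256",  true  },
};

static const SuiteInfo *lookup_suite(uint16_t id)
{
    for (size_t i = 0; i < sizeof kSuites / sizeof kSuites[0]; i++)
        if (kSuites[i].id == id) return &kSuites[i];
    return NULL;
}

/* The Client Hello offer captured in the thread, in the order sent. */
static const uint16_t kOfferedSuites[] = { 0x0039, 0x0033, 0x0035, 0x002f, 0x00ff };
#define OFFERED_COUNT (sizeof kOfferedSuites / sizeof kOfferedSuites[0])

typedef enum {
    CHOICE_OK,
    CHOICE_UNKNOWN,          /* not a suite the client knows at all */
    CHOICE_NOT_OFFERED,      /* known, but absent from the Client Hello */
    CHOICE_VERSION_MISMATCH  /* TLS 1.2-only suite under an older version */
} ChoiceResult;

/*
 * Validate the suite a Server Hello selects, as a client must: it has to be one
 * the client offered, and a TLS 1.2-only suite may not be chosen when the
 * negotiated version is lower. In OpenSSL 1.0.2's ssl3_get_server_hello() both
 * of those failures surface as SSL_R_WRONG_CIPHER_RETURNED (my reading of
 * s3_clnt.c; the thread itself does not spell this out).
 */
static ChoiceResult check_server_choice(const uint16_t *offered, size_t count,
                                        uint16_t chosen, uint16_t negotiated_version)
{
    const SuiteInfo *info = lookup_suite(chosen);
    if (info == NULL) return CHOICE_UNKNOWN;

    bool found = false;
    for (size_t i = 0; i < count; i++)
        if (offered[i] == chosen) found = true;
    if (!found) return CHOICE_NOT_OFFERED;

    if (info->tls12_only && negotiated_version < TLS1_2_VERSION)
        return CHOICE_VERSION_MISMATCH;
    return CHOICE_OK;
}

int main(void)
{
    const unsigned long code = 0x14171105UL;   /* the code reported in the thread */
    char buf[64];
    format_tls_error(code, buf, sizeof buf);
    printf("%s -> lib %d%s, func %d, reason %d%s\n", buf,
           err_lib(code), err_lib(code) == ERR_LIB_SSL ? " (ERR_LIB_SSL)" : "",
           err_func(code),
           err_reason(code),
           err_reason(code) == SSL_R_WRONG_CIPHER_RETURNED ? " (SSL_R_WRONG_CIPHER_RETURNED)" : "");

    /* The capture: the server picked 0x002f under TLSv1, which passes both checks. */
    ChoiceResult r = check_server_choice(kOfferedSuites, OFFERED_COUNT, 0x002f, TLS1_VERSION);
    printf("Server Hello chose %s under TLS 1.0: %s\n",
           lookup_suite(0x002f)->name, r == CHOICE_OK ? "acceptable" : "rejected");
    return 0;
}
```

Run as written, the block confirms the two facts the thread establishes: lib 0x14 is ERR_LIB_SSL and reason 0x105 is SSL_R_WRONG_CIPHER_RETURNED, while the captured choice (0x002f under TLSv1) is one the client offered and is not version-restricted, so neither Server Hello check would have fired. That is consistent with Jiaxin's point that the failure does not appear to be in ssl3_get_server_hello(), and it leaves F171 as the open question the thread is still chasing.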

* Re: Issues with HTTPS Boot
  2016-09-23  6:54             ` Wu, Jiaxin
@ 2016-09-23  7:01               ` Santhapur Naveen
  2016-09-26  1:46                 ` Wu, Jiaxin
  2016-09-30  5:26                 ` Wu, Jiaxin
  0 siblings, 2 replies; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-23  7:01 UTC (permalink / raw)
  To: Wu, Jiaxin, Palmer, Thomas, Samer El Haj Mahmoud,
	edk2-devel@lists.01.org

Hi Jiaxin,

The openssl version I have been using is 1.0.2h and the cipher returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".

Thanks,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com] 
Sent: Friday, September 23, 2016 12:25 PM
To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

For error code L14:F171:R105, it seems not failed in the ssl3_get_server_hello(). L14 means SLL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171, I can't find the corresponding error function represented. Can you tell us the openssl version your platform used? and what's the cipher returned from server hello? 


Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud <smahmoud@lenovo.com>; Santhapur Naveen 
> <naveens@amiindia.co.in>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> 
> Naveen,
> 
> I may be interpreting this OpenSSL error code incorrectly, so if 
> anyone has experience with this please chime in ...
> 
> Looking at 1.0.2h, the 0x105 reason corresponds with 
> SSL_R_WRONG_CIPHER_RETURNED.  This happens in two places in s3_clnt.c.
> This would indicate that the TLS server is wanting to use a cipher 
> that the TLS client does not want to use.
> 
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... 
> but we don't support client certificates or DTLS at this point so I 
> would not expect this to be in play.  (unless your server is 
> configured for that ...)
> 
> We should confirm this error code interpretation.  If you have a 
> debugger, set a break point for each instance of 
> SSL_R_WRONG_CIPHER_RETURNED, or add a print statement.  Which openssl version are you using?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> 
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas 
> <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> Are you using the latest code from the edk2-staging branch?
> 
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> Hi Thomas,
> 
> 	Regarding your previous question about the server certificates, 
> please find my response as below:
> 
> Do you have the appropriate certificate installed in UEFI for the 
> target TLS server?
> 	Yes, I do have the appropriate certificate installed on my server. I 
> have followed the section 2.2 titled "Self-Generated Certificate" in 
> the white paper to generate the certificates.
> 
> 	I have debugged a bit further and went inside TlsConnectSession() to 
> see where exactly it is failing and I found that it fails in 
> TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives 
> error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> 
> 	If I'm missing anything anywhere, would you please provide your 
> comments.
> 
> Thank you,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> 
> From what you describe, it sounds like they should not have an issue 
> negotiating TLS version and cipher.
> 
> 
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server?   Either we need the 3rd-party CA that signed the web server certificate,
> or you could install the self-signed certificate of the web server.
> 
> Also, are you able to see any DEBUG statements from TlsLib.c?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Hi Thomas,
> 
> 	Regarding my previous mail, after TCP handshake, Client says Hello to 
> server and the Server replies its Hello to the client with TLSv1.
> 
> Client says hello with the following Cipher Suites:
> 
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> 
> 	For the Client Hello, Server responds with its Hello and chooses 
> TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an 
> acknowledgement to the server and then immediately sends RST.
> 
> 	After some debugging, it was found that it fails in TlsConnectSession().
> Would you please provide your comments on this?
> 
> 
> Thanks,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> 	I cannot see attachments on this email.
> 
> 	What TLS versions and ciphers does your web server support?
> Depending on when you built the UEFI image, your server may need to 
> have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed 
> at the top of TlsLib.c.
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time 
> to make it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
> Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
> 
> Hello All,
> 
>           Since the HTTPS Boot came into picture, I was very 
> enthusiastic to try it. I configured the server as-is explained in the 
> white paper 
> https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White
> %20p
> apers
> 
>           But when I try to go for an HTTPS boot, it stops after the TCP handshake.
> Attached is the Wireshark log. Please help me out and also let me know 
> if any other details are needed.
> 
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply	[flat|nested] 14+ messages in thread
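The error code and the cipher negotiation discussed above, as an added example that is not part of this thread, of TlsLib or of EDK2: a small Python script that unpacks an OpenSSL 1.0.2-style packed error (0x14171105 = L14:F171:R105), parses constructed ClientHello/ServerHello records carrying the suites Naveen listed, and replays the client-side checks that raise SSL_R_WRONG_CIPHER_RETURNED. Assumptions: ERR_LIB_SSL = 20 and SSL_R_WRONG_CIPHER_RETURNED = 261 as in the OpenSSL 1.0.2 headers; the order of the checks is my reading of ssl3_get_server_hello() in s3_clnt.c, not a quote of it; suite 0x003C (TLS_RSA_WITH_AES_128_CBC_SHA256) is added only for contrast as a TLS 1.2-only suite; and the hello records are built in the script as test input rather than taken from the Wireshark capture.

```python
import struct

# OpenSSL 1.0.2 packs every error as lib<<24 | func<<12 | reason (crypto/err/err.h).
# The two constants below are the ones this thread relies on, taken from those headers.
ERR_LIB_SSL = 20
SSL_R_WRONG_CIPHER_RETURNED = 261          # 0x105

LIB_NAMES = {ERR_LIB_SSL: "ERR_LIB_SSL"}
REASON_NAMES = {SSL_R_WRONG_CIPHER_RETURNED: "SSL_R_WRONG_CIPHER_RETURNED"}


def unpack_err(code):
    """Equivalent of ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_err(code):
    """Render a packed code the way TlsLib's debug print does (Lxx:Fxxx:Rxxx)."""
    lib, func, reason = unpack_err(code)
    return {
        "text": f"L{lib:X}:F{func:X}:R{reason:X}",
        "lib": LIB_NAMES.get(lib, f"lib {lib}"),
        "func": func,   # resolve SSL_F_* against the ssl.h of the exact release you link
        "reason": REASON_NAMES.get(reason, f"reason {reason}"),
    }


TLS1_0, TLS1_2 = 0x0301, 0x0303
SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signal value, never a selectable suite

# IANA suite ids: the four the UEFI client offered in the thread, plus one TLS 1.2-only suite.
SUITES = {
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", False),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", True),   # assumed contrast case: needs TLS 1.2
}


def check_server_hello(offered, chosen, version):
    """Client-side checks on a ServerHello, in the order I read them in OpenSSL 1.0.2's
    ssl3_get_server_hello(): unknown suite, TLS 1.2-only suite on an older version,
    suite we never offered. Returns None when acceptable, else the SSL_R_* name."""
    if chosen not in SUITES:
        return "SSL_R_UNKNOWN_CIPHER_RETURNED"
    if SUITES[chosen][1] and version < TLS1_2:
        return "SSL_R_WRONG_CIPHER_RETURNED"
    if chosen not in [s for s in offered if s != SCSV]:
        return "SSL_R_WRONG_CIPHER_RETURNED"
    return None


def build_hello(htype, version, suites, session_id=b""):
    """Constructed test input: a minimal TLS record carrying a ClientHello (0x01)
    or ServerHello (0x02). Random is zeroed and there are no extensions."""
    hs = struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
    if htype == 0x01:
        hs += struct.pack("!H", 2 * len(suites))
        hs += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:
        hs += struct.pack("!H", suites[0]) + b"\x00"
    body = bytes([htype]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, TLS1_0, len(body)) + body


def parse_hello(record):
    """Pull (kind, version, suites) out of a handshake record, as Wireshark shows them."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hlen]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32 + 1 + hs[34]                  # skip version, random, session_id
    if htype == 0x01:
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
        return "ClientHello", version, suites
    if htype == 0x02:
        return "ServerHello", version, [struct.unpack("!H", hs[pos:pos + 2])[0]]
    raise ValueError(f"unexpected handshake type {htype:#x}")


def audit_exchange(client_record, server_record):
    """Replay the ServerHello check over a ClientHello/ServerHello pair."""
    _, _, offered = parse_hello(client_record)
    _, version, (chosen,) = parse_hello(server_record)
    return check_server_hello(offered, chosen, version)


if __name__ == "__main__":
    print(describe_err(0x14171105))
    offered = [0x0039, 0x0033, 0x0035, 0x002F, SCSV]
    ch = build_hello(0x01, TLS1_0, offered)
    sh = build_hello(0x02, TLS1_0, [0x002F])
    print("exchange from the thread:", audit_exchange(ch, sh))
    print("SHA256 suite on TLS 1.0:", audit_exchange(ch, build_hello(0x02, TLS1_0, [0x003C])))
```

For the exchange in the thread (0x002f offered, 0x002f chosen, TLSv1) the replayed check returns None, which is consistent with Jiaxin's reading that the failure did not come from ssl3_get_server_hello(); the function id F171 still has to be looked up in the ssl.h of the OpenSSL release actually linked into the firmware.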

* Re: Issues with HTTPS Boot
  2016-09-22 15:12         ` Samer El Haj Mahmoud
  2016-09-22 18:10           ` Palmer, Thomas
@ 2016-09-23  7:04           ` Santhapur Naveen
  1 sibling, 0 replies; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-23  7:04 UTC (permalink / raw)
  To: Samer El Haj Mahmoud, Palmer, Thomas, edk2-devel@lists.01.org

Hi,
	I've downloaded the source from edk2-staging a couple of weeks ago and have been using the same source since then.

Thanks,
Naveen

-----Original Message-----
From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com] 
Sent: Thursday, September 22, 2016 8:42 PM
To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

Are you using the latest code from the edk2-staging branch?


-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Thursday, September 22, 2016 7:07 AM
To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot

Hi Thomas,

	Regarding your previous question about the server certificates, please find my response as below:

Do you have the appropriate certificate installed in UEFI for the target TLS server?
	Yes, I do have the appropriate certificate installed on my server. I have followed the section 2.2 titled "Self-Generated Certificate" in the white paper to generate the certificates.

	I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing and I found that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".

	If I'm missing anything anywhere, would you please provide your comments.

Thank you,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com] 
Sent: Thursday, September 22, 2016 12:56 AM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot


From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.


Do you have the appropriate certificate installed in UEFI for the target TLS server?   Either we need the 3rd-party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.

Also, are you able to see any DEBUG statements from TlsLib.c?


Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: Santhapur Naveen [mailto:naveens@amiindia.co.in] 
Sent: Wednesday, September 21, 2016 8:09 AM
To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Hi Thomas,

	Regarding my previous mail, after TCP handshake, Client says Hello to server and the Server replies its Hello to the client with TLSv1.
 
Client says hello with the following Cipher Suites:

1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

	For the Client Hello, Server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST. 

	After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?


Thanks,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Tuesday, September 20, 2016 9:30 PM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

	I cannot see attachments on this email. 
	
	What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.   
	

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Tuesday, September 20, 2016 6:42 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Issues with HTTPS Boot

Hello All,

          Since the HTTPS Boot came into picture, I was very enthusiastic to try it. I configured the server as-is explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers

          But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.

Thank you,
Naveen
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Issues with HTTPS Boot
  2016-09-23  7:01               ` Santhapur Naveen
@ 2016-09-26  1:46                 ` Wu, Jiaxin
  2016-09-30  5:26                 ` Wu, Jiaxin
  1 sibling, 0 replies; 14+ messages in thread
From: Wu, Jiaxin @ 2016-09-26  1:46 UTC (permalink / raw)
  To: Santhapur Naveen, Palmer, Thomas, Samer El Haj Mahmoud,
	edk2-devel@lists.01.org

Naveen,

The version in edk2-staging is openssl-1.0.2g; I can't reproduce the failure case in the latest branch. From the limited debug information, I'm not sure whether it's a compatibility issue with openssl-1.0.2h. It is also possible that your server configuration is incorrect. Anyway, I will try openssl-1.0.2h. But before that, please make sure all the HTTPS-related patches have been synced to your platform (from edk2-staging version: 891dde7da95bdc5deb11f9262b3bc6fde4e678ef). 

Thanks,
Jiaxin  

> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Friday, September 23, 2016 3:01 PM
> To: Wu, Jiaxin <jiaxin.wu@intel.com>; Palmer, Thomas
> <thomas.palmer@hpe.com>; Samer El Haj Mahmoud
> <smahmoud@lenovo.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Hi Jiaxin,
> 
> 	The openssl version I have been using is 1.0.2h and the cipher returned
> by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
> 
> Thanks,
> Naveen
> 


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Issues with HTTPS Boot
  2016-09-23  7:01               ` Santhapur Naveen
  2016-09-26  1:46                 ` Wu, Jiaxin
@ 2016-09-30  5:26                 ` Wu, Jiaxin
  2016-09-30  5:29                   ` Santhapur Naveen
       [not found]                   ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
  1 sibling, 2 replies; 14+ messages in thread
From: Wu, Jiaxin @ 2016-09-30  5:26 UTC (permalink / raw)
  To: Santhapur Naveen, Palmer, Thomas, Samer El Haj Mahmoud,
	edk2-devel@lists.01.org
  Cc: Fu, Siyuan, Ye, Ting, Li, Ruth

Hi Naveen,

I have tried openssl-1.0.2h and openssl-1.0.2j (the latest edk2-master version); both of them work well with the UEFI HTTPS in the staging branch. I haven't hit your issue :(. Now, I have synced the patches from EDK2 master (https://github.com/tianocore/edk2 ) to the HTTPS-TLS branch (https://github.com/tianocore/edk2-staging/tree/HTTPS-TLS ). That means the current HTTPS code in the branch is based on openssl-1.0.2j.   

I noticed you're not using the latest code from the edk2-staging branch, because your code base does not seem to support the TLS version negotiation feature. Can you retry with the latest code in the current HTTPS-TLS branch? 

In order to eliminate an HTTPS server configuration issue, you can use IE, Chrome, or any other HTTPS client (note: don't forget to enroll the server CA cert) to verify the HTTPS server's functionality first. That can also help you verify your self-signed certificates :). If you are using an IIS8 HTTPS server, please also be aware of the README notes.
 

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Monday, September 26, 2016 9:46 AM
> To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas
> <thomas.palmer@hpe.com>; Samer El Haj Mahmoud
> <smahmoud@lenovo.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> The version in edk2-staging is openssl-1.0.2g, I can't reproduce the failure case
> in the latest branch. From the limited debug information, I'm not sure whether
> it's the compatibility issue with openssl-1.0.2h. It is also possible that your
> server configuration is incorrect. Anyway, I will try openssl-1.0.2h. But before
> that, please make sure all the HTTPS-related patches have been synced to your
> platform (From edk2-staging version:
> 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).
> 
> Thanks,
> Jiaxin
> 


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: Issues with HTTPS Boot
  2016-09-30  5:26                 ` Wu, Jiaxin
@ 2016-09-30  5:29                   ` Santhapur Naveen
       [not found]                   ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
  1 sibling, 0 replies; 14+ messages in thread
From: Santhapur Naveen @ 2016-09-30  5:29 UTC (permalink / raw)
  To: Wu, Jiaxin, Palmer, Thomas, Samer El Haj Mahmoud,
	edk2-devel@lists.01.org
  Cc: Fu, Siyuan, Ye, Ting, Li, Ruth

Hi Jiaxin,

	Thank you very much for the information you have provided. I shall try and update you. Thank you once again.

Best Regards,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com] 
Sent: Friday, September 30, 2016 10:56 AM
To: Santhapur Naveen; Palmer, Thomas; Samer El Haj Mahmoud; edk2-devel@lists.01.org
Cc: Fu, Siyuan; Ye, Ting; Li, Ruth
Subject: RE: Issues with HTTPS Boot

Hi Naveen,

I have tried openssl-1.0.2h and openssl-1.0.2j (the latest edk2-master version); both of them work well with the UEFI HTTPS in the staging branch. I haven't met your issue :(. Now, I have synced the patches from EDK2 master (https://github.com/tianocore/edk2 ) to the HTTPS-TLS branch (https://github.com/tianocore/edk2-staging/tree/HTTPS-TLS ). That means the current HTTPS in the branch is developed based on openssl-1.0.2j.

I noticed you're not using the latest code from the edk2-staging branch because your code base seems not to support the TLS version negotiation feature. Can you retry the latest code in the current HTTPS-TLS branch?

In order to eliminate the HTTPS server configuration issue, you can use IE or Chrome or any other HTTPS client (Note: don't forget to enroll the server CA cert) to verify the HTTPS server's functionality first. That can also help you verify your self-signed certificates :). If you are using an IIS8 HTTPS server, please also be aware of the README notes.
 

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Monday, September 26, 2016 9:46 AM
> To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas 
> <thomas.palmer@hpe.com>; Samer El Haj Mahmoud <smahmoud@lenovo.com>; 
> edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> The version in edk2-staging is openssl-1.0.2g, I can't reproduce the 
> failure case in the latest branch. From the limited debug information, 
> I'm not sure whether it's the compatibility issue with openssl-1.0.2h. 
> It is also possible that your server configuration is incorrect. 
> Anyway, I will try openssl-1.0.2h. But before that, please make sure 
> all the HTTPS related patches have been synced to your platform (from edk2-staging version:
> 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).
> 
> Thanks,
> Jiaxin
> 
> > -----Original Message-----
> > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > Sent: Friday, September 23, 2016 3:01 PM
> > To: Wu, Jiaxin <jiaxin.wu@intel.com>; Palmer, Thomas 
> > <thomas.palmer@hpe.com>; Samer El Haj Mahmoud
> <smahmoud@lenovo.com>;
> > edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Hi Jiaxin,
> >
> > 	The openssl version I have been using is 1.0.2h and the cipher 
> > returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
> >
> > Thanks,
> > Naveen
> >
> > -----Original Message-----
> > From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
> > Sent: Friday, September 23, 2016 12:25 PM
> > To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2- 
> > devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > For error code L14:F171:R105, it seems it did not fail in
> > ssl3_get_server_hello().
> > L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED,
> > but for F171, I can't find the corresponding error function.
> > Can you tell us the openssl version your platform used? And what's 
> > the cipher returned from the server hello?
> >
> >
> > Thanks,
> > Jiaxin
> >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On 
> > > Behalf Of Palmer, Thomas
> > > Sent: Friday, September 23, 2016 2:10 AM
> > > To: Samer El Haj Mahmoud <smahmoud@lenovo.com>; Santhapur Naveen 
> > > <naveens@amiindia.co.in>; edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > >
> > > Naveen,
> > >
> > > I may be interpreting this OpenSSL error code incorrectly, so if 
> > > anyone has experience with this please chime in ...
> > >
> > > Looking at 1.0.2h,  the 0x105 reason corresponds with 
> > > SSL_R_WRONG_CIPHER_RETURNED.  This happens in two places in
> > > s3_clnt.c.
> > > This would indicate that the TLS server is wanting to use a cipher 
> > > that the TLS client does not want to use.
> > >
> > > 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ...
> > > but we don't support client certificates or DTLS at this point so 
> > > I would not expect this to be in play.  (unless your server is 
> > > configured for that ...)
> > >
> > > We should confirm this error code interpretation.  If you have a 
> > > debugger, set a break point for each instance of 
> > > SSL_R_WRONG_CIPHER_RETURNED, or add a print statement.  Which
> > openssl version are you using?
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > >
> > > -----Original Message-----
> > > From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> > > Sent: Thursday, September 22, 2016 10:12 AM
> > > To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas 
> > > <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > Are you using the latest code from the edk2-staging branch?
> > >
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On 
> > > Behalf Of Santhapur Naveen
> > > Sent: Thursday, September 22, 2016 7:07 AM
> > > To: Palmer, Thomas <thomas.palmer@hpe.com>; 
> > > edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > > 	Regarding your previous question about the server certificates, 
> > > please find my response as below:
> > >
> > > Do you have the appropriate certificate installed in UEFI for the 
> > > target TLS server?
> > > 	Yes, I do have the appropriate certificate installed on my server.
> > > I have followed the section 2.2 titled "Self-Generated Certificate"
> > > in the white paper to generate the certificates.
> > >
> > > 	I have debugged a bit  further and went inside 
> > > TlsConnectSession() to see where exactly it is failing and I found 
> > > out like it fails in
> > > TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives 
> > > error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> > >
> > > 	If I'm missing anything anywhere, would you please provide your 
> > > comments.
> > >
> > > Thank you,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > > Sent: Thursday, September 22, 2016 12:56 AM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > >
> > > From what you describe, it sounds like they should not have an 
> > > issue negotiating TLS version and cipher.
> > >
> > >
> > > Do you have the appropriate certificate installed in UEFI for the target TLS
> > > server?   Either we need the 3rd-party CA that signed the web server
> > > certificate,
> > > or you could install the self-signed certificate of the web server.
> > >
> > > Also, are you able to see any DEBUG statements from TlsLib.c?
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > > Sent: Wednesday, September 21, 2016 8:09 AM
> > > To: Palmer, Thomas <thomas.palmer@hpe.com>; 
> > > edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > > 	Regarding my previous mail, after the TCP handshake, the client says 
> > > Hello to the server and the server replies with its Hello to the client using TLSv1.
> > >
> > > Client says hello with the following Cipher Suites:
> > >
> > > 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > > 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > > 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > > 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > > 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> > >
> > > 	For the Client Hello, Server responds with its Hello and chooses 
> > > TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client 
> > > sends an acknowledgement to the server and then immediately sends RST.
> > >
> > > 	After some debugging, it was found that it fails in TlsConnectSession().
> > > Would you please provide your comments on this?
> > >
> > >
> > > Thanks,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > > Sent: Tuesday, September 20, 2016 9:30 PM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > 	I cannot see attachments on this email.
> > >
> > > 	What TLS versions and ciphers does your web server support?
> > > Depending on when you built the UEFI image, your server may need 
> > > to have TLS v1.0 enabled and support one of the non-SHA256 ciphers 
> > > listed at the top of TlsLib.c.
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On 
> > > Behalf Of Santhapur Naveen
> > > Sent: Tuesday, September 20, 2016 6:42 AM
> > > To: edk2-devel@lists.01.org
> > > Subject: [edk2] Issues with HTTPS Boot
> > >
> > > Hello All,
> > >
> > >           Since the HTTPS Boot came into the picture, I was very 
> > > enthusiastic to try it. I configured the server as-is explained in 
> > > the white paper 
> > > https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> > >
> > >           But when I try to go for an HTTPS boot, it stops after 
> > > the TCP handshake.
> > > Attached is the Wireshark log. Please help me out and also let me 
> > > know if any other details are needed.
> > >
> > > Thank you,
> > > Naveen
> > > _______________________________________________
> > > edk2-devel mailing list
> > > edk2-devel@lists.01.org
> > > https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply	[flat|nested] 14+ messages in thread
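
The quoted exchange above describes the capture at the point of failure: the ClientHello offers five suites, the ServerHello answers with TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) under TLSv1, and the client then aborts with reason 0x105 (SSL_R_WRONG_CIPHER_RETURNED), which OpenSSL raises when the selected suite is not one the client offered. The following is an added example in C, not code from the thread, from EDK2 or from OpenSSL: it parses a ServerHello record with every length checked before use and applies that membership rule. The record bytes are constructed to match the capture (TLS 1.0, empty session id, suite 0x002f); the 32 random bytes are made up.

```c
/* Added example (not EDK2, OpenSSL or thread code): parse a TLS ServerHello
 * record and apply the client-side rule behind SSL_R_WRONG_CIPHER_RETURNED:
 * the suite the server selects must be one the client offered. The record
 * bytes are constructed to match the capture in the thread (TLS 1.0,
 * TLS_RSA_WITH_AES_128_CBC_SHA = 0x002f). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t record_version;  /* version field of the TLS record header */
    uint16_t server_version;  /* server_version inside the ServerHello body */
    uint16_t cipher_suite;    /* suite selected by the server */
    uint8_t  compression;     /* compression method, 0 = null */
} server_hello_t;

/* Parse one handshake record carrying a ServerHello. Returns 0 on success, -1 if
 * the record is truncated, not a handshake record, or not a ServerHello. */
int parse_server_hello(const uint8_t *buf, size_t len, server_hello_t *out)
{
    /* Record header: ContentType(1) ProtocolVersion(2) length(2) */
    if (len < 5 || buf[0] != 0x16)                  /* 0x16 = handshake */
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len + 5 > len)
        return -1;
    out->record_version = (uint16_t)((buf[1] << 8) | buf[2]);

    /* Handshake header: HandshakeType(1) uint24 length(3) */
    const uint8_t *hs = buf + 5;
    if (rec_len < 4 || hs[0] != 0x02)               /* 0x02 = server_hello */
        return -1;
    size_t body_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (body_len + 4 > rec_len)
        return -1;

    /* Body: server_version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) */
    const uint8_t *b = hs + 4;
    if (body_len < 2 + 32 + 1)
        return -1;
    out->server_version = (uint16_t)((b[0] << 8) | b[1]);
    size_t sid_len = b[34];
    if (sid_len > 32 || body_len < 2 + 32 + 1 + sid_len + 2 + 1)
        return -1;
    const uint8_t *p = b + 35 + sid_len;
    out->cipher_suite = (uint16_t)((p[0] << 8) | p[1]);
    out->compression  = p[2];
    return 0;
}

/* The selected suite must appear in the list we offered. 0x00ff (the
 * renegotiation SCSV) is a signalling value and never a legal selection. */
int cipher_was_offered(uint16_t chosen, const uint16_t *offered, size_t n)
{
    if (chosen == 0x00ff)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (offered[i] == chosen)
            return 1;
    return 0;
}

/* Suites from the ClientHello in the thread's Wireshark capture. */
const uint16_t kOfferedSuites[] = {
    0x0039, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
    0x0033, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
    0x0035, /* TLS_RSA_WITH_AES_256_CBC_SHA */
    0x002f, /* TLS_RSA_WITH_AES_128_CBC_SHA */
    0x00ff, /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
};
const size_t kOfferedCount = sizeof kOfferedSuites / sizeof kOfferedSuites[0];

/* Constructed 47-byte ServerHello record: TLS 1.0, empty session id, suite 0x002f. */
const uint8_t kServerHello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2a,   /* handshake record, TLS 1.0, 42 bytes follow */
    0x02, 0x00, 0x00, 0x26,         /* ServerHello, 38-byte body */
    0x03, 0x01,                     /* server_version = TLS 1.0 */
    0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,   /* 32-byte random, */
    0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0,   /* constructed values */
    0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8,
    0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, 0xc0,
    0x00,                           /* session_id length = 0 */
    0x00, 0x2f,                     /* cipher_suite = TLS_RSA_WITH_AES_128_CBC_SHA */
    0x00,                           /* compression_method = null */
};

/* 1 = acceptable, 0 = not offered (what the client reports as
 * WRONG_CIPHER_RETURNED), -1 = the record did not parse. */
int check_sample_server_hello(void)
{
    server_hello_t sh;
    if (parse_server_hello(kServerHello, sizeof kServerHello, &sh) != 0)
        return -1;
    return cipher_was_offered(sh.cipher_suite, kOfferedSuites, kOfferedCount);
}

int main(void)
{
    int ok = check_sample_server_hello();
    printf("sample ServerHello (TLS 1.0, suite 0x002f) accepted: %s\n",
           ok == 1 ? "yes" : ok == 0 ? "no, suite not offered" : "no, parse error");
    return ok == 1 ? 0 : 1;
}
```

For the capture in the thread, 0x002f is in the offered list, so this membership test passes; that is consistent with Jiaxin's remark that the failure does not look like ssl3_get_server_hello() rejecting the suite. A suite the client did not offer (for example 0x003c, TLS_RSA_WITH_AES_128_CBC_SHA256, one of the SHA256 suites Thomas mentions) or a truncated record is rejected.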

* Re: Issues with HTTPS Boot
       [not found]                   ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
@ 2016-10-20  6:16                     ` Wu, Jiaxin
  0 siblings, 0 replies; 14+ messages in thread
From: Wu, Jiaxin @ 2016-10-20  6:16 UTC (permalink / raw)
  To: Santhapur Naveen, Palmer, Thomas, Samer El Haj Mahmoud,
	edk2-devel@lists.01.org
  Cc: Fu, Siyuan, Ye, Ting, Li, Ruth

Hello Naveen,

Does your code really cover the patches to support the TLS version negotiation (Git SHA-1: 755d1e60c58e1e67130d802ca715d2d4fbfe90e9 + SHA-1: dffa6642081d8b0bd65c339e7a76e99d032e9a7c)?

I noticed the TLS version in the client hello message is TLS1.0. That's not the latest code behavior. You can see the below piece of code in the TlsCtxNew() function:

TlsCtx = SSL_CTX_new (SSLv23_client_method ());

SSLv23_client_method () means to negotiate the highest available SSL/TLS version. So, the TLS version in the client hello message should be TLS1.2 if you keep the default openssl options. So, I have to doubt whether there is any patch you have lost.

If you use the edk2-staging code base and still face the failure, do you mind sharing your generated certificates for verification (rootcert.pem/server.pfx)?

Thanks,
Jiaxin

From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
Sent: Wednesday, October 19, 2016 9:55 PM
To: Wu, Jiaxin <jiaxin.wu@intel.com>; Palmer, Thomas <thomas.palmer@hpe.com>; Samer El Haj Mahmoud <smahmoud@lenovo.com>; edk2-devel@lists.01.org
Cc: Fu, Siyuan <siyuan.fu@intel.com>; Ye, Ting <ting.ye@intel.com>; Li, Ruth <ruth.li@intel.com>
Subject: RE: Issues with HTTPS Boot


Hello Jiaxin,

          I've used the latest code as you suggested in your previous mail and still face the same failure. It has been failing right after receiving "Server Hello", as I said in my previous mail.

The following things were done to confirm that the HTTPS server configured is working fine:

1.    We are able to download Shell.efi using IE within the server.
2.    We are able to download Shell.efi using IE from another system connected to the HTTPS server.

However, we found that accessing Shell.efi from Google Chrome and Mozilla fails both within the HTTPS server and from the other system as well. In your previous mail, you mentioned going through the README notes if I'm using IIS8. I've gone through the README notes and didn't find anything that has to be noted.

Once the client receives Server Hello, the code flow is as below (as debugged):

TlsConnectSession() -> TlsBuildResponsePacket() -> TlsDoHandshake() -> SSL_do_handshake()

The function SSL_do_handshake() is returning -1, causing the failure.

From HttpDxe\HttpsSupport.c, in TlsConnectSession():

i)    Initialize TLS state   -> Success
ii)   Create ClientHello     -> Success
iii)  Transmit ClientHello   -> Success
iv)   Inside the while loop

   while (HttpInstance->TlsSessionState != EfiTlsSessionDataTransferring && \
          ((Timeout == NULL) || EFI_ERROR (gBS->CheckEvent (Timeout)))) {

      i)   Receive one TLS record -> Success
      ii)  HttpInstance->Tls->BuildResponsePacket() -> Protocol Error

           Status = HttpInstance->Tls->BuildResponsePacket (
                      HttpInstance->Tls,
                      BufferIn,
                      BufferInSize,
                      BufferOut,
                      &BufferOutSize
                      );
           DEBUG ((-1, "HttpInstance->Tls->BuildResponsePacket while Status= %r\n", Status)); // Protocol Error

      iii) If we DEBUG TlsBuildResponsePacket() further, in TlsDxe\TlsProtocol.c:

           } else {
             //
             // 1. Received packet may have multiple TLS record messages.
             // 2. One TLS record message may have multiple handshake protocol messages.
             // 3. Some errors may have happened in the handshake.
             // TlsDoHandshake() can handle all of those cases.
             //
             if (TlsInHandshake (Instance->TlsConn)) {
               Status = TlsDoHandshake (
                          Instance->TlsConn,
                          RequestBuffer,
                          RequestSize,
                          Buffer,
                          BufferSize
                          );
               DEBUG ((-1, "TlsBuildResponsePacket: else Status = TlsDoHandshake=%r\n", Status)); // Protocol Error

      iv)  If we DEBUG TlsDoHandshake() further, in CryptoPkg\Library\TlsLib\TlsLib.c:

           if (Ret < 1) {
             Ret = SSL_get_error (TlsConn->Ssl, (int) Ret);
             if (Ret == SSL_ERROR_SSL ||
                 Ret == SSL_ERROR_SYSCALL ||
                 Ret == SSL_ERROR_ZERO_RETURN) {

               DEBUG_CODE_BEGIN ();
               while (TRUE) {
                 ErrorCode = ERR_get_error ();
                 if (ErrorCode == 0) {
                   break;
                 }
                 DEBUG ((
                   DEBUG_ERROR,
                   "%a ERROR 0x%x=L%x:F%x:R%x\n",      // TlsDoHandshake ERROR 0x14171105=L14:F171:R105
                   __FUNCTION__,
                   ErrorCode,
                   ERR_GET_LIB (ErrorCode),
                   ERR_GET_FUNC (ErrorCode),
                   ERR_GET_REASON (ErrorCode)
                   ));
               }
               DEBUG_CODE_END ();
               ///// Returns from here
               return EFI_PROTOCOL_ERROR;
             }
           }

          Please check the attachments, which may help you to get to know the problem:

1.    HTTPS_Failure_Log - Log captured when the SUT is performing an HTTPS boot.
2.    HTTPS_ServerConfigSuccess - Log captured when Shell.efi was downloaded from another system using IE.

          It would be very helpful if you could provide me any suggestions as to where I am going wrong. Also please feel free to ask if you need any other details from us.

Thank you,
Naveen


^ permalink raw reply	[flat|nested] 14+ messages in thread
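
The TlsDoHandshake() DEBUG line quoted in this message prints the raw ERR_get_error() value and its three fields ("0x14171105=L14:F171:R105"), and the thread spends several messages reading those digits by hand. The following is an added example in C, not code from the thread, from EDK2 or from OpenSSL, that decodes such a code the way the OpenSSL 1.0.2 macros do: lib in the top 8 bits, function code in the next 12, reason in the low 12. It assumes the platform's OpenSSL is a 1.0.2 release, as the thread states (1.0.2g through 1.0.2j); OpenSSL 3.x changed the packing and no longer carries a function field. The function and reason fields are separate numbering spaces, so reason 0x105 is SSL_R_WRONG_CIPHER_RETURNED regardless of which function also happens to be numbered 0x105. The ERR_LIB_* and SSL_R_* values in the tables are a small subset of the ones in err.h and ssl.h.

```c
/* Added example (not EDK2, OpenSSL or thread code): decode the value that
 * TlsDoHandshake() prints as "ERROR 0x%x=L%x:F%x:R%x". OpenSSL 1.0.2 packs an
 * ERR_get_error() code as lib (8 bits) | func (12 bits) | reason (12 bits);
 * the bit layout and the constant values below are the ones in its err.h and
 * ssl.h. Only a handful of libraries and reason codes are tabulated. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned lib;     /* ERR_GET_LIB:    which library raised it (20 = SSL) */
    unsigned func;    /* ERR_GET_FUNC:   function code, private to that library */
    unsigned reason;  /* ERR_GET_REASON: reason code, private to that library */
} openssl_err_t;

/* Mirrors ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON from OpenSSL 1.0.2 err.h. */
openssl_err_t decode_openssl_error(unsigned long code)
{
    openssl_err_t e;
    e.lib    = (unsigned)((code >> 24) & 0xffUL);
    e.func   = (unsigned)((code >> 12) & 0xfffUL);
    e.reason = (unsigned)(code & 0xfffUL);
    return e;
}

/* Mirrors ERR_PACK: rebuilds a code from the L:F:R digits seen in a serial log. */
unsigned long pack_openssl_error(unsigned lib, unsigned func, unsigned reason)
{
    return ((unsigned long)(lib & 0xffU) << 24) |
           ((unsigned long)(func & 0xfffU) << 12) |
           (unsigned long)(reason & 0xfffU);
}

/* ERR_LIB_* values from err.h (subset). */
const char *openssl_lib_name(unsigned lib)
{
    switch (lib) {
    case 2:  return "SYS";
    case 9:  return "PEM";
    case 11: return "X509";
    case 13: return "ASN1";
    case 20: return "SSL";
    default: return "(lib not in this table)";
    }
}

/* SSL_R_* values from OpenSSL 1.0.2 ssl.h (subset seen in handshake failures). */
const char *ssl_reason_name(unsigned reason)
{
    switch (reason) {
    case 134:  return "SSL_R_CERTIFICATE_VERIFY_FAILED";
    case 181:  return "SSL_R_NO_CIPHERS_AVAILABLE";
    case 261:  return "SSL_R_WRONG_CIPHER_RETURNED";
    case 267:  return "SSL_R_WRONG_VERSION_NUMBER";
    case 1040: return "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE";
    case 1048: return "SSL_R_TLSV1_ALERT_UNKNOWN_CA";
    case 1070: return "SSL_R_TLSV1_ALERT_PROTOCOL_VERSION";
    default:   return "(reason not in this table)";
    }
}

/* SSL reasons at or above SSL_AD_REASON_OFFSET (1000) are alerts received from
 * the peer, offset by 1000. Returns the alert number, or -1 when the error was
 * raised locally. In the thread 261 < 1000: the UEFI client itself rejected the
 * ServerHello; the server sent no alert. */
int peer_alert_number(unsigned reason)
{
    return reason >= 1000 ? (int)(reason - 1000) : -1;
}

/* Render one code as a human-readable line for the boot log. */
void describe_openssl_error(unsigned long code, char *out, size_t out_len)
{
    openssl_err_t e = decode_openssl_error(code);
    int alert = peer_alert_number(e.reason);
    if (e.lib == 20 && alert >= 0)
        snprintf(out, out_len, "0x%lx: lib %s, func %u, peer alert %d (%s)",
                 code, openssl_lib_name(e.lib), e.func, alert, ssl_reason_name(e.reason));
    else if (e.lib == 20)
        snprintf(out, out_len, "0x%lx: lib %s, func %u, local reason %u (%s)",
                 code, openssl_lib_name(e.lib), e.func, e.reason, ssl_reason_name(e.reason));
    else
        snprintf(out, out_len, "0x%lx: lib %s, func %u, reason %u",
                 code, openssl_lib_name(e.lib), e.func, e.reason);
}

int main(void)
{
    char line[128];
    describe_openssl_error(0x14171105UL, line, sizeof line);   /* the code from the thread */
    puts(line);
    describe_openssl_error(pack_openssl_error(20, 0, 1070), line, sizeof line);
    puts(line);                                                 /* a peer protocol_version alert */
    return 0;
}
```

The reason field is the part worth reading first: a value below 1000 is a check the client itself failed (here, the cipher the server returned), while a value of 1000 or more is an alert the server sent, which points at the server configuration or at the certificate it presented rather than at the client's suite list.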

end of thread, other threads:[~2016-10-20  6:16 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-20 11:41 Issues with HTTPS Boot Santhapur Naveen
2016-09-20 15:59 ` Palmer, Thomas
2016-09-21 13:09   ` Santhapur Naveen
2016-09-21 19:25     ` Palmer, Thomas
2016-09-22 14:06       ` Santhapur Naveen
2016-09-22 15:12         ` Samer El Haj Mahmoud
2016-09-22 18:10           ` Palmer, Thomas
2016-09-23  6:54             ` Wu, Jiaxin
2016-09-23  7:01               ` Santhapur Naveen
2016-09-26  1:46                 ` Wu, Jiaxin
2016-09-30  5:26                 ` Wu, Jiaxin
2016-09-30  5:29                   ` Santhapur Naveen
     [not found]                   ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
2016-10-20  6:16                     ` Wu, Jiaxin
2016-09-23  7:04           ` Santhapur Naveen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox