From mboxrd@z Thu Jan 1 00:00:00 1970
From: Santhapur Naveen
To: "Wu, Jiaxin"; "Palmer, Thomas"; Samer El Haj Mahmoud; edk2-devel@lists.01.org
CC: "Fu, Siyuan"; "Ye, Ting"; "Li, Ruth"
Subject: Re: Issues with HTTPS Boot
Date: Fri, 30 Sep 2016 05:29:46 +0000
Message-ID: <625A2455CC232F40B0F38F05ACED6D978C2C9CE6@VENUS1.in.megatrends.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B72741388BB24@SHSMSX103.ccr.corp.intel.com>
References: <625A2455CC232F40B0F38F05ACED6D978C2C2225@VENUS1.in.megatrends.com> <625A2455CC232F40B0F38F05ACED6D978C2C29FD@VENUS1.in.megatrends.com> <625A2455CC232F40B0F38F05ACED6D978C2C2C5E@VENUS1.in.megatrends.com> <54EF1A77C479D840AF005ED34A3DC6597041C6@USMAILMBX02> <895558F6EA4E3B41AC93A00D163B727413889028@SHSMSX103.ccr.corp.intel.com> <625A2455CC232F40B0F38F05ACED6D978C2C2DE7@VENUS1.in.megatrends.com> <895558F6EA4E3B41AC93A00D163B72741388BB24@SHSMSX103.ccr.corp.intel.com>
List-Id: EDK II Development
X-List-Received-Date: Fri, 30 Sep 2016 05:29:14 -0000
Content-Type: text/plain; charset="us-ascii"

Hi Jiaxin,

Thank you very much for the information you have provided. I shall try and update you.

Thank you once again.
Best Regards,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
Sent: Friday, September 30, 2016 10:56 AM
To: Santhapur Naveen; Palmer, Thomas; Samer El Haj Mahmoud; edk2-devel@lists.01.org
Cc: Fu, Siyuan; Ye, Ting; Li, Ruth
Subject: RE: Issues with HTTPS Boot

Hi Naveen,

I have tried the openssl-1.0.2h and openssl-1.0.2j (the latest edk2-master version); both of them work well with the UEFI HTTPS in the staging branch. I haven't met your issue :(. Now, I have synced the patches from EDK2 master (https://github.com/tianocore/edk2) to the HTTPS-TLS branch (https://github.com/tianocore/edk2-staging/tree/HTTPS-TLS). That means the current HTTPS in the branch is developed based on openssl-1.0.2j.

I noticed you're not using the latest code from the edk2-staging branch because your code base seems not to support the TLS version negotiation feature. Can you retry the latest code in the current HTTPS-TLS branch?

In order to eliminate the HTTPS server configuration issue, you can use IE or Chrome or any other HTTPS client (Note: don't forget to enroll the server CA cert) to verify the HTTPS server's functionality first. That can also help you to verify your self-signed certificates :). If you are using the IIS8 HTTPS server, please also be aware of the README notes.

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Monday, September 26, 2016 9:46 AM
> To: Santhapur Naveen; Palmer, Thomas; Samer El Haj Mahmoud; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> The version in edk2-staging is openssl-1.0.2g; I can't reproduce the failure case in the latest branch. From the limited debug information, I'm not sure whether it's a compatibility issue with openssl-1.0.2h. It is also possible that your server configuration is incorrect. Anyway, I will try openssl-1.0.2h.
> But before that, please make sure all the HTTPS related patches have been synced to your platform (from edk2-staging version: 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).
>
> Thanks,
> Jiaxin
>
> > -----Original Message-----
> > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > Sent: Friday, September 23, 2016 3:01 PM
> > To: Wu, Jiaxin; Palmer, Thomas; Samer El Haj Mahmoud; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Hi Jiaxin,
> >
> > The openssl version I have been using is 1.0.2h and the cipher returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
> >
> > Thanks,
> > Naveen
> >
> > -----Original Message-----
> > From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
> > Sent: Friday, September 23, 2016 12:25 PM
> > To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171, I can't find the corresponding error function represented. Can you tell us the openssl version your platform used? And what's the cipher returned from the server hello?
> >
> > Thanks,
> > Jiaxin
> >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Palmer, Thomas
> > > Sent: Friday, September 23, 2016 2:10 AM
> > > To: Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...
> > >
> > > Looking at 1.0.2h, the 0x105 reason corresponds with SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c.
> > > This would indicate that the TLS server is wanting to use a cipher that the TLS client does not want to use.
> > >
> > > 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point, so I would not expect this to be in play (unless your server is configured for that ...).
> > >
> > > We should confirm this error code interpretation. If you have a debugger, set a break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which openssl version are you using?
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> > > Sent: Thursday, September 22, 2016 10:12 AM
> > > To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > Are you using the latest code from the edk2-staging branch?
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> > > Sent: Thursday, September 22, 2016 7:07 AM
> > > To: Palmer, Thomas; edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > > Regarding your previous question about the server certificates, please find my response below:
> > >
> > > Do you have the appropriate certificate installed in UEFI for the target TLS server?
> > > Yes, I do have the appropriate certificate installed on my server. I have followed the section 2.2 titled "Self-Generated Certificate" in the white paper to generate the certificates.
> > >
> > > I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found out that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> > >
> > > If I'm missing anything anywhere, would you please provide your comments.
> > >
> > > Thank you,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > > Sent: Thursday, September 22, 2016 12:56 AM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.
> > >
> > > Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.
> > >
> > > Also, are you able to see any DEBUG statements from TlsLib.c?
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > > Sent: Wednesday, September 21, 2016 8:09 AM
> > > To: Palmer, Thomas; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > > Regarding my previous mail, after the TCP handshake, the Client says Hello to the server and the Server replies with its Hello to the client with TLSv1.
> > >
> > > The Client says hello with the following Cipher Suites:
> > >
> > > 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > > 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > > 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > > 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > > 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> > >
> > > For the Client Hello, the Server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.
> > >
> > > After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?
> > >
> > > Thanks,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > > Sent: Tuesday, September 20, 2016 9:30 PM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > I cannot see attachments on this email.
> > >
> > > What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> > > Sent: Tuesday, September 20, 2016 6:42 AM
> > > To: edk2-devel@lists.01.org
> > > Subject: [edk2] Issues with HTTPS Boot
> > >
> > > Hello All,
> > >
> > > Since the HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> > >
> > > But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log.
> > > Please help me out and also let me know if any other details are needed.
> > >
> > > Thank you,
> > > Naveen
> > > _______________________________________________
> > > edk2-devel mailing list
> > > edk2-devel@lists.01.org
> > > https://lists.01.org/mailman/listinfo/edk2-devel
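Added worked example, not code from this thread, from edk2's TlsLib or from OpenSSL: it unpacks the TlsDoHandshake error code 0x14171105 into the L14:F171:R105 triple the thread discusses, and models the client-side check that raises SSL_R_WRONG_CIPHER_RETURNED (the ServerHello must select a suite the ClientHello offered) against the suites captured in the Wireshark log. It assumes the OpenSSL 1.0.2 ERR_PACK bit layout (library in bits 24..31, function in bits 12..23, reason in bits 0..11) and leaves function code 0x171 unnamed, as the thread did; the ClientHello bytes are constructed for the example.

```python
"""Decode a packed OpenSSL 1.0.2-style error code and check a TLS
ServerHello cipher choice against the ClientHello offer.

Constructed example; not code from the edk2 thread, TlsLib or OpenSSL.
Assumes the OpenSSL 1.0.2 ERR_PACK layout: library in bits 24..31,
function in bits 12..23, reason in bits 0..11.
"""
import struct

# OpenSSL 1.0.2 library number for libssl (ERR_LIB_SSL == 20 == 0x14).
ERR_LIB_SSL = 0x14

# Only the reason code the thread established is named here; other codes
# need the exact OpenSSL version's ssl.h and are left unnamed.
SSL_REASONS = {0x105: "SSL_R_WRONG_CIPHER_RETURNED"}

# IANA cipher suite values as they appear in the thread's capture.
CIPHER_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
RENEGOTIATION_SCSV = 0x00FF

# Constructed ClientHello body (after the 4-byte handshake header) that
# offers exactly the five suites listed in the thread.
CLIENT_HELLO_BODY = (
    b"\x03\x01"                                   # client_version: TLS 1.0
    + b"\x00" * 32                                # random (constructed zeros)
    + b"\x00"                                     # session_id length: 0
    + b"\x00\x0a"                                 # cipher_suites length: 10 bytes
    + b"\x00\x39\x00\x33\x00\x35\x00\x2f\x00\xff"  # the five offered suites
    + b"\x01\x00"                                 # compression_methods: [null]
)


def unpack_openssl_error(code):
    """Split a packed error code into (lib, func, reason) integers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_openssl_error(code):
    """Render a code the way the thread's debug print shows it (L..:F..:R..),
    adding the names that are known; the function code stays numeric."""
    lib, func, reason = unpack_openssl_error(code)
    lib_name = "ERR_LIB_SSL" if lib == ERR_LIB_SSL else "lib %d" % lib
    reason_name = SSL_REASONS.get(reason, "reason %d (unnamed here)" % reason)
    return "L%X:F%X:R%X -> %s, func %d, %s" % (
        lib, func, reason, lib_name, func, reason_name)


def parse_client_hello_ciphers(body):
    """Return the cipher_suites vector of a ClientHello body as a list of
    16-bit suite IDs, validating the length fields as it goes."""
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    if cs_len == 0 or cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack(">H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]


def check_server_cipher(offered, selected):
    """Model the client-side check behind SSL_R_WRONG_CIPHER_RETURNED: the
    suite the server selected must be one the client offered. The
    renegotiation SCSV is a signalling value, never a selectable suite."""
    real_suites = [c for c in offered if c != RENEGOTIATION_SCSV]
    name = CIPHER_NAMES.get(selected, "unknown suite")
    if selected not in real_suites:
        return False, "server chose %s (0x%04x), which was not offered" % (name, selected)
    return True, "server chose %s (0x%04x), which was offered" % (name, selected)


if __name__ == "__main__":
    print(describe_openssl_error(0x14171105))
    offered = parse_client_hello_ciphers(CLIENT_HELLO_BODY)
    print("offered:", ["0x%04x" % c for c in offered])
    # The capture in the thread: server picked 0x002f, which is in the offer,
    # so the plain "unoffered cipher" path does not explain the failure.
    print(check_server_cipher(offered, 0x002F))
```

Running it prints "L14:F171:R105 -> ERR_LIB_SSL, func 369, SSL_R_WRONG_CIPHER_RETURNED" and confirms that 0x002f was among the offered suites, which is why the thread turns to the code base version and server configuration rather than the cipher list itself.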