From: jacopo.r00ta@gmail.com
To: Laszlo Ersek, devel@edk2.groups.io
Subject: Re: [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate
Date: Mon, 30 Oct 2023 23:10:28 -0700
Message-ID: <7135.1698732628313427950@groups.io>
In-Reply-To: <515c91c9-74e8-339e-45c5-adf0cb8d3542@redhat.com>

Hi Laszlo,

If I generate the certificate like

openssl req -new -nodes -x509 -days 365 -keyout server.key -out server.crt -config config

it works perfectly fine (with the original configuration).

The problem stands with the chain of certificates, meaning that I have a root certificate (let's call it A) and sign another one for an IP (let's call it B). Then in the image server with such IP I set the certificate B, and in the VM I trust the certificate A. Unless I missed something, this scenario is not covered in https://listman.redhat.com/archives/edk2-devel-archive/2019-October/009601.html.

Could you confirm this is supposed to work?

Thank you very much for your time on this, I appreciate it!

Jacopo
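
The A/B setup described in the message above, reproduced and checked with OpenSSL alone; this is an added example, not part of the original message or of edk2. The address 192.0.2.10, the subject names and all file names are placeholders, and a passing check only shows that the certificates themselves chain and carry the IP, not how the firmware's TLS stack treats them.

```shell
#!/bin/sh
# Constructed example: root A signs leaf B for an IP; B is then verified against A.
# 192.0.2.10 (documentation range) and every file name here are placeholders.
make_chain() {  # $1 = work dir, $2 = server IP
    dir=$1; ip=$2
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root A
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $ip
EOF
    # Extensions for B: an IP-type SAN, which is what -verify_ip matches below.
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = IP:%s\n' "$ip" > "$dir/leaf.ext"
    # A: self-signed root (the certificate the client is told to trust).
    openssl req -new -nodes -x509 -days 365 -newkey rsa:2048 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # B: key + CSR, then signed by A (what the image server presents).
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/leaf.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" -extfile "$dir/leaf.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}
# Succeeds only if B chains to A and B's SAN contains the given IP.
check_chain_for_ip() {  # $1 = work dir, $2 = IP the client connects to
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}
san_of_leaf() {  # prints the IP entries of B's subjectAltName
    openssl x509 -in "$1/server.crt" -noout -text | grep 'IP Address:'
}
work=$(mktemp -d)
if make_chain "$work" 192.0.2.10 && check_chain_for_ip "$work" 192.0.2.10; then
    echo "B verifies against A for 192.0.2.10:$(san_of_leaf "$work")"
else
    echo "chain or IP check failed"
fi
```

If the check fails for the address the client actually connects to, the problem is in the certificates rather than in the client that trusts A.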
