From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "Palmer, Thomas" <thomas.palmer@hpe.com>,
Samer El Haj Mahmoud <smahmoud@lenovo.com>,
Santhapur Naveen <naveens@amiindia.co.in>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: Issues with HTTPS Boot
Date: Fri, 23 Sep 2016 06:54:40 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B727413889028@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <CS1PR84MB01512C1EFFFD2B0A45AB7FAAEDC90@CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM>
Naveen,
For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171 I can't find the corresponding error function it represents. Can you tell us the OpenSSL version your platform uses, and what cipher is returned in the server hello?
Thanks,
Jiaxin
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud <smahmoud@lenovo.com>; Santhapur Naveen
> <naveens@amiindia.co.in>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
>
> Naveen,
>
> I may be interpreting this OpenSSL error code incorrectly, so if anyone has
> experience with this please chime in ...
>
> Looking at 1.02.h, the 0x105 reason corresponds with
> SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c.
> This would indicate that the TLS server is wanting to use a cipher that the TLS
> client does not want to use.
>
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but
> we don't support client certificates or DTLS at this point so I would not expect
> this to be in play. (unless your server is configured for that ...)
>
> We should confirm this error code interpretation. If you have a debugger, set a
> break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a
> print statement. Which openssl version are you using?
>
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it
> shorter" - Blaise Pascal
>
>
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas
> <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> Are you using the latest code form the edk2-staging branch?
>
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding your previous question about the server certificates, please
> find my response as below:
>
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server?
> Yes, I do have the appropriate certificate installed on my server. I have
> followed the section 2.2 titled "Self-Generated Certificate" in the white paper
> to generate the certificates.
>
> I have debugged a bit further and went inside TlsConnectSession() to
> see where exactly it is failing and I found out like it fails in TlsDoHandshake()
> and gives PROTOCOL ERROR. To be precise, it gives error as "TlsDoHandshake
> ERROR 0x14171105=L14:F171:R105".
>
> If I'm missing anything anywhere, would you please provide your
> comments.
>
> Thank you,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
>
> From what you describe, it sounds like they should not have an issue
> negotiating TLS version and cipher.
>
>
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server? Either we need the 3rd-party CA that signed the web server certificate,
> or you could install the self-signed certificate of the web server.
>
> Also, are you able to see any DEBUG statements from TlsLib.c?
>
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it
> shorter" - Blaise Pascal
>
> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding my previous mail, after TCP handshake, Client Says Hello to
> server and the Server replies its Hello to the client with TLSv1.
>
> Client says hello with the following Cipher Suites:
>
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>
> For the Client Hello, Server responds with its Hello and chooses
> TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an
> acknowledgement to the server and then immediately sends RST.
>
> After some debugging, it was found that it fails in TlsConnectSession().
> Would you please provide your comments on this?
>
>
> Thanks,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> I cannot see attachments on this email.
>
> What TLS versions and ciphers does your web server support?
> Depending on when you built the UEFI image, your server may need to have
> TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of
> TlsLib.c.
>
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it
> shorter" - Blaise Pascal
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
>
> Hello All,
>
> Since the HTTPS Boot came into picture, I was very enthusiastic to try it. I
> configured the server as is explained in the white paper
> https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
>
> But when I try to go for an HTTPS boot, it stops after the TCP handshake.
> Attached is the Wireshark log. Please help me out and also let me know if any
> other details are needed.
>
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
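Added example, not code from this thread or from TlsLib: a small C program that unpacks an OpenSSL 1.0.x packed error code into the L:F:R fields that TlsLib prints, names the two fields the thread identifies (ERR_LIB_SSL = 20, SSL_R_WRONG_CIPHER_RETURNED = 261 in OpenSSL 1.0.2), and checks whether the suite the server selected was among those the client offered in the captured Client Hello. The function code F171 is left unnamed, as it is in the thread.

```c
#include <stdio.h>
#include <stddef.h>

/* OpenSSL 1.0.x packs an error as lib (8 bits) : func (12 bits) : reason (12 bits).
 * TlsLib prints the same three fields in hex, e.g. 0x14171105 = L14:F171:R105. */
unsigned err_lib(unsigned long code)    { return (unsigned)((code >> 24) & 0xff);  }
unsigned err_func(unsigned long code)   { return (unsigned)((code >> 12) & 0xfff); }
unsigned err_reason(unsigned long code) { return (unsigned)(code & 0xfff);         }

/* Only the two values the thread confirms are mapped; anything else is "unknown". */
const char *lib_name(unsigned lib) {
    return lib == 20 ? "ERR_LIB_SSL" : "unknown";
}
const char *reason_name(unsigned lib, unsigned reason) {
    if (lib == 20 && reason == 261) return "SSL_R_WRONG_CIPHER_RETURNED";
    return "unknown";
}

/* Cipher suite IDs from the Client Hello described in the thread (sample data
 * copied from the mail, not a live capture). */
const unsigned short kOfferedSuites[] = {0x0039, 0x0033, 0x0035, 0x002f, 0x00ff};
const size_t kOfferedCount = sizeof(kOfferedSuites) / sizeof(kOfferedSuites[0]);

/* Returns 1 if the suite the server picked was in the client's offered list. */
int server_choice_offered(const unsigned short *offered, size_t n, unsigned short chosen) {
    for (size_t i = 0; i < n; i++)
        if (offered[i] == chosen) return 1;
    return 0;
}

int main(void) {
    unsigned long code = 0x14171105UL;   /* the value Naveen reported */
    printf("L%x:F%x:R%x -> lib %u (%s), func %u, reason %u (%s)\n",
           err_lib(code), err_func(code), err_reason(code),
           err_lib(code), lib_name(err_lib(code)), err_func(code),
           err_reason(code), reason_name(err_lib(code), err_reason(code)));
    printf("server chose 0x002f; offered by client: %s\n",
           server_choice_offered(kOfferedSuites, kOfferedCount, 0x002f) ? "yes" : "no");
    return 0;
}
```

If the server's choice is in the offered list yet the client still raises SSL_R_WRONG_CIPHER_RETURNED, the list the client actually sent and the list OpenSSL was configured with differ, which is the comparison Thomas's breakpoint suggestion is meant to surface.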