From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Santhapur Naveen <naveens@amiindia.co.in>,
"Palmer, Thomas" <thomas.palmer@hpe.com>,
Samer El Haj Mahmoud <smahmoud@lenovo.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: Issues with HTTPS Boot
Date: Mon, 26 Sep 2016 01:46:07 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B727413889597@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <625A2455CC232F40B0F38F05ACED6D978C2C2DE7@VENUS1.in.megatrends.com>
Naveen,
The version in edk2-staging is openssl-1.0.2g; I can't reproduce the failure case in the latest branch. From the limited debug information, I'm not sure whether it's a compatibility issue with openssl-1.0.2h. It is also possible that your server configuration is incorrect. Anyway, I will try openssl-1.0.2h. But before that, please make sure all the HTTPS-related patches have been synced to your platform (from edk2-staging version 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).
Thanks,
Jiaxin
> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Friday, September 23, 2016 3:01 PM
> To: Wu, Jiaxin <jiaxin.wu@intel.com>; Palmer, Thomas
> <thomas.palmer@hpe.com>; Samer El Haj Mahmoud
> <smahmoud@lenovo.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Hi Jiaxin,
>
> The openssl version I have been using is 1.0.2h and the cipher returned
> by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
>
> Thanks,
> Naveen
>
> -----Original Message-----
> From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
> Sent: Friday, September 23, 2016 12:25 PM
> To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello().
> L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but
> for F171, I can't find the corresponding error function it represents. Can you tell
> us the openssl version your platform uses? And what's the cipher returned from the
> server hello?
>
>
> Thanks,
> Jiaxin
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Palmer, Thomas
> > Sent: Friday, September 23, 2016 2:10 AM
> > To: Samer El Haj Mahmoud <smahmoud@lenovo.com>; Santhapur Naveen
> > <naveens@amiindia.co.in>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Issues with HTTPS Boot
> >
> >
> > Naveen,
> >
> > I may be interpreting this OpenSSL error code incorrectly, so if
> > anyone has experience with this please chime in ...
> >
> > Looking at 1.0.2h, the 0x105 reason corresponds with
> > SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c.
> > This would indicate that the TLS server is wanting to use a cipher
> > that the TLS client does not want to use.
> >
> > 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ...
> > but we don't support client certificates or DTLS at this point so I
> > would not expect this to be in play. (unless your server is
> > configured for that ...)
> >
> > We should confirm this error code interpretation. If you have a
> > debugger, set a break point for each instance of
> > SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which
> openssl version are you using?
> >
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time
> > to make it shorter" - Blaise Pascal
> >
> >
> > -----Original Message-----
> > From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> > Sent: Thursday, September 22, 2016 10:12 AM
> > To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas
> > <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > Are you using the latest code from the edk2-staging branch?
> >
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Santhapur Naveen
> > Sent: Thursday, September 22, 2016 7:07 AM
> > To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Issues with HTTPS Boot
> >
> > Hi Thomas,
> >
> > Regarding your previous question about the server certificates,
> > please find my response as below:
> >
> > Do you have the appropriate certificate installed in UEFI for the
> > target TLS server?
> > Yes, I do have the appropriate certificate installed on my server. I
> > have followed the section 2.2 titled "Self-Generated Certificate" in
> > the white paper to generate the certificates.
> >
> > I have debugged a bit further and went inside TlsConnectSession() to
> > see where exactly it is failing, and I found that it fails in
> > TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the
> > error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> >
> > If I'm missing anything anywhere, would you please provide your
> > comments.
> >
> > Thank you,
> > Naveen
> >
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Thursday, September 22, 2016 12:56 AM
> > To: Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> >
> > From what you describe, it sounds like they should not have an issue
> > negotiating TLS version and cipher.
> >
> >
> > Do you have the appropriate certificate installed in UEFI for the target TLS
> > server? Either we need the third-party CA that signed the web server
> > certificate, or you could install the self-signed certificate of the web server.
> >
> > Also, are you able to see any DEBUG statements from TlsLib.c?
> >
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time
> > to make it shorter" - Blaise Pascal
> >
> > -----Original Message-----
> > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > Sent: Wednesday, September 21, 2016 8:09 AM
> > To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Hi Thomas,
> >
> > Regarding my previous mail, after the TCP handshake, the client says Hello to the
> > server and the server replies with its Hello to the client with TLSv1.
> >
> > Client says hello with the following Cipher Suites:
> >
> > 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> >
> > For the Client Hello, Server responds with its Hello and chooses
> > TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an
> > acknowledgement to the server and then immediately sends RST.
> >
> > After some debugging, it was found that it fails in TlsConnectSession().
> > Would you please provide your comments on this?
> >
> >
> > Thanks,
> > Naveen
> >
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Tuesday, September 20, 2016 9:30 PM
> > To: Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > I cannot see attachments on this email.
> >
> > What TLS versions and ciphers does your web server support?
> > Depending on when you built the UEFI image, your server may need to
> > have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed
> > at the top of TlsLib.c.
> >
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time
> > to make it shorter" - Blaise Pascal
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Santhapur Naveen
> > Sent: Tuesday, September 20, 2016 6:42 AM
> > To: edk2-devel@lists.01.org
> > Subject: [edk2] Issues with HTTPS Boot
> >
> > Hello All,
> >
> > Since HTTPS Boot came into the picture, I was very
> > enthusiastic to try it. I configured the server as explained in the
> > white paper
> > https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> >
> > But when I try to go for an HTTPS boot, it stops after the TCP handshake.
> > Attached is the Wireshark log. Please help me out and also let me know
> > if any other details are needed.
> >
> > Thank you,
> > Naveen
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
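Added example, not code from the thread or from the edk2/OpenSSL projects: it decodes the packed OpenSSL 1.0.2-style error value quoted above (0x14171105) into the library, function and reason fields that TlsLib.c printed as L14:F171:R105, and re-implements the client-side membership check in ssl3_get_server_hello() that raises SSL_R_WRONG_CIPHER_RETURNED when the ServerHello names a suite the client never offered, run against the suite list from Naveen's capture. The numeric constants (ERR_LIB_SSL = 20, SSL_R_WRONG_CIPHER_RETURNED = 261) and the 8/12/12-bit packing are taken from the OpenSSL 1.0.2 headers and are assumptions of this example; the function code 0x171 is left undecoded, as in the thread, and the helper names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * OpenSSL 1.0.2 packs an error code as
 *   (lib & 0xff) << 24 | (func & 0xfff) << 12 | (reason & 0xfff)
 * which is exactly the L:F:R split that TlsLib.c printed. (Assumed from
 * the 1.0.2 err.h macros ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON.)
 */
typedef struct {
    unsigned lib;
    unsigned func;
    unsigned reason;
} ErrParts;

static ErrParts err_unpack(unsigned long e)
{
    ErrParts p;
    p.lib    = (unsigned)((e >> 24) & 0xff);
    p.func   = (unsigned)((e >> 12) & 0xfff);
    p.reason = (unsigned)(e & 0xfff);
    return p;
}

/* Values copied from OpenSSL 1.0.2 err.h / ssl.h (assumed). */
#define OSSL_ERR_LIB_SSL                 20   /* 0x14 */
#define OSSL_SSL_R_WRONG_CIPHER_RETURNED 261  /* 0x105 */

/* 1 if the packed error is the SSL library's "wrong cipher returned" reason. */
static int is_wrong_cipher_returned(unsigned long e)
{
    ErrParts p = err_unpack(e);
    return p.lib == OSSL_ERR_LIB_SSL && p.reason == OSSL_SSL_R_WRONG_CIPHER_RETURNED;
}

/*
 * Suites the UEFI client offered in the capture described in the thread.
 * 0x00ff (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) is a signalling value, not a
 * negotiable suite, so a server may never select it; it is left out here.
 */
static const uint16_t kOffered[] = { 0x0039, 0x0033, 0x0035, 0x002f };

/*
 * Mirror of the membership check in ssl3_get_server_hello(): the suite named
 * in the ServerHello must be one the client listed in its ClientHello, else
 * the client aborts with SSL_R_WRONG_CIPHER_RETURNED (illegal_parameter).
 * Returns 1 when the chosen suite was offered, 0 when it was not.
 */
static int server_hello_cipher_ok(const uint16_t *offered, size_t n, uint16_t chosen)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (offered[i] == chosen)
            return 1;
    return 0;
}

/* Same check bound to the capture's suite list. */
static int thread_client_accepts(uint16_t chosen)
{
    return server_hello_cipher_ok(kOffered, sizeof kOffered / sizeof kOffered[0], chosen);
}

int main(void)
{
    unsigned long code = 0x14171105UL;   /* value from the TlsDoHandshake DEBUG line */
    ErrParts p = err_unpack(code);

    printf("0x%08lx -> L%x:F%x:R%x  wrong_cipher_returned=%d\n",
           code, p.lib, p.func, p.reason, is_wrong_cipher_returned(code));
    /* The capture's ServerHello picked 0x002f, which the client did offer. */
    printf("server chose 0x002f: offered=%d\n", thread_client_accepts(0x002f));
    /* A suite the client never listed would trip the check. */
    printf("server chose 0x003c: offered=%d\n", thread_client_accepts(0x003c));
    return 0;
}
```

Running it decodes 0x14171105 to L14:F171:R105 and reports the 0x002f choice as offered, so this particular membership check passes for the capture in the thread; the decoder is the quickest way to turn any TlsDoHandshake error value into the lib/reason pair before grepping the OpenSSL headers.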
Thread overview: 14+ messages
2016-09-20 11:41 Issues with HTTPS Boot Santhapur Naveen
2016-09-20 15:59 ` Palmer, Thomas
2016-09-21 13:09 ` Santhapur Naveen
2016-09-21 19:25 ` Palmer, Thomas
2016-09-22 14:06 ` Santhapur Naveen
2016-09-22 15:12 ` Samer El Haj Mahmoud
2016-09-22 18:10 ` Palmer, Thomas
2016-09-23 6:54 ` Wu, Jiaxin
2016-09-23 7:01 ` Santhapur Naveen
2016-09-26 1:46 ` Wu, Jiaxin [this message]
2016-09-30 5:26 ` Wu, Jiaxin
2016-09-30 5:29 ` Santhapur Naveen
[not found] ` <625A2455CC232F40B0F38F05ACED6D978C2F865D@VENUS1.in.megatrends.com>
2016-10-20 6:16 ` Wu, Jiaxin
2016-09-23 7:04 ` Santhapur Naveen