From: "Wu, Jiaxin"
To: Santhapur Naveen, "Palmer, Thomas", Samer El Haj Mahmoud, edk2-devel@lists.01.org
Subject: Re: Issues with HTTPS Boot
Date: Mon, 26 Sep 2016 01:46:07 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B727413889597@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <625A2455CC232F40B0F38F05ACED6D978C2C2DE7@VENUS1.in.megatrends.com>
List-Id: EDK II Development

Naveen,

The version in edk2-staging is openssl-1.0.2g; I can't reproduce the failure case in the latest branch. From the limited debug information, I'm not sure whether it's a compatibility issue with openssl-1.0.2h. It is also possible that your server configuration is incorrect. Anyway, I will try openssl-1.0.2h. But before that, please make sure all the HTTPS related patches have been synced to your platform (from edk2-staging version: 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).

Thanks,
Jiaxin

> -----Original Message-----
> From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> Sent: Friday, September 23, 2016 3:01 PM
> To: Wu, Jiaxin; Palmer, Thomas; Samer El Haj Mahmoud; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Hi Jiaxin,
>
> The openssl version I have been using is 1.0.2h and the cipher returned
> by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
>
> Thanks,
> Naveen
>
> -----Original Message-----
> From: Wu, Jiaxin [mailto:jiaxin.wu@intel.com]
> Sent: Friday, September 23, 2016 12:25 PM
> To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello().
> L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED, but
> for F171, I can't find the corresponding error function represented. Can you tell
> us the openssl version your platform used, and what cipher was returned in the
> Server Hello?
>
> Thanks,
> Jiaxin
>
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Palmer, Thomas
> > Sent: Friday, September 23, 2016 2:10 AM
> > To: Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Issues with HTTPS Boot
> >
> > Naveen,
> >
> > I may be interpreting this OpenSSL error code incorrectly, so if
> > anyone has experience with this please chime in ...
> >
> > Looking at 1.0.2h, the 0x105 reason corresponds with
> > SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c.
> > This would indicate that the TLS server is wanting to use a cipher
> > that the TLS client does not want to use.
> >
> > 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ...
> > but we don't support client certificates or DTLS at this point so I
> > would not expect this to be in play. (Unless your server is
> > configured for that ...)
> >
> > We should confirm this error code interpretation. If you have a
> > debugger, set a break point for each instance of
> > SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which
> > openssl version are you using?
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > "I have only made this letter longer because I have not had the time
> > to make it shorter" - Blaise Pascal
> >
> > -----Original Message-----
> > From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
> > Sent: Thursday, September 22, 2016 10:12 AM
> > To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > Are you using the latest code from the edk2-staging branch?
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> > Sent: Thursday, September 22, 2016 7:07 AM
> > To: Palmer, Thomas; edk2-devel@lists.01.org
> > Subject: Re: [edk2] Issues with HTTPS Boot
> >
> > Hi Thomas,
> >
> > Regarding your previous question about the server certificates,
> > please find my response below:
> >
> > Do you have the appropriate certificate installed in UEFI for the
> > target TLS server?
> > Yes, I do have the appropriate certificate installed on my server. I
> > have followed section 2.2, titled "Self-Generated Certificate", in
> > the white paper to generate the certificates.
> >
> > I have debugged a bit further and went inside TlsConnectSession() to
> > see where exactly it is failing and I found out that it fails in
> > TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the
> > error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> >
> > If I'm missing anything anywhere, would you please provide your
> > comments.
> >
> > Thank you,
> > Naveen
> >
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Thursday, September 22, 2016 12:56 AM
> > To: Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > From what you describe, it sounds like they should not have an issue
> > negotiating TLS version and cipher.
> >
> > Do you have the appropriate certificate installed in UEFI for the target TLS
> > server? Either we need the 3rd party CA that signed the web server certificate,
> > or you could install the self-signed certificate of the web server.
> >
> > Also, are you able to see any DEBUG statements from TlsLib.c?
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > -----Original Message-----
> > From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
> > Sent: Wednesday, September 21, 2016 8:09 AM
> > To: Palmer, Thomas; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Hi Thomas,
> >
> > Regarding my previous mail, after the TCP handshake, the client says Hello to
> > the server and the server replies with its Hello to the client with TLSv1.
> >
> > The client says Hello with the following cipher suites:
> >
> > 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> >
> > For the Client Hello, the server responds with its Hello and chooses
> > TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an
> > acknowledgement to the server and then immediately sends RST.
> >
> > After some debugging, it was found that it fails in TlsConnectSession().
> > Would you please provide your comments on this?
> >
> > Thanks,
> > Naveen
> >
> > -----Original Message-----
> > From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
> > Sent: Tuesday, September 20, 2016 9:30 PM
> > To: Santhapur Naveen; edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > I cannot see attachments on this email.
> >
> > What TLS versions and ciphers does your web server support?
> > Depending on when you built the UEFI image, your server may need to
> > have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed
> > at the top of TlsLib.c.
> >
> > Regards,
> >
> > Thomas Palmer
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
> > Sent: Tuesday, September 20, 2016 6:42 AM
> > To: edk2-devel@lists.01.org
> > Subject: [edk2] Issues with HTTPS Boot
> >
> > Hello All,
> >
> > Since HTTPS Boot came into the picture, I was very enthusiastic to try it.
> > I configured the server as explained in the white paper
> > https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> >
> > But when I try to go for an HTTPS boot, it stops after the TCP handshake.
> > Attached is the Wireshark log. Please help me out and also let me know
> > if any other details are needed.
> >
> > Thank you,
> > Naveen
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
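The thread turns on reading the packed OpenSSL error 0x14171105 (logged by TlsLib as L14:F171:R105) and on whether the suite the server picked was one the client offered. The following is an added example, not edk2 or OpenSSL code: it splits the code into its library, function and reason fields using the same bit layout as OpenSSL 1.0.2's ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros (8, 12 and 12 bits), names the two constants the thread identifies (ERR_LIB_SSL is 20 and SSL_R_WRONG_CIPHER_RETURNED is 261 in OpenSSL's headers), and checks the server's 0x002f choice against the Client Hello list quoted above. It needs no OpenSSL headers; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* OpenSSL 1.0.2 packs an error as (lib << 24) | (func << 12) | reason.
 * These mirror its ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON macros. */
#define ERR_LIB_OF(e)    ((unsigned)(((e) >> 24) & 0xffUL))
#define ERR_FUNC_OF(e)   ((unsigned)(((e) >> 12) & 0xfffUL))
#define ERR_REASON_OF(e) ((unsigned)((e) & 0xfffUL))

/* The two OpenSSL constants the thread identifies (values from err.h / ssl.h). */
#define ERR_LIB_SSL                 20
#define SSL_R_WRONG_CIPHER_RETURNED 261

/* Example's own container for the three decoded fields. */
struct err_parts { unsigned lib, func, reason; };

struct err_parts decode_err(unsigned long e)
{
    struct err_parts p = { ERR_LIB_OF(e), ERR_FUNC_OF(e), ERR_REASON_OF(e) };
    return p;
}

/* Render the code the way the TlsDoHandshake DEBUG line does: "L14:F171:R105". */
int format_err(unsigned long e, char *buf, size_t n)
{
    struct err_parts p = decode_err(e);
    return snprintf(buf, n, "L%X:F%X:R%X", p.lib, p.func, p.reason);
}

/* True when the packed code renders to the given log string. */
int err_string_is(unsigned long e, const char *expected)
{
    char buf[32];
    format_err(e, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

const char *lib_name(unsigned lib)
{
    return lib == ERR_LIB_SSL ? "ERR_LIB_SSL" : "(other library)";
}

/* Only the reason named in the thread is tabulated here; the reason field is
 * 12 bits wide, so a value like 0x105 can never be confused with a function code. */
const char *reason_name(unsigned reason)
{
    return reason == SSL_R_WRONG_CIPHER_RETURNED ? "SSL_R_WRONG_CIPHER_RETURNED"
                                                 : "(not in this table)";
}

/* Cipher suites from the Client Hello quoted in the thread, as IANA code points. */
static const uint16_t kClientHelloSuites[] = { 0x0039, 0x0033, 0x0035, 0x002f, 0x00ff };
#define NUM_CLIENT_SUITES (sizeof kClientHelloSuites / sizeof kClientHelloSuites[0])

/* Returns 1 if the suite the server chose was in the client's offer. The SCSV
 * pseudo-suite 0x00ff is a signalling value and is never a valid selection. */
int cipher_was_offered(const uint16_t *offered, size_t n, uint16_t chosen)
{
    if (chosen == 0x00ff)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (offered[i] == chosen)
            return 1;
    return 0;
}

int main(void)
{
    unsigned long code = 0x14171105UL;   /* value from the TlsDoHandshake DEBUG line */
    struct err_parts p = decode_err(code);
    char text[32];

    format_err(code, text, sizeof text);
    printf("%s -> lib %u (%s), func %u, reason %u (%s)\n",
           text, p.lib, lib_name(p.lib), p.func, p.reason, reason_name(p.reason));
    printf("server chose 0x002f; offered by client: %s\n",
           cipher_was_offered(kClientHelloSuites, NUM_CLIENT_SUITES, 0x002f) ? "yes" : "no");
    return 0;
}
```

Running it shows the reason is 261 (SSL_R_WRONG_CIPHER_RETURNED) in library 20 (SSL), with function code 369, and that 0x002f was indeed in the client's offer. A function code that is not found in the headers of the OpenSSL version being read is a sign to check which OpenSSL sources the firmware was actually built against, since function numbering is version specific.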