From: "Palmer, Thomas" <thomas.palmer@hpe.com>
To: Samer El Haj Mahmoud <smahmoud@lenovo.com>,
Santhapur Naveen <naveens@amiindia.co.in>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Subject: Re: Issues with HTTPS Boot
Date: Thu, 22 Sep 2016 18:10:22 +0000
Message-ID: <CS1PR84MB01512C1EFFFD2B0A45AB7FAAEDC90@CS1PR84MB0151.NAMPRD84.PROD.OUTLOOK.COM>
In-Reply-To: <54EF1A77C479D840AF005ED34A3DC6597041C6@USMAILMBX02>
Naveen,
I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...
Looking at 1.0.2h, the 0x105 reason corresponds with SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c. This would indicate that the TLS server is wanting to use a cipher that the TLS client does not want to use.
0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point so I would not expect this to be in play. (unless your server is configured for that ...)
We should confirm this error code interpretation. If you have a debugger, set a break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which openssl version are you using?
Regards,
Thomas Palmer
"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
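A decoder for the packed error code quoted in this thread, added here as an example (it is not from the original mails or from the EDK2/TlsLib code). It assumes the OpenSSL 1.0.x ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason) and the constant values ERR_LIB_SSL = 20 (0x14) and SSL_R_WRONG_CIPHER_RETURNED = 261 (0x105); the function-code field is only printed, not mapped to a name, since function codes differ between OpenSSL releases.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs an error as ERR_PACK(lib, func, reason):
 * bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
 * These mirror the ERR_GET_* macros of that release (assumption: 1.0.x layout). */
#define ERR_GET_LIB_10(e)    ((int)(((e) >> 24) & 0xffUL))
#define ERR_GET_FUNC_10(e)   ((int)(((e) >> 12) & 0xfffUL))
#define ERR_GET_REASON_10(e) ((int)((e) & 0xfffUL))

#define ERR_LIB_SSL_VALUE                20   /* ERR_LIB_SSL, 0x14 */
#define SSL_R_WRONG_CIPHER_RETURNED_VALUE 261 /* 0x105, as cited in the thread */

/* Constructed sample: the value TlsDoHandshake printed in Naveen's mail. */
#define SAMPLE_TLS_ERR 0x14171105UL

/* Format the code in the same "L14:F171:R105" style as the TlsLib DEBUG line. */
void tls_err_format(unsigned long e, char *buf, size_t n) {
    snprintf(buf, n, "L%X:F%X:R%X",
             ERR_GET_LIB_10(e), ERR_GET_FUNC_10(e), ERR_GET_REASON_10(e));
}

/* Returns 1 when the formatted code equals the expected string, else 0. */
int tls_err_format_matches(unsigned long e, const char *expected) {
    char buf[32];
    tls_err_format(e, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Returns 1 if the code is an SSL-library WRONG_CIPHER_RETURNED error:
 * the server's ServerHello named a cipher the client had not offered
 * (or did not accept), which is what the thread is chasing. */
int is_ssl_wrong_cipher_returned(unsigned long e) {
    return ERR_GET_LIB_10(e) == ERR_LIB_SSL_VALUE
        && ERR_GET_REASON_10(e) == SSL_R_WRONG_CIPHER_RETURNED_VALUE;
}

int main(void) {
    char buf[32];
    tls_err_format(SAMPLE_TLS_ERR, buf, sizeof buf);
    printf("0x%08lX = %s (wrong cipher returned: %s)\n", SAMPLE_TLS_ERR, buf,
           is_ssl_wrong_cipher_returned(SAMPLE_TLS_ERR) ? "yes" : "no");
    return 0;
}
```

Note that the function field of 0x14171105 is 0x171, not 0x105; the reason field is the one that matches SSL_R_WRONG_CIPHER_RETURNED, so checking the client's offered suites against the server's selection is the first thing to verify.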
-----Original Message-----
From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
Sent: Thursday, September 22, 2016 10:12 AM
To: Santhapur Naveen <naveens@amiindia.co.in>; Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot
Naveen,
Are you using the latest code from the edk2-staging branch?
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Thursday, September 22, 2016 7:07 AM
To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot
Hi Thomas,
Regarding your previous question about the server certificates, please find my response as below:
Do you have the appropriate certificate installed in UEFI for the target TLS server?
Yes, I do have the appropriate certificate installed on my server. I have followed section 2.2, titled "Self-Generated Certificate", in the white paper to generate the certificates.
I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
If I'm missing anything anywhere, would you please provide your comments.
Thank you,
Naveen
-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Thursday, September 22, 2016 12:56 AM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot
From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.
Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.
Also, are you able to see any DEBUG statements from TlsLib.c?
Regards,
Thomas Palmer
"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
-----Original Message-----
From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
Sent: Wednesday, September 21, 2016 8:09 AM
To: Palmer, Thomas <thomas.palmer@hpe.com>; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot
Hi Thomas,
Regarding my previous mail, after the TCP handshake, the client says Hello to the server and the server replies with its Hello to the client with TLSv1.
The client says hello with the following cipher suites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
For the Client Hello, Server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.
After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?
Thanks,
Naveen
-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Tuesday, September 20, 2016 9:30 PM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot
Naveen,
I cannot see attachments on this email.
What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.
Regards,
Thomas Palmer
"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Tuesday, September 20, 2016 6:42 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Issues with HTTPS Boot
Hello All,
Since the HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.
Thank you,
Naveen
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel