From: "Palmer, Thomas" <thomas.palmer@hpe.com>
To: Samer El Haj Mahmoud; Santhapur Naveen; edk2-devel@lists.01.org
Date: Thu, 22 Sep 2016 18:10:22 +0000
Subject: Re: Issues with HTTPS Boot
List-Id: EDK II Development

Naveen,

I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...

Looking at 1.0.2h, the 0x105 reason corresponds with SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c. This would indicate that the TLS server is wanting to use a cipher that the TLS client does not want to use.
0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point so I would not expect this to be in play. (unless your server is configured for that ...)

We should confirm this error code interpretation. If you have a debugger, set a break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement.

Which openssl version are you using?

Regards,
Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: Samer El Haj Mahmoud [mailto:smahmoud@lenovo.com]
Sent: Thursday, September 22, 2016 10:12 AM
To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

Are you using the latest code from the edk2-staging branch?

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Thursday, September 22, 2016 7:07 AM
To: Palmer, Thomas; edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot

Hi Thomas,

Regarding your previous question about the server certificates, please find my response as below:

Do you have the appropriate certificate installed in UEFI for the target TLS server?

Yes, I do have the appropriate certificate installed on my server. I have followed the section 2.2 titled "Self-Generated Certificate" in the white paper to generate the certificates.

I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing and I found out like it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".

If I'm missing anything anywhere, would you please provide your comments.
Thank you,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Thursday, September 22, 2016 12:56 AM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.

Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.

Also, are you able to see any DEBUG statements from TlsLib.c?

Regards,
Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: Santhapur Naveen [mailto:naveens@amiindia.co.in]
Sent: Wednesday, September 21, 2016 8:09 AM
To: Palmer, Thomas; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Hi Thomas,

Regarding my previous mail, after TCP handshake, Client says Hello to server and the Server replies its Hello to the client with TLSv1.

Client says hello with the following Cipher Suites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

For the Client Hello, Server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.

After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?
Thanks,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.palmer@hpe.com]
Sent: Tuesday, September 20, 2016 9:30 PM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

I cannot see attachments on this email.

What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.

Regards,
Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Santhapur Naveen
Sent: Tuesday, September 20, 2016 6:42 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Issues with HTTPS Boot

Hello All,

Since the HTTPS Boot came into picture, I was very enthusiastic to try it. I configured the server as-is explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers

But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.

Thank you,
Naveen

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
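The two technical points in the thread above are (a) how the packed OpenSSL error code 0x14171105 breaks down into the L14:F171:R105 fields that TlsLib prints, and (b) what the SSL_R_WRONG_CIPHER_RETURNED reason actually means: in OpenSSL 1.0.2's ssl3_get_server_hello() the client raises it when the ServerHello names a suite that was not in the client's configured list, or a suite the client had masked out for the negotiated protocol version (SHA-256 suites below TLS 1.2). The following C program is an added example written for this page; it is not code from the thread, from TlsLib.c or from OpenSSL. The error-code bit layout, ERR_LIB_SSL (20) and SSL_R_WRONG_CIPHER_RETURNED (261) are the OpenSSL 1.0.2 definitions, re-declared here with a trailing underscore so the file builds without OpenSSL headers. The suite table, the "minimum version" rule standing in for OpenSSL's internal cipher masks, and the second configured list (kSha256Config) are constructed for illustration; the ClientHello suite list and the server's 0x002f choice are the values Naveen quoted.

```c
/*
 * Added example (not from the edk2 thread, TlsLib.c or OpenSSL):
 *  1. split an OpenSSL 1.0.x packed error code such as 0x14171105 into its
 *     library / function / reason fields;
 *  2. mirror the two ServerHello checks in 1.0.2's ssl3_get_server_hello()
 *     that raise SSL_R_WRONG_CIPHER_RETURNED, and run them against the
 *     cipher list and server choice quoted in the thread.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OpenSSL 1.0.x error code layout (crypto/err/err.h): LL FFF RRR in hex. */
#define ERR_GET_LIB_(e)    (((e) >> 24) & 0xffUL)
#define ERR_GET_FUNC_(e)   (((e) >> 12) & 0xfffUL)
#define ERR_GET_REASON_(e) ((e) & 0xfffUL)

/* Values from the OpenSSL 1.0.2 headers (err.h / ssl.h). */
#define ERR_LIB_SSL_                 20UL   /* 0x14 */
#define SSL_R_WRONG_CIPHER_RETURNED_ 261UL  /* 0x105 */

/* Protocol versions as carried on the wire. */
#define TLS1_0_VERSION_ 0x0301
#define TLS1_2_VERSION_ 0x0303

struct err_fields { unsigned long lib, func, reason; };

struct err_fields decode_openssl_err(unsigned long e)
{
    struct err_fields f = { ERR_GET_LIB_(e), ERR_GET_FUNC_(e), ERR_GET_REASON_(e) };
    return f;
}

/* 1 if the code is the SSL library's "server picked a cipher we did not offer". */
int is_wrong_cipher_returned(unsigned long e)
{
    return ERR_GET_LIB_(e) == ERR_LIB_SSL_ &&
           ERR_GET_REASON_(e) == SSL_R_WRONG_CIPHER_RETURNED_;
}

/* Constructed suite table: IANA id, name, lowest protocol version the suite is
 * legal for. SHA-256 suites are TLS 1.2 only; OpenSSL masks them out of a
 * ClientHello whose maximum version is lower, which is what the second check
 * below stands in for. */
struct suite { uint16_t id; const char *name; uint16_t min_version; };

static const struct suite kSuites[] = {
    { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",  TLS1_0_VERSION_ },
    { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",  TLS1_0_VERSION_ },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",      TLS1_0_VERSION_ },
    { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA",      TLS1_0_VERSION_ },
    { 0x003c, "TLS_RSA_WITH_AES_128_CBC_SHA256",   TLS1_2_VERSION_ },
    { 0x00ff, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", TLS1_0_VERSION_ },
};

static const struct suite *lookup_suite(uint16_t id)
{
    for (size_t i = 0; i < sizeof kSuites / sizeof kSuites[0]; i++)
        if (kSuites[i].id == id)
            return &kSuites[i];
    return NULL;
}

/*
 * Mirror of the ServerHello cipher validation. "configured" is the client's
 * configured cipher list (what SSL_set_cipher_list allowed), which is what
 * OpenSSL compares against; suites it silently dropped for the version are
 * caught by the second test. Returns 0 when acceptable, otherwise the reason
 * code the client would raise.
 */
unsigned long check_server_hello(const uint16_t *configured, size_t n_configured,
                                 uint16_t negotiated_version, uint16_t chosen)
{
    int found = 0;
    for (size_t i = 0; i < n_configured; i++)
        if (configured[i] == chosen) { found = 1; break; }
    if (!found)                       /* we never said we would use this cipher */
        return SSL_R_WRONG_CIPHER_RETURNED_;

    const struct suite *s = lookup_suite(chosen);
    if (s && negotiated_version < s->min_version)   /* disabled for this version */
        return SSL_R_WRONG_CIPHER_RETURNED_;
    return 0;
}

/* The ClientHello from the thread, and a constructed list that also carries a
 * SHA-256 suite to exercise the version check. */
static const uint16_t kThreadClientHello[] = { 0x0039, 0x0033, 0x0035, 0x002f, 0x00ff };
static const size_t   kThreadClientHelloLen = sizeof kThreadClientHello / sizeof kThreadClientHello[0];
static const uint16_t kSha256Config[] = { 0x003c, 0x002f };
static const size_t   kSha256ConfigLen = sizeof kSha256Config / sizeof kSha256Config[0];

int main(void)
{
    struct err_fields f = decode_openssl_err(0x14171105UL);
    printf("0x14171105 -> lib=%lu func=%lu reason=%lu wrong_cipher=%d\n",
           f.lib, f.func, f.reason, is_wrong_cipher_returned(0x14171105UL));
    printf("thread capture, server chose 0x002f at TLS1.0 -> reason %lu\n",
           check_server_hello(kThreadClientHello, kThreadClientHelloLen, TLS1_0_VERSION_, 0x002f));
    printf("server chose 0x003c (SHA256) at TLS1.0 -> reason %lu\n",
           check_server_hello(kSha256Config, kSha256ConfigLen, TLS1_0_VERSION_, 0x003c));
    return 0;
}
```

Running it against Naveen's capture is instructive: the server's choice (0x002f) is in the offered list and is legal for TLS 1.0, so the first failing path does not fire on that input. That leaves the version-mask path, or a client whose configured list differs from what the capture shows, which is why Thomas's advice to break on each SSLerr site for SSL_R_WRONG_CIPHER_RETURNED (and to confirm the OpenSSL version the image was built against, since function and reason numbers are version-specific) is the right next step rather than guessing from the packet trace alone.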