From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+110111+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id EE080D80477
	for <rebecca@openfw.io>; Thu, 26 Oct 2023 14:59:51 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=7D3Gxb8bGXLrzxuZszBj2dZ4BIFw+aPFHa+vSuaAlYk=;
 c=relaxed/simple; d=groups.io;
 h=Subject:To:From:User-Agent:MIME-Version:Date:Message-ID:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type;
 s=20140610; t=1698332390; v=1;
 b=GTJAdtW67K7niEVo6d8IlCHKVJxTx5cIuC/If2GRP016PD3EHtNF1vp4A5R9FrhoAnGWLsbd
 rRnRK9ugdUTBLs30czqOo5pXdyrgHi7qD/sNNGxyYv5hQD+N8NgjQE2MBRAQHJR6fIOtSACP3vV
 W2LzS+x5sS97x+1D7r60fpag=
X-Received: by 127.0.0.2 with SMTP id GRgoYY7687511x5zmP1ixrTw; Thu, 26 Oct 2023 07:59:50 -0700
Subject: [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate
To: devel@edk2.groups.io
From: jacopo.r00ta@gmail.com
X-Originating-Location: IT (95.231.171.15)
X-Originating-Platform: Linux Firefox 118
User-Agent: GROUPS.IO Web Poster
MIME-Version: 1.0
Date: Thu, 26 Oct 2023 05:37:14 -0700
Message-ID: <gdKm.1698323834004760222.k6a5@groups.io>
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,jacopo.r00ta@gmail.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: W5XuyR1Y3imycUsQM2NnTfQWx7686176AA=
Content-Type: multipart/alternative; boundary="ovT03uxm94I1FSBRZ4lz"
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=GTJAdtW6;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=gmail.com (policy=none)

--ovT03uxm94I1FSBRZ4lz
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi there,

I was trying to HTTPs boot a virtual machine with the following scenario:

1) I have a self signed root CA root.crt and then I use it to sign another =
self signed certificate myip.crt for the IP address X.X.X.X
2) I have an NGINX server configured to use SSL with the myip.crt certifica=
te and its key.
3) I have a UEFI virtual machine configured to HTTPs boot and trust the CA =
certificate root.crt.

Unfortunately the machine fails in the SSL handshake step and then the UEFI=
 config page is shown again. Using for example curl --cacert root.crt X.X.X=
.X it works perfectly fine (also forcing curl to use tls 1.2).

In addition to that, if I do not use a root certificate for the server's IP=
 (i.e. I do not build a chain of certificates), the machine boots fine.

Unfortunately I don't have a physical server to make a real test. Is this a=
 missing feature, a bug, or am I doing it completely wrong?

Thank you very much!


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110111): https://edk2.groups.io/g/devel/message/110111
Mute This Topic: https://groups.io/mt/102201552/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-



--ovT03uxm94I1FSBRZ4lz
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Hi there, <br /><br />I was trying to HTTPs boot a virtual machine with =
the following scenario:</p>
<p>1) I have a self signed root CA <em>root.crt </em>and then I use it to s=
ign another self signed certificate <em>myip.crt </em>for the IP address X.=
X.X.X<br />2) I have an NGINX server configured to use SSL with the <em>myi=
p.crt </em>certificate and its key.<br />3) I have a UEFI virtual machine c=
onfigured to HTTPs boot and trust the CA certificate <em>root.crt </em>.</p=
>
<p>Unfortunately the machine fails in the SSL handshake step and then the U=
EFI config page is shown again. Using for example <em>curl --cacert root.cr=
t X.X.X.X </em>it works perfectly fine (also forcing curl to use tls 1.2).<=
/p>
<p>In addition to that, if I do not use a root certificate for the server's=
 IP (i.e. I do not build a chain of certificates), the machine boots fine.<=
/p>
<p>Unfortunately I don't have a physical server to make a real test. Is thi=
s a missing feature, a bug, or am I doing it completely wrong?</p>
<p>Thank you very much!</p>


<div width=3D"1" style=3D"color:white;clear:both">_._,_._,_</div>
<hr>


Groups.io Links:<p>


 =20
    You receive all messages sent to this group.
 =20
 =20


<p>
<a target=3D"_blank" href=3D"https://edk2.groups.io/g/devel/message/110111"=
>View/Reply Online (#110111)</a> |


 =20

|

  <a target=3D"_blank" href=3D"https://groups.io/mt/102201552/7686176">Mute=
 This Topic</a>


| <a href=3D"https://edk2.groups.io/g/devel/post">New Topic</a>

<br>




<a href=3D"https://edk2.groups.io/g/devel/editsub/7686176">Your Subscriptio=
n</a> |
<a href=3D"mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> |

<a href=3D"https://edk2.groups.io/g/devel/unsub">Unsubscribe</a>

 [rebecca@openfw.io]<br>
<div width=3D"1" style=3D"color:white;clear:both">_._,_._,_</div>


--ovT03uxm94I1FSBRZ4lz--