From: jacopo.r00ta@gmail.com
To: devel@edk2.groups.io
Subject: [edk2-devel] SSL handshake in HTTPS boot if the certificate was signed with a root certificate
Date: Thu, 26 Oct 2023 05:37:14 -0700
Hi there,

I was trying to HTTPS boot a virtual machine with the following scenario:

1) I have a self-signed root CA root.crt and then I use it to sign another self-signed certificate myip.crt for the IP address X.X.X.X
2) I have an NGINX server configured to use SSL with the myip.crt certificate and its key.
3) I have a UEFI virtual machine configured to HTTPS boot and trust the CA certificate root.crt.

Unfortunately the machine fails in the SSL handshake step and then the UEFI config page is shown again. Using for example curl --cacert root.crt X.X.X.X it works perfectly fine (also forcing curl to use TLS 1.2).

In addition to that, if I do not use a root certificate for the server's IP (i.e. I do not build a chain of certificates), the machine boots fine.

Unfortunately I don't have a physical server to make a real test. Is this a missing feature, a bug, or am I doing it completely wrong?

Thank you very much!

View/Reply Online (#110111): https://edk2.groups.io/g/devel/message/110111
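An added, self-contained reproduction of the three-step setup in the post (example code, not the poster's nor EDK2's): it builds the root CA and the IP-address server certificate with openssl, then runs the two checks any TLS client, firmware or curl, performs before accepting the handshake, namely path validation against root.crt and matching the dialled IP against the leaf's SAN. The address 192.0.2.10, the file names under a scratch directory and OpenSSL 1.1.1 or newer are assumptions.

```shell
#!/bin/sh
# Constructed reproduction of the setup in the post: a self-signed root CA,
# a server certificate for an IP address issued by it, and the checks a TLS
# client runs before accepting the handshake. Needs OpenSSL 1.1.1 or newer.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir for keys and certs
SERVER_IP="${SERVER_IP:-192.0.2.10}"  # constructed example address

# Steps 1-2 of the post: root CA, then myip.crt issued by it for the server.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Lab Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$SERVER_IP" \
    -keyout "$WORK/myip.key" -out "$WORK/myip.csr" 2>/dev/null
  # A client verifying an https://<ip>/ URL matches the IP against an
  # iPAddress SAN, not the CN, so the SAN must be present on the leaf.
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$SERVER_IP" > "$WORK/myip.ext"
  openssl x509 -req -days 30 -sha256 -in "$WORK/myip.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/myip.ext" \
    -out "$WORK/myip.crt" 2>/dev/null
  # Step 3 enrolls root.crt in the firmware; UEFI certificate variables hold
  # DER-encoded X.509, so keep a DER copy of the CA beside the PEM one.
  openssl x509 -in "$WORK/root.crt" -outform DER -out "$WORK/root.der"
}

# Path validation only: does myip.crt chain to root.crt?
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/myip.crt" >/dev/null 2>&1
}

# What a client dialling https://$1/ checks: chain valid AND leaf SAN matches.
verify_for_ip() {
  openssl verify -CAfile "$WORK/root.crt" -verify_ip "$1" "$WORK/myip.crt" >/dev/null 2>&1
}

# Sanity check on the DER copy: it must still parse as an X.509 certificate.
der_ok() {
  openssl x509 -inform DER -in "$WORK/root.der" -noout 2>/dev/null
}

main() {
  make_chain
  chain_ok && echo "chain to root.crt: OK"
  verify_for_ip "$SERVER_IP" && echo "identity for $SERVER_IP: OK"
  if verify_for_ip 192.0.2.99; then echo "BUG: wrong IP accepted"; exit 1; fi
  der_ok && echo "DER copy of root.crt: OK"
}
main "$@"
```

If both checks pass here but the firmware still rejects the handshake, the difference lies in what the firmware was given (encoding, which certificate was enrolled) or in what the server sends, not in the chain itself.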