[ipxe-devel] trying to leverage https address but not with certificates.

Christian Nilsson nikize at gmail.com
Tue Nov 22 23:11:00 UTC 2016


Then I must suggest reading that ipxe.org URL, and also including it so that
it is easier for others to help you.

By default the iPXE HTTPS implementation downloads the cert chain from
ca.ipxe.org (if I'm not misremembering),
so to double-check this I would strongly suggest that you test with
internet access available first so you know that test case works, and then go
on to the next step to make it internal only.

Again, please use config/local/general.h, and don't redefine something that
is already defined by default. (This will make it easier for you when there
are any updates, and will minimize the risk of any future builds of iPXE
failing.)

On Tue, Nov 22, 2016 at 11:53 PM, Blatt, Andrew C <
andrew.blatt at bankofamerica.com> wrote:

> It gets an error and ipxe.org error, it does not hang, then fails to
> access the https://webserver url.  There is no network access to the
> internet, and I had even tried to disable that by adding:
>
> set crosscert x-invalid:// && goto crosscert_ok || echo Setting crosscert failed
> sync ; exit 1
> :crosscert_ok
>
> Not sure where I found the above example to disable crosscert check, but I
> gave it a try anyway.
>
> > grep HTTP config/general.h
> #define DOWNLOAD_PROTO_HTTP     /* Hypertext Transfer Protocol */
> #define DOWNLOAD_PROTO_HTTPS    /* Secure Hypertext Transfer Protocol */
>
> *From:* Christian Nilsson [mailto:nikize at gmail.com]
> *Sent:* Tuesday, November 22, 2016 5:47 PM
> *To:* Blatt, Andrew C
> *Cc:* ipxe-devel at lists.ipxe.org
> *Subject:* Re: [ipxe-devel] trying to leverage https address but not with
> certificates.
>
>
>
> Do you get an error and an ipxe.org error URL, or does it just hang?
>
> Does the network have access to the internet (for possible download of the
> certificate chain)?
>
>
>
> The proper way to enable functions is to add just the needed ones to the
> proper config/local file, in this case adding
>
> #define  DOWNLOAD_PROTO_HTTPS    /* Secure Hypertext Transfer Protocol */
>
> into src/config/local/general.h
>
>
>
> Note the #define instead of $define (which should cause a compilation error,
> I hope).
>
>
>
> /Christian
>
>
>
> On Tue, Nov 22, 2016 at 5:59 PM, Blatt, Andrew C <
> andrew.blatt at bankofamerica.com> wrote:
>
> Hi,
>
>
>
> I’m trying to access a pxelinux.cfg file over HTTPS instead of HTTP:
>
> #!ipxe
> # Disable automated download of certificates since it is done against
> # unauthenticated host which may lead to exploits
>
> ifstat net0
> imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/01-${net0/mac:hexhyp} && goto image_ok || goto discovery_image
>
> :discovery_image
> ifstat net0
> imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/default || echo ${net0/mac}:${ip} - Boot Failed
>
> :image_ok
> imgload kernel
> boot kernel
>
> I’ve tried compiling ipxe-fd95c78 and updated config/general.h to include
> $define DOWNLOAD_PROTO_HTTPS but it still fails to access the URL, if I
> change it back to http://WEBSERVER, it works.
>
>
>
> Any advice?
>
>
>
> Thank you.
>
>
>
> Andrew
> ------------------------------
>
> This message, and any attachments, is for the intended recipient(s) only,
> may contain information that is privileged, confidential and/or proprietary
> and subject to important terms and conditions available at
> http://www.bankofamerica.com/emaildisclaimer. If you are not the intended
> recipient, please delete this message.
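
The three configuration points raised in this thread (use config/local/general.h, write #define rather than $define, and do not repeat what the default header already defines) can be checked before building. The script below is an added example, not part of the original messages or of iPXE itself; the function name check_ipxe_config, its output labels, and the two sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: lint iPXE config headers for the three
# points raised above. SRC is the iPXE src/ directory.
DEF='^[[:space:]]*#[[:space:]]*define[[:space:]]+'
END='([^A-Za-z0-9_]|$)'

# check_ipxe_config SRC: print findings; return 0 only when nothing is flagged.
check_ipxe_config() {
    base="$1/config/general.h"; loc="$1/config/local/general.h"; rc=0
    for f in "$base" "$loc"; do
        [ -f "$f" ] || continue
        # "$define" is not a preprocessor directive, so the option never takes effect
        if grep -Eq '^[[:space:]]*\$define' "$f"; then
            echo "TYPO: \$define in ${f#"$1"/}"; rc=1
        fi
    done
    # Local header repeating a macro the default header already defines
    if [ -f "$base" ] && [ -f "$loc" ]; then
        for m in $(sed -En "s/${DEF}([A-Za-z_][A-Za-z0-9_]*).*/\1/p" "$loc"); do
            if grep -Eq "${DEF}${m}${END}" "$base"; then
                echo "REDEFINED: $m"; rc=1
            fi
        done
    fi
    # HTTPS support needs a real #define in one of the two headers
    # (a later #undef overriding it is not checked here)
    if ! cat "$base" "$loc" 2>/dev/null | grep -Eq "${DEF}DOWNLOAD_PROTO_HTTPS${END}"; then
        echo "MISSING: DOWNLOAD_PROTO_HTTPS is not enabled"; rc=1
    fi
    return $rc
}

# Constructed sample trees (stand-ins, not real iPXE headers)
make_tree() {   # make_tree DIR LOCAL_HEADER_TEXT
    mkdir -p "$1/config/local"
    printf '%s\n' '#define DOWNLOAD_PROTO_HTTP' '#undef DOWNLOAD_PROTO_HTTPS' \
        > "$1/config/general.h"
    printf '%s\n' "$2" > "$1/config/local/general.h"
}
tmp=$(mktemp -d)
make_tree "$tmp/bad" '$define DOWNLOAD_PROTO_HTTPS
#define DOWNLOAD_PROTO_HTTP'
make_tree "$tmp/good" '#define DOWNLOAD_PROTO_HTTPS'
check_ipxe_config "$tmp/bad" || echo "bad tree: fix the findings above"
check_ipxe_config "$tmp/good" && echo "good tree: clean"
```

Run against a real checkout as check_ipxe_config /path/to/ipxe/src; a build that silently lacks HTTPS support will fail every https:// fetch regardless of certificate setup.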