[ipxe-devel] trying to leverage https address but not with certificates.

Blatt, Andrew C andrew.blatt at bankofamerica.com
Tue Nov 22 23:23:08 UTC 2016 

Thanks, I will use config/local/general.h going forward.  As for downloading certchain from ca.ipxe.org, I do not have access to the internet..  Is there anyway to disable that feature? Was hoping “set crosscert x-invalid://” would do it?  Trying to leverage https but with –insecure (like with curl/wget).

From: Christian Nilsson [mailto:nikize at gmail.com]
Sent: Tuesday, November 22, 2016 6:11 PM
To: Blatt, Andrew C
Cc: ipxe-devel at lists.ipxe.org
Subject: Re: [ipxe-devel] trying to leverage https address but not with certificates.

Then i must suggest to read that ipxe.org<http://ipxe.org> url, and also include it so that it easier for others to help you.

By default ipxe https implementation downloads the certchain from ca.ipxe.org<http://ca.ipxe.org> (if i'm not missremembering)
so to double check this i would strongly suggest that you test with internet access available first so you know that testcase works and then go on to the next step to make it internal only.

again, please use config/local/general.h, and don't redefine something that is already defined by default (This will make it easier for you when there is any updates, and will minimize the risk for any future builds of ipxe to fail.)

On Tue, Nov 22, 2016 at 11:53 PM, Blatt, Andrew C <andrew.blatt at bankofamerica.com<mailto:andrew.blatt at bankofamerica.com>> wrote:
It gets an error and ipxe.org<http://ipxe.org> error, it does not hang, then fails to access the https://webserver url.  There is no network access to the internet, and I had even tried to disable that by adding:

set crosscert x-invalid:// && goto crosscert_ok || echo Setting crosscert failed
sync ; exit 1
:crosscert_ok

Not sure where I found the above example to disable crosscert check, but I gave it a try anyway.

> grep HTTP config/general.h
#define DOWNLOAD_PROTO_HTTP     /* Hypertext Transfer Protocol */
#define DOWNLOAD_PROTO_HTTPS    /* Secure Hypertext Transfer Protocol */

From: Christian Nilsson [mailto:nikize at gmail.com<mailto:nikize at gmail.com>]
Sent: Tuesday, November 22, 2016 5:47 PM
To: Blatt, Andrew C
Cc: ipxe-devel at lists.ipxe.org<mailto:ipxe-devel at lists.ipxe.org>
Subject: Re: [ipxe-devel] trying to leverage https address but not with certificates.

Do you get a error and a ipxe.org<http://ipxe.org> error URL or does it just hang?
Does the network have access to the internet (for possible download of the certificate chain)

the proper way to enable functions is to add the just needed ones to the proper config/local file, in this case adding
#define  DOWNLOAD_PROTO_HTTPS    /* Secure Hypertext Transfer Protocol */
into src/config/local/general.h

note the #define instead of $define (which should cause compilation error i hope)

/Christian

On Tue, Nov 22, 2016 at 5:59 PM, Blatt, Andrew C <andrew.blatt at bankofamerica.com<mailto:andrew.blatt at bankofamerica.com>> wrote:
Hi,

I’m trying to access a pxelinux.cfg file over HTTPS instead of HTTP:

#!ipxe
# Disable automated download of certificates since it is done against
# unauthenticated host which may lead to exploits

ifstat net0
imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/01-${net0/mac:hexhyp}<https://WEBSERVER/pxelinux.cfg/01-$%7Bnet0/mac:hexhyp%7D> && goto image_ok || goto discovery_image

:discovery_image
ifstat net0
imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/default || echo ${net0/mac}:${ip} - Boot Failed

:image_ok
imgload kernel
boot kernel

I’ve tried compiling ipxe-fd95c78 and updated config/general.h to include $define DOWNLOAD_PROTO_HTTPS but it still fails to access the URL, if I change it back to http://WEBSERVER, it works.

Any advice?

Thank you.

Andrew
________________________________
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.

_______________________________________________
ipxe-devel mailing list
ipxe-devel at lists.ipxe.org<mailto:ipxe-devel at lists.ipxe.org>
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel

________________________________
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.


----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20161122/00ca9157/attachment.htm>

More information about the ipxe-devel mailing list