[ipxe-devel] [tls] received overlength Handshake - GoDaddy certs
Sebastian Roth
sebaroth at gmx.de
Fri Dec 14 17:44:05 UTC 2018
Hey,
we are using iPXE to chainload from HTTPS, which works fine in most cases
but fails with GoDaddy certificates. As suggested in the iPXE forums, I
am going to post this to the devel list as well. Hope you don't mind me
cross-posting.
Steps to reproduce:
* clone latest ipxe git repo
* enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other
defines for your needs
* Download GoDaddy CA and intermediate cert:
https://certs.godaddy.com/repository/gdroot-g2.crt and
https://certs.godaddy.com/repository/gdig2.crt.pem
* embedded script:
#!ipxe
dhcp
chain https://www.godaddy.com/
(I know there is nothing to chainload there but it's just an example for
a domain using a GoDaddy cert)
* make bin/undionly.kpxe EMBED=chain DEBUG=tls
TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem
Now booting this fails with "Invalid argument
(http://ipxe.org/1c0de802)". When disabling some of the debug dump
output (src/net/tls.c line 1810), I see that the last message shown is "TLS ...
received overlength Handshake".
If I comment out/skip the "return -EINVAL_HANDSHAKE" in line 1811, it
proceeds but fails with "TLS ... overlength certificate" (src/net/tls.c line
1591) this time.
It seems like the len/remaining variable is set to 4096 (iob_len), and that
truncates the long (5286 bytes) SSL handshake record / certificate.
I have looked through the code a bit, but I am afraid I will break things
when I play with the I/O buffer length stuff. Does anyone have an idea?
Thanks in advance,
Sebastian
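The failure mode described in the report (a Certificate message whose declared length exceeds the bytes available in one receive buffer, rejected as "overlength") is a general TLS parsing pitfall: RFC 5246 section 6.2.1 allows a single Handshake message to span several TLS records, and a record can in turn arrive in several I/O buffers, so a Handshake parser has to buffer fragments until the 3-byte declared length is satisfied rather than require each fragment to carry a whole message. The following is an added example written for this page, not code from the original post and not iPXE's own tls.c; the function names, the reassembly structure, the HS_MAX_LEN sanity cap and the 0xAA placeholder certificate body are all assumptions made for illustration. It places a naive one-fragment parser, which fails exactly on the 4096/5286 split from the report, beside a reassembling parser that recovers the message.

```c
/*
 * Added example, not iPXE source: reassembling a TLS 1.2 Handshake message
 * that arrives split across TLS record fragments or receive buffers.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_CONTENT_HANDSHAKE 22
#define TLS_HS_CERTIFICATE 11
#define TLS_RECORD_HDR_LEN 5
#define TLS_HS_HDR_LEN 4
/* Assumed sanity cap on one Handshake message (protocol max is 2^24-1). */
#define HS_MAX_LEN (1u << 20)

struct hs_reasm {
	uint8_t *buf;       /* pending, not yet complete Handshake bytes */
	size_t len, cap;
	unsigned complete;  /* complete messages delivered so far */
	uint8_t last_type;  /* type and body length of the last complete one */
	size_t last_len;
};

/* Naive parser: one fragment must hold the whole message. Returns body
 * length, or -1 ("overlength") when the declared length exceeds the fragment. */
static long hs_parse_naive(const uint8_t *frag, size_t flen)
{
	if (flen < TLS_HS_HDR_LEN)
		return -1;
	size_t mlen = ((size_t)frag[1] << 16) | ((size_t)frag[2] << 8) | frag[3];
	if (mlen > flen - TLS_HS_HDR_LEN)
		return -1;
	return (long)mlen;
}

/* Reassembling parser: append a Handshake-record payload and deliver every
 * message whose declared length is now fully buffered. 0 ok, -1 error. */
static int hs_feed(struct hs_reasm *r, const uint8_t *frag, size_t flen)
{
	if (r->len + flen > r->cap) {
		uint8_t *nb = realloc(r->buf, r->len + flen);
		if (!nb)
			return -1;
		r->buf = nb;
		r->cap = r->len + flen;
	}
	memcpy(r->buf + r->len, frag, flen);
	r->len += flen;

	for (;;) {
		if (r->len < TLS_HS_HDR_LEN)
			return 0;          /* header still incomplete */
		size_t mlen = ((size_t)r->buf[1] << 16) |
			      ((size_t)r->buf[2] << 8) | r->buf[3];
		if (mlen > HS_MAX_LEN)
			return -1;         /* refuse absurd allocations */
		if (r->len < TLS_HS_HDR_LEN + mlen)
			return 0;          /* wait for the next record */
		r->last_type = r->buf[0];
		r->last_len = mlen;
		r->complete++;
		r->len -= TLS_HS_HDR_LEN + mlen;
		memmove(r->buf, r->buf + TLS_HS_HDR_LEN + mlen, r->len);
	}
}

/* Wrap a Handshake fragment in one TLS record (type 22, version 3.3). */
static size_t tls_record_wrap(uint8_t *out, const uint8_t *frag, size_t flen)
{
	out[0] = TLS_CONTENT_HANDSHAKE;
	out[1] = 3; out[2] = 3;
	out[3] = (uint8_t)(flen >> 8); out[4] = (uint8_t)flen;
	memcpy(out + TLS_RECORD_HDR_LEN, frag, flen);
	return TLS_RECORD_HDR_LEN + flen;
}

/* Scenario from the report: a 5286-byte Certificate body delivered as a
 * 4096-byte fragment followed by the remainder. Returns 1 when the
 * reassembler recovers it while the naive parser rejects the first fragment. */
static int demo_split_certificate(void)
{
	enum { BODY = 5286, FIRST = 4096 };
	uint8_t msg[TLS_HS_HDR_LEN + BODY];
	msg[0] = TLS_HS_CERTIFICATE;
	msg[1] = (BODY >> 16) & 0xff; msg[2] = (BODY >> 8) & 0xff; msg[3] = BODY & 0xff;
	memset(msg + TLS_HS_HDR_LEN, 0xAA, BODY);  /* constructed placeholder body */

	uint8_t rec1[TLS_RECORD_HDR_LEN + FIRST];
	uint8_t rec2[TLS_RECORD_HDR_LEN + sizeof msg - FIRST];
	size_t r1 = tls_record_wrap(rec1, msg, FIRST);
	size_t r2 = tls_record_wrap(rec2, msg + FIRST, sizeof msg - FIRST);

	/* Naive parser: declared 5286 > 4092 bytes available in the fragment. */
	int naive_fails = hs_parse_naive(rec1 + TLS_RECORD_HDR_LEN, r1 - TLS_RECORD_HDR_LEN) < 0;

	struct hs_reasm r = {0};
	int ok = hs_feed(&r, rec1 + TLS_RECORD_HDR_LEN, r1 - TLS_RECORD_HDR_LEN) == 0 &&
		 r.complete == 0 &&  /* nothing delivered after the first fragment */
		 hs_feed(&r, rec2 + TLS_RECORD_HDR_LEN, r2 - TLS_RECORD_HDR_LEN) == 0 &&
		 r.complete == 1 && r.last_type == TLS_HS_CERTIFICATE &&
		 r.last_len == BODY && r.len == 0;
	free(r.buf);
	return naive_fails && ok;
}

int main(void)
{
	printf("split Certificate reassembled: %s\n",
	       demo_split_certificate() ? "yes" : "no");
	return 0;
}
```

The point of the reassembler is that the only size a fragment is checked against is the declared Handshake length plus a fixed sanity cap, never the size of whatever receive buffer happened to deliver it; a real implementation would also bound the total pending bytes per connection so a peer cannot hold memory open with a never-completed message.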