[ipxe-devel] TLS error "Operation not permitted 410de13c"

Roman Gorshunov paye600 at gmail.com
Mon Jun 4 16:17:02 UTC 2018


Michael,

iPXE 1.0.0+ (960d1), it is a few days old, and definitely older than 1e4a3f5ba.
I believe I've found where the problem is. I have enabled debug in iPXE, and
there were the following messages shown on a console:

> Received plaintext data:
> 000f56a2 : 02 28                                   : .(
> TLS 0xf5b24 received fatal alert 40

TLS "02 28" means that no matching cipher was found.
According to https://ipxe.org/crypto, iPXE supports the following cipher suites:
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
The server we are running supports the following cipher sets:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
So we have at least one matching combination of block cipher (AES_128_CBC) and
hash (SHA256) algorithms, but non-matching key exchange algorithms
(RSA & ECDHE_RSA). I will have to think about what to do with that now.
Most probably I will add the RSA key exchange algorithm to the server.

Are there any plans to add ECDHE_RSA? Also, SHA hashing is considered weak
and probably could be dropped.

Thank you very much for your support and have a great week.

Best regards,
--
Roman Gorshunov

On Thu, May 31, 2018 at 9:49 PM, Michael Brown <mcb30 at ipxe.org> wrote:
> On 31/05/18 20:00, Roman Gorshunov wrote:
>>
>> Kernel and initrd files served via HTTPS by JFrog Artifactory running
>> in docker/kubernetes. Service is proxied by ingress controller
>> (nginx). SSL certificate is valid, but iPXE prints an error and does
>> not load files:
>>
>> TLS 0xf7074 received fatal alert 40
>> Operation not permitted (http://ipxe.org/410de13c)
>
>
> The error URI indicates that the server has sent an explicit fatal error.
> There should therefore be something in the server logs to indicate why the
> server has chosen to do this.
>
> Which iPXE git commit are you using?  (It will be printed as part of the
> startup banner.)  If it's older than
> http://git.ipxe.org/ipxe.git/commitdiff/1e4a3f5ba then updating may solve
> your problem.
>
> Michael
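The diagnosis Roman walks through above, as an added example (not code from the thread or from iPXE): decode the two-byte alert shown in the debug dump and intersect the two cipher-suite lists quoted in the mail, splitting each suite into key exchange, cipher and MAC so the output shows which component fails to match. The alert codes are taken from RFC 5246; the suite lists are the ones quoted in the mail.

```python
"""Decode the iPXE TLS alert and locate the cipher-suite mismatch from the thread."""
from dataclasses import dataclass

# Alert levels/descriptions (RFC 5246, section 7.2); 40 (0x28) is handshake_failure.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      70: "protocol_version", 71: "insufficient_security"}

def parse_alert(plaintext: bytes) -> tuple[str, str]:
    """Decode a two-byte Alert message such as the '02 28' in the iPXE debug dump."""
    if len(plaintext) != 2:
        raise ValueError("a TLS Alert message is exactly two bytes: level, description")
    level, description = plaintext
    return (ALERT_LEVELS.get(level, f"unknown({level})"),
            ALERT_DESCRIPTIONS.get(description, f"unknown({description})"))

@dataclass(frozen=True)
class Suite:            # the three parts of a suite name that must all match
    key_exchange: str
    cipher: str
    mac: str

def parse_suite(name: str) -> Suite:
    """Split e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (TLS_ prefix optional)."""
    key_exchange, rest = name.removeprefix("TLS_").split("_WITH_")
    cipher, mac = rest.rsplit("_", 1)
    return Suite(key_exchange, cipher, mac)

def diagnose(client_suites, server_suites):
    """Suites both sides share, plus near misses: same cipher and MAC, different
    key exchange. An empty 'negotiable' list is exactly what produces alert 40."""
    client = {parse_suite(s) for s in client_suites}
    server = {parse_suite(s) for s in server_suites}
    negotiable = sorted(f"{s.key_exchange}_WITH_{s.cipher}_{s.mac}"
                        for s in client & server)
    near_misses = sorted((c.key_exchange, s.key_exchange, c.cipher, c.mac)
                         for c in client for s in server
                         if (c.cipher, c.mac) == (s.cipher, s.mac)
                         and c.key_exchange != s.key_exchange)
    return {"negotiable": negotiable, "near_misses": near_misses}

# The two lists quoted in the mail: iPXE's suites (per https://ipxe.org/crypto)
# and the server's configured suites.
IPXE_SUITES = ["RSA_WITH_AES_256_CBC_SHA256", "RSA_WITH_AES_128_CBC_SHA256",
               "RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA"]
SERVER_SUITES = ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]
```

Running `diagnose(IPXE_SUITES, SERVER_SUITES)` yields no negotiable suite and a single near miss on AES_128_CBC/SHA256 differing only in RSA versus ECDHE_RSA; appending an RSA_WITH_AES_128_CBC_SHA256 suite to the server list, as proposed in the mail, makes that suite negotiable.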
