<div dir="ltr"><div>FWIW, I took a tentative swing at at least IPv4 iPAddress subjectAltName support on top of the patches you did:<br><a href="https://git.ipxe.org/vendor/xcat/ipxe.git/commitdiff/e4a9069fe792f702d24bf725586fb209f8faf541">https://git.ipxe.org/vendor/xcat/ipxe.git/commitdiff/e4a9069fe792f702d24bf725586fb209f8faf541</a><br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Nov 25, 2013 at 2:12 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>Are there any other comments or concerns with this patchset? I'd love to see it merged.</div>
<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Nov 12, 2013 at 12:08 PM, Kevin Landreth <span dir="ltr"><<a href="mailto:crackerjackmack@gmail.com" target="_blank">crackerjackmack@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">This is working great for me using a StartCom Class 2 wildcard certificate with alternate names. I only applied patches 1 and 4 though. Seems like patches 2 and 3 are unrelated to the SSL parts? I did not test with a non-wildcard, non-alternate name cert.<div>
<br></div><div>Tested on master with this build</div><div>CA: <a href="https://www.startssl.com/certs/ca.pem" target="_blank">https://www.startssl.com/certs/ca.pem</a> & <a href="https://www.startssl.com/certs/sub.class2.client.ca.pem" target="_blank">https://www.startssl.com/certs/sub.class2.client.ca.pem</a></div>
<div>make -s EMBED=~/work/media.ipxe TRUST=~/work/trust/ca.pem,~/work/trust/sub.class2.server.ca.pem<br></div><div><br></div><div>media.ipxe:</div><div>#!ipxe</div><div>dhcp</div><div>chain <a href="https://cdn.ubooty.org/bootstrap.ipxe" target="_blank">https://cdn.ubooty.org/bootstrap.ipxe</a><br>
</div><div><br></div><div>At any rate, thank you for this.<span><font color="#888888"><br><div class="gmail_extra"><br></div><div class="gmail_extra">- Kevin Landreth</div></font></span><div><div>
<div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 12, 2013 at 9:53 AM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Whoops, mail client ate the attachment. Should be attached (really!) this time.<div>
<br></div><div>Sincerely,</div><div>-Alex</div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Fri, Nov 8, 2013 at 3:45 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr">Hi all,<div><br></div>
<div>I found the bug that was preventing certificate validation for certs without sAN from working. I've corrected the patchset (attached). (The bug was that the extension was incorrectly always being flagged as enabled even if the parse failed.)</div>
<div><br></div><div>Please let me know if you find any further issues.</div><div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">
<div>
On Fri, Nov 1, 2013 at 4:33 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr">Can you reproduce against a public cert so that I can test with it? That code path should be getting called unless the extension is being detected, and this seems to imply the cert claims its presence but does not have any values.<div>
<br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Fri, Nov 1, 2013 at 4:31 PM, Jarrod Johnson <span dir="ltr"><<a href="mailto:jarrod.b.johnson@gmail.com" target="_blank">jarrod.b.johnson@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr"><div>So I found a bug; it's probably easy to fix, but I've about burned out my brain making TLS work in EFI mode.<br>
<br>assert(((&cert->extensions.subject_alt_name.names))->prev != NULL) failed at net/tls.c line 2449<br>
assert(((&cert->extensions.subject_alt_name.names))->next != NULL) failed at net/tls.c line 2449<br>assert(((&cert->extensions.subject_alt_name.names))->next->prev == ((&cert->extensions.subject_alt_name.names))) failed at net/tls.c line 2449<br>
assert(((&cert->extensions.subject_alt_name.names))->prev->next == ((&cert->extensions.subject_alt_name.names))) failed at net/tls.c line 2449<br>assert((((&cert->extensions.subject_alt_name.names)->next)) != NULL) failed at net/tls.c line 2449<br>
<br></div>My cert has no alt names.<br></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Fri, Nov 1, 2013 at 1:10 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div dir="ltr">Hi,<div><br></div><div>
I'm still interested in getting these patches merged, so I'd appreciate review comments.</div>
<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div></div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote"><div>On Tue, Oct 15, 2013 at 4:31 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
<div dir="ltr">Just finished testing the OCSP patch, it applies on top of the previous 3, hence the 4/4 in the subject.<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div></div><div><div>
<div class="gmail_extra"><br><br>
<div class="gmail_quote"><div>On Tue, Oct 15, 2013 at 4:16 PM, Alex Chernyakhovsky <span dir="ltr"><<a href="mailto:achernya@google.com" target="_blank">achernya@google.com</a>></span> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div>
<div dir="ltr">Hi Ken,<div><br></div><div>You're correct, looks like I typo'd something while preparing the patches. Here's an updated copy of the patchset. I've also found an issue in the OCSP code while doing this testing, a patch likely forthcoming.</div>
<div><br></div><div>Sincerely,</div><div>-Alex</div><div><br></div></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Tue, Oct 15, 2013 at 2:13 PM, Ken Simon <span dir="ltr"><<a href="mailto:ninkendo@gmail.com" target="_blank">ninkendo@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>Alex,<br>
<br>
I think there's a typo in your implementation of dns_wildcard_matcher:<br>
<br>
+ const char* first_dot = strchr (dns, '*') ;<br>
<br>
you probably want:<br>
<br>
+ const char* first_dot = strchr (dns, '.') ;<br>
<br>
Fixing the patch in that way I was able to get wildcard certificates<br>
to work with iPXE.<br>
<br>
--<br>
Ken<br>
_______________________________________________<br>
ipxe-devel mailing list<br>
</div><a href="mailto:ipxe-devel@lists.ipxe.org" target="_blank">ipxe-devel@lists.ipxe.org</a><br>
<a href="https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel" target="_blank">https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br></blockquote></div><br></div></div></div></div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br></div>
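The wildcard dNSName check that Ken's strchr fix refers to, written out as an added example; this is hypothetical code, not iPXE's implementation and not the patchset under review, and the function name x509_name_matches plus the RFC 6125-style restrictions (wildcard only as the whole leftmost label, matching exactly one label, suffix of at least two labels) are assumptions of mine:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical wildcard dNSName matcher (added example; not iPXE's code and not
 * the patch under review). It follows the idea in the thread: split the
 * presented host name at its FIRST '.', and compare the remainder with the
 * certificate name's suffix after "*.". The strchr(dns, '*') typo Ken found
 * would locate the wildcard itself rather than that label boundary, so the
 * suffix comparison could never line up.
 * Defensive assumptions beyond the thread (RFC 6125 style): the wildcard must
 * be the entire leftmost label, it matches exactly one non-empty label, and
 * the suffix must hold at least two labels (so "*.com" is rejected).
 * Returns 1 on match, 0 otherwise. */
int x509_name_matches(const char *cert_name, const char *host)
{
    /* Non-wildcard names must match exactly (DNS names are case-insensitive). */
    if (strncmp(cert_name, "*.", 2) != 0)
        return strcasecmp(cert_name, host) == 0;
    const char *suffix = cert_name + 1;           /* e.g. ".example.com" */
    /* Refuse over-broad wildcards: the suffix needs at least two dots. */
    int dots = 0;
    for (const char *p = suffix; *p; p++)
        if (*p == '.')
            dots++;
    if (dots < 2)
        return 0;
    /* Boundary of the host's leftmost label: this is the '.' to search for. */
    const char *first_dot = strchr(host, '.');
    if (first_dot == NULL || first_dot == host)
        return 0;                                 /* no label or empty label */
    /* As first_dot is the first dot, the consumed label holds no dots, so
     * "a.b.example.com" cannot match "*.example.com". */
    return strcasecmp(first_dot, suffix) == 0;
}

int main(void)
{
    /* Constructed (certificate name, presented host) pairs. */
    const char *pairs[][2] = {
        { "*.example.com", "www.example.com" },   /* match */
        { "*.example.com", "a.b.example.com" },   /* reject: two labels */
        { "*.example.com", "example.com" },       /* reject: no label */
        { "*.com",         "foo.com" },           /* reject: too broad */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-15s %-16s -> %s\n", pairs[i][0], pairs[i][1],
               x509_name_matches(pairs[i][0], pairs[i][1]) ? "match" : "reject");
    return 0;
}
```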