[ipxe-devel] Validation of SSL certificates for HTTPS

Terry Burton tez at terryburton.co.uk
Thu Mar 22 16:44:54 UTC 2012


On 19 March 2012 04:25, Michael Brown <mbrown at fensystems.co.uk> wrote:
> On Tuesday 13 Mar 2012 17:51:55 Terry Burton wrote:
>> On 13 March 2012 13:22, Michael Brown <mbrown at fensystems.co.uk> wrote:
>> > On Monday 12 Mar 2012 15:25:54 Terry Burton wrote:
>> >> Is validation of HTTPS certificates (akin to this earlier patch [1]) a
>> >> feature that is on the roadmap?
>> >
>> > Yes.
>
> Done, with the exception of time and date checking (which will be implemented
> soon; at the moment even expired certificates will be accepted).
>
> Some basic instructions are in place at
>
>  http://ipxe.org/crypto
>
> iPXE embeds only the SHA-256 fingerprints of the trusted root certificates, not
> the whole certificate.  A consequence of this is that the server must currently
> provide the full certificate chain, including the root certificate and any
> cross-signing certificates.  This limitation will eventually be lifted, by
> enabling iPXE to automatically download the relevant cross-signing certificates
> when needed.

Thanks for this!

It's working perfectly well for my purposes using an embedded
self-signed certificate but I will report on success with CA-signed
(and cross-signed) certificates if we go that way.


All the best,

Terry
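
The consequence quoted above (only SHA-256 fingerprints of the roots are embedded, so the server has to send the root itself) can be checked against a server's chain file before deployment. The following is an added example, not iPXE code and not from either poster; it assumes the fingerprint is the SHA-256 of the certificate's DER encoding, uses constructed placeholder byte strings instead of real X.509 certificates, and only tests whether a trusted root is present in the chain (it does not verify signatures).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def chain_fingerprints(pem_bundle):
    """SHA-256 hex fingerprint of each certificate's DER bytes, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()
            for b64 in PEM_RE.findall(pem_bundle)]


def find_trusted_root(pem_bundle, trusted_fingerprints):
    """Index of the first chain entry whose fingerprint is trusted, else None."""
    # Accept both "AA:BB:..." and plain hex, in either case.
    trusted = {fp.replace(":", "").lower() for fp in trusted_fingerprints}
    for index, fp in enumerate(chain_fingerprints(pem_bundle)):
        if fp in trusted:
            return index
    return None


def _pem(der):
    """Wrap raw bytes in PEM armour (helper for the constructed samples)."""
    body = base64.encodebytes(der).decode().strip()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed stand-ins for DER certificates; NOT real X.509 data.
LEAF = b"constructed-leaf-der"
INTERMEDIATE = b"constructed-intermediate-der"
ROOT = b"constructed-root-der"

# What a fingerprint-only client would carry: the root's hash, not the root.
TRUSTED = [hashlib.sha256(ROOT).hexdigest().upper()]

FULL_CHAIN = _pem(LEAF) + _pem(INTERMEDIATE) + _pem(ROOT)   # root included
ROOTLESS_CHAIN = _pem(LEAF) + _pem(INTERMEDIATE)            # root omitted
SELF_SIGNED = _pem(ROOT)                                    # single trusted cert

if __name__ == "__main__":
    for name, bundle in [("full chain", FULL_CHAIN),
                         ("root omitted", ROOTLESS_CHAIN),
                         ("self-signed", SELF_SIGNED)]:
        hit = find_trusted_root(bundle, TRUSTED)
        print("%-13s -> %s" % (name, "no trusted root in chain" if hit is None
                               else "trusted root at position %d" % hit))
```

A chain file that omits the root gives a fingerprint-only client nothing to match against, which is the failure to look for when a server is configured to send only the leaf and intermediates.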


