[ipxe-devel] SSL/TLS support in iPXE
Michael Brown
mbrown at fensystems.co.uk
Wed May 9 14:23:11 UTC 2012
On Wednesday 09 May 2012 15:08:46 Mark Gollahon wrote:
> > As of a few minutes ago, SSL/TLS support in iPXE should be working for
> > all valid HTTPS addresses. You can now use an unmodified web server
> > with a certificate issued by any public CA (Verisign, Equifax, etc.).
> > Any certificate trusted by Firefox should now be trusted by iPXE.
>
> I admit that I am a noob on this, but how will iPXE handle another
> DigiNotar? Will fresh iPXE source have to be compiled and
> re-deployed?
No; a compromised CA such as DigiNotar would not require a new iPXE binary.
Only one certificate is compiled into iPXE, which is the "iPXE root CA"
certificate. Only a compromise of _this_ certificate (or whichever alternative
root certificate you build in using TRUST=...) would require a rebuild and
redeployment.
If a public CA certificate is compromised (as with DigiNotar), then this CA
certificate will be removed from the set of cross-signed certificates hosted on
http://ca.ipxe.org/. Existing iPXE builds would no longer be able to obtain a
valid cross-signing certificate, and so would no longer trust the compromised
CA.
(At present, there is a 90-day window during which an attacker could use a
previously-issued cross-signing certificate to cause iPXE to trust the
compromised CA. This window will be reduced to a few hours once OCSP has been
implemented.)
Michael
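As an added illustration of the trust model described in the reply above (example code written for this page, not part of the original post or of iPXE itself), the following script builds a throwaway PKI with OpenSSL: a stand-in for the root CA compiled into the binary, a public CA with its own self-signed root, a 90-day cross-signing certificate for that public CA issued by the demo root (the role played by the certificates served from ca.ipxe.org), and a boot server's leaf certificate. It then verifies the leaf the way an iPXE client would, trusting only the demo root, and shows that trust hinges on the client holding a currently valid cross-signing certificate: removing it from the server changes nothing for a copy that was already issued until that copy expires, which is the window the reply says OCSP is meant to close. All names, validity periods and file paths are assumptions chosen for the demo, and the download from ca.ipxe.org is modelled by passing the cross-signing certificate on the command line as an untrusted intermediate.

```shell
#!/bin/sh
# Added example (not iPXE's own code): models the cross-signing trust chain
# with throwaway OpenSSL certificates. Names and validity periods are assumptions.
set -eu

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"

# Build the demo PKI in $DEMO_DIR:
#   root.pem  - stands in for the single "iPXE root CA" compiled into the binary
#   pubca.pem - a public CA's own self-signed root (trusted by browsers, not by iPXE)
#   cross.pem - the public CA's key, cross-signed by root.pem for 90 days
#               (what ca.ipxe.org would hand out while the CA is in good standing)
#   leaf.pem  - the HTTPS boot server's certificate, issued by the public CA
make_demo_pki() (
    cd "$DEMO_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout root.key -out root.pem -subj "/CN=Demo iPXE root CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout pubca.key -out pubca.pem -subj "/CN=Demo Public CA" 2>/dev/null

    # Cross-signing certificate: same subject and key as the public CA, but the
    # issuer is the demo root, so it bridges the public CA into iPXE's trust.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -key pubca.key -out pubca.csr -subj "/CN=Demo Public CA" 2>/dev/null
    openssl x509 -req -in pubca.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 90 -extfile ca.ext -out cross.pem 2>/dev/null

    # Leaf certificate for the boot server, issued by the public CA's own key.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:boot.example.test\n' > leaf.ext
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=boot.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA pubca.pem -CAkey pubca.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Verify leaf.pem the way an iPXE client would: the only trust anchor is
# root.pem, the system CA store is ignored, $1 is the intermediate the client
# has on hand, and $2 is the evaluation time as a Unix timestamp (default: now).
ipxe_style_verify() {
    at="${2:-$(date +%s)}"
    openssl verify -no-CAfile -no-CApath -CAfile "$DEMO_DIR/root.pem" \
        -untrusted "$DEMO_DIR/$1" -attime "$at" "$DEMO_DIR/leaf.pem" >/dev/null 2>&1
}

make_demo_pki
# Case 1: client fetched a valid cross-signing certificate -> trusted.
if ipxe_style_verify cross.pem; then
    echo "trusted:   root -> cross-signing cert -> leaf"
fi
# Case 2: cross-signing cert withdrawn; only the public CA's own root is
# available, which iPXE has no reason to trust -> rejected.
if ! ipxe_style_verify pubca.pem; then
    echo "rejected:  public CA root is not the compiled-in root"
fi
# Case 3: a previously issued cross-signing cert keeps working until it
# expires; 100 days out only cross.pem (90 days) has lapsed -> rejected.
if ! ipxe_style_verify cross.pem "$(( $(date +%s) + 100 * 86400 ))"; then
    echo "rejected:  cross-signing certificate expired (end of the 90-day window)"
fi
```

The three verifications map onto the reply's three statements: a valid cross-signing certificate chains the public CA to the built-in root, a public CA root on its own is not trusted, and a cross-signing certificate that has already been handed out stays valid until its notAfter date no matter what the server now serves, which is why the post treats the certificate lifetime as the exposure window until OCSP can revoke it sooner.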