[ipxe-devel] Error 410de18f
Michael Brown
mcb30 at ipxe.org
Sun Aug 2 13:26:10 UTC 2015

On 01/08/15 16:14, Beima, Charlie wrote:
> IU uses a Brocade Stingray load balancer in front of their web server, both of which I do not manage, and I don't think the IU admins will wish to investigate this issue, so getting the server logs is going to be all but impossible. I was able to get things working via HTTP, but you narrowed it down to a TLSv1.2 handshake issue.

I have identified the root cause. Your web server requires the use of
SHA-384 (which is not one of the standard hash algorithms mandated by
TLSv1.2), and is failing with iPXE for two reasons:

- iPXE does not include the (optional) signature_algorithms extension in
  the ClientHello. This is now fixed in commit
  http://git.ipxe.org/ipxe.git/commitdiff/fc7885e

- iPXE does not support the use of the SHA-512 family (including
  SHA-384) for TLS.

We do now have support for the SHA-512 family of digest algorithms in
iPXE, since they were added to support PeerDist (BranchCache) content
encoding. There's a thread a few months ago where the option of
supporting these for TLS was discussed:

http://lists.ipxe.org/pipermail/ipxe-devel/2015-May/004228.html

Michael
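
Added example, not part of the original message and not iPXE code: a diagnostic that reads a captured TLSv1.2 ClientHello and reports which hash algorithms the server may sign with, covering both failure reasons described above. The function names and the sample ClientHello bytes are constructed for illustration; the code points and the SHA-1 default for an absent extension are from RFC 5246 section 7.4.1.4.1.

```python
import struct

# RFC 5246 section 7.4.1.4.1 code points
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13

def build_client_hello(sig_algs=None):
    """Constructed sample: minimal TLSv1.2 ClientHello handshake message."""
    body = b"\x03\x03" + bytes(32)            # client_version, random (zeroed)
    body += b"\x00"                           # empty session_id
    body += struct.pack("!HH", 2, 0x003D)     # one suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    body += b"\x01\x00"                       # null compression only
    if sig_algs is not None:
        pairs = b"".join(bytes(p) for p in sig_algs)
        data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_sig_algs(hello):
    """Return [(hash, sig), ...] from signature_algorithms, or None if absent."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(hello[1:4], "big")
    if end > len(hello):
        raise ValueError("truncated ClientHello")
    pos = 4 + 2 + 32                          # skip header, version and random
    pos += 1 + hello[pos]                     # session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + hello[pos]                     # compression_methods
    if pos >= end:
        return None                           # no extensions block at all
    pos += 2                                  # skip total extensions length
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            n = int.from_bytes(hello[pos:pos + 2], "big")
            raw = hello[pos + 2:pos + 2 + n]
            return [(HASHES.get(h, h), SIGS.get(s, s)) for h, s in zip(raw[::2], raw[1::2])]
        pos += ext_len
    return None

def effective_hashes(hello, server_key="rsa"):
    """Hashes the server may sign with; SHA-1 is implied when the extension is absent."""
    offered = offered_sig_algs(hello)
    if offered is None:
        return {"sha1"}
    return {h for h, s in offered if s == server_key}
```

A server that insists on SHA-384 has nothing acceptable to choose when `effective_hashes()` lacks `"sha384"`, whether because the extension is missing or because the client does not list the SHA-512 family.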