[ipxe-devel] iPXE TLS handshake failure for messages in multiple TLS records?

Peter Wagemans pwml_no001spam at xs4all.nl
Mon Apr 10 11:27:07 UTC 2017

Dear iPXE developers,

Apologies if you feel this is not an appropriate mail for this
address. In that case please tell me where I should submit this issue

In some experiments, I tried to get iPXE to talk https to a RedHat
Satellite server. That resulted in http://ipxe.org/1c0de802, "Error:
Invalid Handshake record".

Using openssl s_client I noticed that this Satellite server does a
client certificate request with a rather large list of acceptable CA's
(about 20k) that is transferred in two TLS records. My suspicion is
that the iPXE TLS code has problems with that. If I read the code
correctly, in tls.c, for each received record, tls_new_record, for
records of type handshake, calls tls_new_handshake. That routine does

     payload_len = tls_uint24 ( &handshake->length );
     if ( payload_len > ( remaining - sizeof ( *handshake ) ) ) {
         return -EINVAL_HANDSHAKE;

which is one of the two lines with the error code in the test.

It doesn't seem to take into account that the payload_len of the
handshake message can be bigger than the received TLS record and will
continue in a subsequent TLS record. Unfortunately, that is the case
in the current setup of the tested Satellite server.

Can you confirm this theory about a handshake failure mechanism?

If the code is indeed the culprit, then a workaround is probably to
reconfigure the Satellite server to either not ask for client
certificates on the URLs that iPXE retrieves, or to configure a
smaller list of acceptable client certificate CAs.

Regards and thanks,

Peter Wagemans

More information about the ipxe-devel mailing list