[ipxe-devel] iPXE TLS handshake failure for messages in multiple TLS records?
Michael Brown
mcb30 at ipxe.org
Tue Apr 11 12:21:05 UTC 2017
On 10/04/17 12:27, Peter Wagemans wrote:
> It doesn't seem to take into account that the payload_len of the
> handshake message can be bigger than the received TLS record and will
> continue in a subsequent TLS record. Unfortunately, that is the case
> in the current setup of the tested Satellite server.
>
> Can you confirm this theory about a handshake failure mechanism?
Your theory is correct. iPXE does not support fragmentation reassembly
of non-data records. We could potentially add this feature.
> If the code is indeed the culprit, then a workaround is probably to
> reconfigure the Satellite server to either not ask for client
> certificates on the URLs that iPXE retrieves,
That can't work since you don't know the URL until after the handshake
has completed. (If you are using a completely different virtual host
then you could use the SNI to trigger this behaviour.)
> or to configure a smaller list of acceptable client certificate CAs.
That should work.
Michael
More information about the ipxe-devel
mailing list