[ipxe-devel] [tls] received overlength Handshake - GoDaddy certs

Sebastian Roth sebaroth at gmx.de
Fri Dec 14 17:44:05 UTC 2018


we are using iPXE to chainload from HTTPS which works fine in most cases
but fails with GoDaddy certificates. As suggested in the iPXE forums I
am going to post this to the devel list as well. Hope you don't mind me
cross posting.

Steps to reproduce:

* clone latest ipxe git repo

* enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other other
defines for your needs

* Download GoDaddy CA and intermediate cert:
https://certs.godaddy.com/repository/gdroot-g2.crt and

* embedded script:
chain https://www.godaddy.com/
(I know there is nothing to chainload there but it's just an example for
a domain using a GoDaddy cert)

* make bin/undionly.kpxe EMBED=chain DEBUG=tls

Now booting this fails with "Invalid argument
(http://ipxe.org/1c0de802)". When disabling some of the debug dump
output (src/net/tls.c line 1810) I see the last message to show TLS ...
received overlength Handshake.

If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it
proceeds but fails on TLS ... overlength certificate (src/net/tls.c line
1591)this time.

Seems like len/remaining variable is set to 4096 (iob_len) and that
truncates the long (5286 bytes) SSL handshake record / certificate.

I have looked through the code a bit but I am afraid I will break things
when I play with io buffer length stuff. Anyone an idea?

Thanks in advance,

More information about the ipxe-devel mailing list