[ipxe-devel] https with letsencrypt certificate

Tamas Baumgartner-Kis tbk-ipxe at yals.de
Thu Oct 4 18:29:20 UTC 2018


Hi,

OK, this is because I used hiawatha as the webserver and hiawatha is very
conservative with the ssl cipher.

I tried lighttpd with the intermediate profile from:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=lighttpd-1.4.50&openssl=1.0.1e&hsts=no&profile=intermediate

```
lighttpd 1.4.50 | intermediate profile | OpenSSL 1.0.1e | 
Oldest compatible clients : Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
Windows XP IE8, Android 2.3, Java 7

... 

ssl.cipher-list           =
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

```

With this ssl cipher setup it's working fine out of the box with a letsencrypt
certificate.

Regards
   Tamas
  

On 03/10/18 at 02:59pm, Tamas Baumgartner-Kis wrote:
>Hi,
>
>I try to set up https for ipxe but I fail with the DEBUG=tls error:
>
>TLS 0x865b0228 received fatal alert 40
>
>and PXE error:
>
>Operation not permitted (http://ipxe.org/410de18f)
>
>I enable the HTTPS protocol.
>
>My webserver uses a letsencrypt certificate and, as I understand the instructions
>in https://ipxe.org/crypto:
>
>>In the default configuration, iPXE will [...] automatically trust the same set
>>of certificates as the Firefox web browser.
>
>this should work because Firefox trusts the "DST ROOT CA X3" (letsencrypt).
>
>Regards
>    Tamas
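
Added example, not part of the original thread and not iPXE or lighttpd code: a small check that compares a server's explicit OpenSSL-style cipher list with a client's suite list and reports either the suite the server would pick or alert 40 (handshake_failure), the alert seen in the debug output above. The client list, the strict server list and server-side preference order are assumptions; substitute the suites your iPXE build and webserver actually offer.

```python
"""Predict a TLS handshake outcome from the two cipher lists alone."""

HANDSHAKE_FAILURE = 40  # TLS alert number for handshake_failure (RFC 5246)

# Assumption: a client limited to RSA key exchange with AES-CBC suites.
ASSUMED_CLIENT = ["AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA"]

# Excerpt of the intermediate profile quoted in the mail, original order kept.
INTERMEDIATE_EXCERPT = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)

# Constructed stand-in for a conservative server that only allows ECDHE + AEAD.
STRICT_CONSTRUCTED = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"


def parse_cipher_list(spec):
    """Return the ordered suite names of an explicit cipher string.

    Only explicit names and '!' exclusions by exact name are handled.
    Keywords (HIGH, @STRENGTH, ...) are not expanded, so '!DSS' is a no-op
    here, which is harmless for lists that name no DSS suite.
    """
    names, excluded = [], set()
    for token in (t.strip() for t in spec.split(":")):
        if token.startswith("!"):
            excluded.add(token[1:])
        elif token and token not in names:
            names.append(token)
    return [n for n in names if n not in excluded]


def handshake_result(server_spec, client_suites):
    """Return ("ok", suite) by server preference, or ("alert", 40) if disjoint."""
    offered = set(client_suites)
    for suite in parse_cipher_list(server_spec):
        if suite in offered:
            return ("ok", suite)
    return ("alert", HANDSHAKE_FAILURE)


if __name__ == "__main__":
    for label, spec in (("intermediate", INTERMEDIATE_EXCERPT),
                        ("strict", STRICT_CONSTRUCTED)):
        print(label, handshake_result(spec, ASSUMED_CLIENT))
```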


