[ipxe-devel] [tls] received overlength Handshake - GoDaddy certs

Sebastian Roth sebaroth at gmx.de
Fri Jan 18 20:19:02 UTC 2019


trying to tackle this myself I got a little further. From what I
understand the GoDaddy certificate (probably the whole chain together)
is longer than 4096 bytes causing the TLS handshake to be fragmented
into two portions as max_fragmentation_length extension is used and set
to 4096 [1]. Removing that TLS extension from the client request solves
the issue I see with GoDaddy certs right away but would leave us with a
high memory footprint as described in the commit message [1].

The issue as I see it is that iPXE proceeds with handling the first 4096
byte blob of data as TLS_CERTIFICATE handshake although more data from
the subsequent TLS record needs to be processed as well.

I am wondering that this has not been reported by anyone else so maybe I
am on the wrong track with this. But having dug through the code for
hours now I am fairly sure about it. I just don't seem to be able to fix
this by myself as I don't know the IO buffer handling and other things
involved well enough.

See below for hints on how to reproduce the issue - fairly easy.



On 12/14/2018 06:44 PM, Sebastian Roth wrote:
> Hey,
> we are using iPXE to chainload from HTTPS which works fine in most cases
> but fails with GoDaddy certificates. As suggested in the iPXE forums I
> am going to post this to the devel list as well. Hope you don't mind me
> cross posting.
> Steps to reproduce:
> * clone latest ipxe git repo
> * enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other other
> defines for your needs
> * Download GoDaddy CA and intermediate cert:
> https://certs.godaddy.com/repository/gdroot-g2.crt and
> https://certs.godaddy.com/repository/gdig2.crt.pem
> * embedded script:
> #!ipxe
> dhcp
> chain https://www.godaddy.com/
> (I know there is nothing to chainload there but it's just an example for
> a domain using a GoDaddy cert)
> * make bin/undionly.kpxe EMBED=chain DEBUG=tls
> TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem
> Now booting this fails with "Invalid argument
> (http://ipxe.org/1c0de802)". When disabling some of the debug dump
> output (src/net/tls.c line 1810) I see the last message to show TLS ...
> received overlength Handshake.
> If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it
> proceeds but fails on TLS ... overlength certificate (src/net/tls.c line
> 1591)this time.
> Seems like len/remaining variable is set to 4096 (iob_len) and that
> truncates the long (5286 bytes) SSL handshake record / certificate.
> I have looked through the code a bit but I am afraid I will break things
> when I play with io buffer length stuff. Anyone an idea?
> Thanks in advance,
> Sebastian
> _______________________________________________
> ipxe-devel mailing list
> ipxe-devel at lists.ipxe.org
> https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel

More information about the ipxe-devel mailing list