[ipxe-devel] [tls] received overlength Handshake - GoDaddy certs

Karim Malhas karim at malhas.de
Sun Jan 20 11:56:00 UTC 2019

Just to add some anecdotal evidence: 

I use ipxe to boot via https from two servers that share the exact same 
certificates. They run debian unstable, and when I upgraded one of them 
(but not the other) the other day, it received an openssl update and ipxe 
stopped working with this problem. 

I looked into the code a little and I've also come to the conclusion 
that it has "Something to do with TLS record fragmentation", but that's 
really as far as my understanding of it goes. 

It didn't help that the Wireshark TLS dissector also seems to have some
bugs[0][1] displaying these records.

$ ssh a.example.com openssl version
OpenSSL 1.1.1a  20 Nov 2018

$ ssh b.example.com openssl version
OpenSSL 1.1.0g  2 Nov 2017 (Library: OpenSSL 1.1.1  11 Sep 2018)


[0] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3303
[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15043

On Fri, Dec 14, 2018 at 06:44:05PM +0100, Sebastian Roth wrote:
> Hey,
> we are using iPXE to chainload from HTTPS which works fine in most cases
> but fails with GoDaddy certificates. As suggested in the iPXE forums I
> am going to post this to the devel list as well. Hope you don't mind me
> cross posting.
> Steps to reproduce:
> * clone latest ipxe git repo
> * enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other
> defines for your needs
> * Download GoDaddy CA and intermediate cert:
> https://certs.godaddy.com/repository/gdroot-g2.crt and
> https://certs.godaddy.com/repository/gdig2.crt.pem
> * embedded script:
> #!ipxe
> dhcp
> chain https://www.godaddy.com/
> (I know there is nothing to chainload there but it's just an example for
> a domain using a GoDaddy cert)
> * make bin/undionly.kpxe EMBED=chain DEBUG=tls
> TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem
> Now booting this fails with "Invalid argument
> (http://ipxe.org/1c0de802)". When disabling some of the debug dump
> output (src/net/tls.c line 1810) I see the last message to show TLS ...
> received overlength Handshake.
> If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it
> proceeds but fails on TLS ... overlength certificate (src/net/tls.c line
> 1591) this time.
> Seems like the len/remaining variable is set to 4096 (iob_len) and that
> truncates the long (5286 bytes) SSL handshake record / certificate.
> I have looked through the code a bit but I am afraid I will break things
> when I play with io buffer length stuff. Anyone have an idea?
> Thanks in advance,
> Sebastian
> _______________________________________________
> ipxe-devel mailing list
> ipxe-devel at lists.ipxe.org
> https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel


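What "TLS record fragmentation" means for the failure described in this thread, as an added example that is not iPXE code and not part of either message: the TLS record layer carries at most 2^14 bytes per record, and RFC 5246 section 6.2.1 allows a single handshake message (such as a 5286-byte Certificate) to be split across several records, and several messages to be coalesced into one. A reader that treats each record as self-contained will report a message longer than its record as "overlength". The code below contrasts such a per-record parser with a reassembler that buffers handshake bytes across records. The Certificate message, the 4096-byte split point and the trailing ServerHelloDone are constructed test data chosen to mirror the sizes quoted in the thread; the body is filler, not a real DER chain.

```c
/* Added example, not iPXE code: a TLS 1.2 record reader that reassembles
 * handshake messages split across records, beside a per-record parser
 * that rejects a message larger than the record carrying it. The server
 * flight below is constructed: a 5286-byte Certificate split at 4096 bytes
 * with ServerHelloDone coalesced into the tail of the second record. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS_TYPE_HANDSHAKE  22
#define TLS_HS_CERTIFICATE  11
#define TLS_HS_SERVER_DONE  14
#define TLS_MAX_RECORD      16384u   /* 2^14 plaintext bytes per record */
#define HS_BUF_MAX          65536u   /* cap on buffered handshake bytes */
#define CERT_BODY_LEN       5282u    /* 4-byte header + body = 5286 bytes */
#define SPLIT_AT            4096u    /* handshake bytes in the first record */

struct hs_msg { uint8_t type; uint32_t len; };

struct hs_reassembler {
    uint8_t buf[HS_BUF_MAX];  /* handshake bytes not yet consumed */
    size_t len;
    struct hs_msg msgs[8];    /* complete messages seen so far */
    int nmsgs;
};

/* Feed one TLS record (5-byte header + body). Returns the number of
 * handshake messages completed by this record, or -1 on a malformed
 * record or buffer exhaustion. Non-handshake records are ignored. */
static int hs_feed_record(struct hs_reassembler *r, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 5) return -1;
    size_t body_len = ((size_t)rec[3] << 8) | rec[4];
    if (body_len > TLS_MAX_RECORD || rec_len != 5 + body_len) return -1;
    if (rec[0] != TLS_TYPE_HANDSHAKE) return 0;
    if (r->len + body_len > HS_BUF_MAX) return -1;
    memcpy(r->buf + r->len, rec + 5, body_len);
    r->len += body_len;
    int delivered = 0;
    /* Drain every message whose full length has arrived; a partial one
     * stays buffered until the next record completes it. */
    while (r->len >= 4) {
        uint32_t msg_len = ((uint32_t)r->buf[1] << 16) |
                           ((uint32_t)r->buf[2] << 8) | r->buf[3];
        if (r->len < 4 + msg_len) break;
        if (r->nmsgs < 8) {
            r->msgs[r->nmsgs].type = r->buf[0];
            r->msgs[r->nmsgs].len = msg_len;
            r->nmsgs++;
        }
        r->len -= 4 + msg_len;
        memmove(r->buf, r->buf + 4 + msg_len, r->len);
        delivered++;
    }
    return delivered;
}

/* Per-record parser with no reassembly: the message must fit inside the
 * record that starts it, otherwise it is reported as overlength (-1). */
static int naive_parse_record(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 5 + 4) return -1;
    size_t remaining = ((size_t)rec[3] << 8) | rec[4];
    const uint8_t *hs = rec + 5;
    uint32_t msg_len = ((uint32_t)hs[1] << 16) | ((uint32_t)hs[2] << 8) | hs[3];
    if (4 + msg_len > remaining) return -1;   /* "overlength Handshake" */
    return (int)msg_len;
}

static size_t make_record(uint8_t *out, const uint8_t *body, size_t body_len)
{
    out[0] = TLS_TYPE_HANDSHAKE; out[1] = 3; out[2] = 3;   /* TLS 1.2 */
    out[3] = (uint8_t)(body_len >> 8); out[4] = (uint8_t)body_len;
    memcpy(out + 5, body, body_len);
    return 5 + body_len;
}

/* Constructed flight: Certificate + ServerHelloDone as handshake bytes,
 * then wrapped into two records at SPLIT_AT. */
static uint8_t g_hs[4 + CERT_BODY_LEN + 4];
static uint8_t g_rec1[5 + TLS_MAX_RECORD], g_rec2[5 + TLS_MAX_RECORD];
static size_t g_rec1_len, g_rec2_len;

static void build_flight(void)
{
    g_hs[0] = TLS_HS_CERTIFICATE;
    g_hs[1] = (uint8_t)(CERT_BODY_LEN >> 16);
    g_hs[2] = (uint8_t)(CERT_BODY_LEN >> 8);
    g_hs[3] = (uint8_t)CERT_BODY_LEN;
    for (size_t i = 0; i < CERT_BODY_LEN; i++) g_hs[4 + i] = (uint8_t)(i * 7);
    size_t done = 4 + CERT_BODY_LEN;
    g_hs[done] = TLS_HS_SERVER_DONE;
    g_hs[done + 1] = g_hs[done + 2] = g_hs[done + 3] = 0;
    g_rec1_len = make_record(g_rec1, g_hs, SPLIT_AT);
    g_rec2_len = make_record(g_rec2, g_hs + SPLIT_AT, sizeof g_hs - SPLIT_AT);
}

/* Runs both records through the reassembler; returns messages completed. */
static int run_scenario(struct hs_reassembler *r)
{
    build_flight();
    memset(r, 0, sizeof *r);
    int n1 = hs_feed_record(r, g_rec1, g_rec1_len);   /* 0: Certificate still partial */
    int n2 = hs_feed_record(r, g_rec2, g_rec2_len);   /* 2: Certificate + ServerHelloDone */
    if (n1 < 0 || n2 < 0) return -1;
    return n1 + n2;
}

static struct hs_reassembler g_r;

int demo_message_count(void) { return run_scenario(&g_r); }
int demo_cert_len(void) { return run_scenario(&g_r) > 0 ? (int)g_r.msgs[0].len : -1; }
int demo_trailing_type(void) { return run_scenario(&g_r) == 2 ? g_r.msgs[1].type : -1; }
int demo_naive(void) { build_flight(); return naive_parse_record(g_rec1, g_rec1_len); }

int main(void)
{
    printf("reassembled: %d messages, Certificate body %d bytes, trailing type %d\n",
           demo_message_count(), demo_cert_len(), demo_trailing_type());
    printf("per-record parser on first record: %d\n", demo_naive());
    return 0;
}
```

The reassembler keeps a single buffer of handshake-layer bytes across records and only parses a message once its declared length has fully arrived, so the same loop handles a message split over several records and several small messages packed into one record. The cap on buffered bytes is the check a practitioner would want: without it a peer could declare a huge handshake length and make the client accumulate records indefinitely.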