Naveen,

For error code L14:F171:R105, it seems it did not fail in
ssl3_get_server_hello(). L14 means SSL lib error, R105 means
SSL_R_WRONG_CIPHER_RETURNED, but for F171, I can't find the corresponding error
function. Can you tell us the OpenSSL version your platform used?
And what's the cipher returned from the server hello?


Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud <smahm...@lenovo.com>; Santhapur Naveen
> <nave...@amiindia.co.in>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> 
> Naveen,
> 
> I may be interpreting this OpenSSL error code incorrectly, so if anyone has
> experience with this please chime in ...
> 
> Looking at 1.02.h,  the 0x105 reason corresponds with
> SSL_R_WRONG_CIPHER_RETURNED.  This happens in two places in s3_clnt.c.
> This would indicate that the TLS server is wanting to use a cipher that the
> TLS client does not want to use.
> 
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but
> we don't support client certificates or DTLS at this point so I would not
> expect this to be in play.  (unless your server is configured for that ...)
> 
> We should confirm this error code interpretation.  If you have a debugger,
> set a breakpoint for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a
> print statement.  Which openssl version are you using?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time to make
> it shorter" - Blaise Pascal
> 
> 
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahm...@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen <nave...@amiindia.co.in>; Palmer, Thomas
> <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> Are you using the latest code from the edk2-staging branch?
> 
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
> 
> Hi Thomas,
> 
>       Regarding your previous question about the server certificates, please
> find my response as below:
> 
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server?
>       Yes, I do have the appropriate certificate installed on my server. I
> have followed section 2.2, titled "Self-Generated Certificate", in the white
> paper to generate the certificates.
> 
>       I have debugged a bit further and went inside TlsConnectSession() to
> see where exactly it is failing, and I found that it fails in TlsDoHandshake()
> and gives PROTOCOL ERROR. To be precise, it gives the error "TlsDoHandshake
> ERROR 0x14171105=L14:F171:R105".
> 
>       If I'm missing anything anywhere, would you please provide your
> comments.
> 
> Thank you,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> 
> From what you describe, it sounds like they should not have an issue
> negotiating TLS version and cipher.
> 
> 
> Do you have the appropriate certificate installed in UEFI for the target TLS
> server?   Either we need the 3rd party CA that signed the web server
> certificate, or you could install the self-signed certificate of the web
> server.
> 
> Also, are you able to see any DEBUG statements from TlsLib.c?
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time to make
> it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: Santhapur Naveen [mailto:nave...@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Hi Thomas,
> 
>       Regarding my previous mail, after TCP handshake, Client Says Hello to
> server and the Server replies its Hello to the client with TLSv1.
> 
> Client says hello with the following Cipher Suites:
> 
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> 
>       For the Client Hello, Server responds with its Hello and chooses
> TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an
> acknowledgement to the server and then immediately sends RST.
> 
>       After some debugging, it was found that it fails in TlsConnectSession().
> Would you please provide your comments on this?
> 
> 
> Thanks,
> Naveen
> 
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
>       I cannot see attachments on this email.
> 
>       What TLS versions and ciphers does your web server support?
> Depending on when you built the UEFI image, your server may need to have
> TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top
> of TlsLib.c.
> 
> 
> Regards,
> 
> Thomas Palmer
> 
> "I have only made this letter longer because I have not had the time to make
> it shorter" - Blaise Pascal
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of
> Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
> 
> Hello All,
> 
>           Since HTTPS Boot came into the picture, I was very enthusiastic to
> try it. I configured the server as explained in the white paper
> https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> 
>           But when I try to go for an HTTPS boot, it stops after the TCP
> handshake. Attached is the Wireshark log. Please help me out and also let me
> know if any other details are needed.
> 
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
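
Added example, not part of the original thread and not edk2 or OpenSSL code: it unpacks the logged 0x14171105 with the same shifts and masks as ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON in OpenSSL 1.0.x/1.1.x, prints each field in decimal as well (the form OpenSSL's headers use for these constants), and checks the ServerHello suite against the ClientHello list quoted above. The names `unpack_err`, `parse_lfr` and `suite_offered` are made up for this example.

```c
#include <stdio.h>

/* Fields of a packed OpenSSL 1.0.x/1.1.x error code (ERR_PACK layout). */
struct ossl_err { unsigned lib, func, reason; };

/* Same shifts and masks as ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON. */
static struct ossl_err unpack_err(unsigned long code)
{
    struct ossl_err e;
    e.lib    = (unsigned)((code >> 24) & 0xffUL);
    e.func   = (unsigned)((code >> 12) & 0xfffUL);
    e.reason = (unsigned)(code & 0xfffUL);
    return e;
}

/* Parse the "L14:F171:R105" form, whose digits are hex. Returns 0 on success. */
static int parse_lfr(const char *s, struct ossl_err *out)
{
    unsigned l, f, r;
    char tail;
    if (sscanf(s, "L%x:F%x:R%x%c", &l, &f, &r, &tail) != 3)
        return -1;                      /* malformed or trailing junk */
    if (l > 0xff || f > 0xfff || r > 0xfff)
        return -1;                      /* wider than the packed fields */
    out->lib = l; out->func = f; out->reason = r;
    return 0;
}

/* 1 if the suite chosen in ServerHello was in the ClientHello list. */
static int suite_offered(const unsigned short *list, size_t n, unsigned short id)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == id)
            return 1;
    return 0;
}

int main(void)
{
    /* Values quoted in the thread: the logged code and the captured hellos. */
    const unsigned short offered[] = { 0x0039, 0x0033, 0x0035, 0x002f, 0x00ff };
    struct ossl_err e = unpack_err(0x14171105UL), t;
    /* Print hex and decimal so either form can be searched in the headers. */
    printf("lib=0x%02x (%u) func=0x%03x (%u) reason=0x%03x (%u)\n",
           e.lib, e.lib, e.func, e.func, e.reason, e.reason);
    if (parse_lfr("L14:F171:R105", &t) == 0)
        printf("text form func matches: %d\n", t.func == e.func);
    printf("0x002f offered: %d\n", suite_offered(offered, 5, 0x002f));
    return 0;
}
```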
