Hey, we are using iPXE to chainload from HTTPS which works fine in most cases but fails with GoDaddy certificates. As suggested in the iPXE forums I am going to post this to the devel list as well. Hope you don't mind me cross posting.
Steps to reproduce:

* clone latest ipxe git repo
* enable DOWNLOAD_PROTO_HTTPS in general.h and maybe adjust other defines for your needs
* Download GoDaddy CA and intermediate cert: https://certs.godaddy.com/repository/gdroot-g2.crt and https://certs.godaddy.com/repository/gdig2.crt.pem
* embedded script:

    #!ipxe
    dhcp
    chain https://www.godaddy.com/

  (I know there is nothing to chainload there but it's just an example for a domain using a GoDaddy cert)
* make bin/undionly.kpxe EMBED=chain DEBUG=tls TRUST=/path/to/gdroot-g2.crt,/path/to/gdig2.crt.pem

Now booting this fails with "Invalid argument (http://ipxe.org/1c0de802)". When disabling some of the debug dump output (src/net/tls.c line 1810) I see the last message to show

    TLS ... received overlength Handshake

If I comment/skip the "return -EINVAL_HANDSHAKE" in line 1811 it proceeds but fails on

    TLS ... overlength certificate

(src/net/tls.c line 1591) this time. Seems like the len/remaining variable is set to 4096 (iob_len) and that truncates the long (5286 bytes) SSL handshake record / certificate. I have looked through the code a bit but I am afraid I will break things when I play with io buffer length stuff. Does anyone have an idea?

Thanks in advance,
Sebastian

_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
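The failure described above is a length-bound problem: a TLS handshake message (here a 5286-byte Certificate) is longer than one receive buffer, so a check of "declared length > bytes in this buffer" rejects it as overlength. The example below is added here and is not iPXE code or the poster's code; it shows a small reassembler that bounds each chunk against the total length declared in the 4-byte handshake header rather than against a fixed buffer size, and feeds it a constructed 5286-byte Certificate message in 4096-byte pieces. `hs_reasm`, `hs_feed` and `demo_reassemble` are names chosen for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* TLS handshake header: 1-byte type, 3-byte big-endian body length (RFC 5246 s7.4). */
#define HS_HDR_LEN          4
#define HS_TYPE_CERTIFICATE 0x0b
#define CHUNK_LEN           4096   /* receive-buffer size from the report */

struct hs_reasm {
    uint8_t *buf;   /* bytes of the in-progress handshake message */
    size_t   len;   /* bytes accumulated so far */
    size_t   need;  /* header + body once the header is known, else 0 */
};

/* Accumulate one chunk. Returns 1 when the message is complete, 0 if more is needed,
 * -1 on overrun or allocation failure. The bound is the declared total, not CHUNK_LEN. */
int hs_feed(struct hs_reasm *r, const uint8_t *data, size_t n) {
    if (r->need && r->len + n > r->need) return -1;   /* caller must split here */
    uint8_t *nb = realloc(r->buf, r->len + n);
    if (!nb) return -1;
    r->buf = nb;
    memcpy(r->buf + r->len, data, n);
    r->len += n;
    if (!r->need && r->len >= HS_HDR_LEN) {   /* header complete: learn the total */
        r->need = HS_HDR_LEN + (((size_t)r->buf[1] << 16) | ((size_t)r->buf[2] << 8) | r->buf[3]);
        if (r->len > r->need) return -1;
    }
    return (r->need && r->len == r->need) ? 1 : 0;
}

/* Constructed input: a Certificate message of total_len bytes (body 0xAA) fed in
 * CHUNK_LEN pieces. Returns the reassembled length, or 0 on failure. */
size_t demo_reassemble(size_t total_len) {
    struct hs_reasm r = { NULL, 0, 0 };
    uint8_t *msg = total_len >= HS_HDR_LEN ? malloc(total_len) : NULL;
    size_t off = 0, body = total_len - HS_HDR_LEN;
    int rc = 0;
    if (!msg) return 0;
    memset(msg, 0xAA, total_len);
    msg[0] = HS_TYPE_CERTIFICATE;
    msg[1] = (uint8_t)(body >> 16); msg[2] = (uint8_t)(body >> 8); msg[3] = (uint8_t)body;
    for (size_t n = 0; off < total_len && rc == 0; off += n) {
        n = (total_len - off < CHUNK_LEN) ? total_len - off : CHUNK_LEN;
        rc = hs_feed(&r, msg + off, n);
    }
    size_t got = (rc == 1 && off == total_len) ? r.len : 0;
    free(r.buf); free(msg);
    return got;
}
```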