Hello,

I want to contribute to the documentation on ipxe.org, but registration is disabled ("Action disabled: register"). Can I have an account, or should I write my text on this list for you to copy and paste onto ipxe.org?

On <https://ipxe.org/err/0f0a60>, in "Additional notes", I want to write that this error also occurs when booting on an HTTPS chain on a network without Internet access, because of the OCSP check (against the iPXE root CA certificate) *and* because of the download of the iPXE cross-signed list of Mozilla's CA certificates. To solve this issue, we need to disable the OCSP check (<https://github.com/ipxe/ipxe/commit/9759860ec>) and add our full x509 chain in the "CERT" variable (or have a local mirror of the iPXE cross-signed Mozilla CA certificates).

On <https://ipxe.org/err/1c0de8>, I want to write that this error can occur when the certificate or the certificate chain is too large (> 4k). In this case, "DEBUG=TLS" displays "Received overlenght Handshake".

On <https://ipxe.org/crypto>, I want to write about OCSP: its presence, and how to disable the OCSP check at compilation time (<https://github.com/ipxe/ipxe/commit/9759860ec>). I also want to say that Internet access is required to boot on an HTTPS chain unless the OCSP check is disabled *and* we don't use the x509 chain provided by iPXE. I also want to complete the sentence "Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a crosscert server)." with "With a large certificate or a large certificate chain, the error "Invalid argument (1c0de8)" can occur." (with a link to <https://ipxe.org/err/1c0de8>).

On <https://ipxe.org/buildcfg>, I want to add the "OCSP_CHECK" and "CROSSCERT" variables (they are defined in crypto.h).

Bye.
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
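
For the size condition reported above for error 1c0de8, the following added example (not part of the original message and not iPXE code) measures how large a PEM chain becomes once it is packed into a TLS 1.2 Certificate handshake message. It assumes the "> 4k" in the message means 4096 bytes and applies to that handshake message; the function names and the filler "certificates" are constructed for illustration.

```python
import base64
import re

# Threshold taken from the message above ("> 4k"); assumed to mean 4096 bytes.
ASSUMED_LIMIT = 4096

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_lengths(pem_text):
    """Return the DER length in bytes of every certificate in a PEM bundle."""
    return [len(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_text)]


def certificate_message_size(lengths):
    """Size of a TLS 1.2 Certificate handshake message for these certificates.

    4-byte handshake header + 3-byte list length, then for each certificate
    a 3-byte length prefix followed by its DER encoding.
    """
    return 4 + 3 + sum(3 + n for n in lengths)


def check_chain(pem_text, limit=ASSUMED_LIMIT):
    """Summarise a PEM chain and flag it when it exceeds the assumed limit."""
    lengths = der_lengths(pem_text)
    total = certificate_message_size(lengths)
    return {"certs": len(lengths), "bytes": total, "over_limit": total > limit}


def fake_pem(n):
    """Constructed stand-in: n filler bytes in PEM armour, not a real certificate."""
    b64 = base64.b64encode(b"\x00" * n).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Constructed sample chains: leaf + intermediate, then with a third entry.
    small = fake_pem(1200) + fake_pem(1400)
    large = small + fake_pem(1900)
    for name, chain in (("small", small), ("large", large)):
        print(name, check_chain(chain))
```

To check a real deployment, pass the contents of the server's full-chain PEM file to `check_chain` in place of the constructed samples.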
