Hello,
I want to contribute to the documentation on ipxe.org but the
registration is disabled ("Action disabled: register").
Can I have an account, or should I write my text on this list so that
you can copy and paste it on ipxe.org?
On <https://ipxe.org/err/0f0a60>, in "Additional notes", I want to write
that this error also occurs when booting on an HTTPS chain on a network
without Internet access, because of the OCSP check (against the iPXE
root CA certificate) *and* because of the download of iPXE's
cross-signed list of Mozilla's CA certificates.
To solve this issue, we need to disable the OCSP check
(<https://github.com/ipxe/ipxe/commit/9759860ec>) and add our full x509
chain in the "CERT" variable (or have a local mirror of iPXE's
cross-signed Mozilla CA certificates).
On <https://ipxe.org/err/1c0de8>, I want to write that this error can
occur when the certificate or the certificate chain is too large (> 4k).
In this case, "DEBUG=TLS" displays "Received overlength Handshake".
On <https://ipxe.org/crypto>, I want to write about OCSP: its presence,
and how to disable the OCSP check at compile time
(<https://github.com/ipxe/ipxe/commit/9759860ec>). I also want to say
that Internet access is required to boot on an HTTPS chain unless the
OCSP check is disabled *and* we don't use the x509 chain provided by iPXE.
I also want to complete the sentence "Note that embedded certificates
are generally quite large, and you should embed a certificate only if it
is not feasible to obtain the certificate from another source (e.g. by
configuring a crosscert server)." with "With a large certificate or a
large certificate chain, the error "Invalid argument (1c0de8)" can occur."
(with a link to <https://ipxe.org/err/1c0de8>)
On <https://ipxe.org/buildcfg>, I want to add the "OCSP_CHECK" and
"CROSSCERT" variables (they are defined in crypto.h).
Bye.
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
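
A pre-deployment check for the oversized-chain case described in the message above, as an added example that is not part of the original post and is not iPXE code. It measures the TLS Certificate handshake message a PEM chain would produce and compares it with the "> 4k" figure from the post, which is treated as an assumption; the function names and the constructed placeholder certificates are hypothetical.

```python
import base64
import re

# ">4k" is the figure quoted in the post above; treated here as an assumption,
# not a constant taken from the iPXE source.
LIMIT = 4096
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_length(der):
    """Total length (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short form
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def der_certs(pem_text):
    """Decode every CERTIFICATE block and reject truncated or padded ones."""
    certs = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        if der_total_length(der) != len(der):
            raise ValueError("PEM block is not exactly one DER certificate")
        certs.append(der)
    return certs

def check_chain(pem_text, limit=LIMIT):
    """Size of the Certificate handshake message this chain would produce:
    4-byte handshake header, 3-byte list length, then 3-byte length + DER
    per certificate (TLS 1.2, RFC 5246 section 7.4.2)."""
    certs = der_certs(pem_text)
    size = 4 + 3 + sum(3 + len(c) for c in certs)
    return {"certs": len(certs), "bytes": size, "over_limit": size > limit}

def fake_pem(body_len):
    """Constructed stand-in: a DER SEQUENCE of zero bytes, not a real cert."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    two = fake_pem(1200) + fake_pem(1500)
    print(check_chain(two))
    print(check_chain(two + fake_pem(1800)))
```

Run `check_chain()` on the full chain file the HTTPS server actually sends, since adding one intermediate can be what pushes the message past the limit.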