Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-23 Thread Christian Nilsson
Here is a message sent to the mailing list but without you in the CC:
http://lists.ipxe.org/pipermail/ipxe-devel/2016-November/005271.html
""""
You may want to try trusting your certificate chain by adding
`TRUST=/path/to/chain.crt` to the make command.  I just did that for the
first time the other day and it's working out well for me.

--
Erik
""""

I'm guessing you are using an embedded script; you might want to first try
and only type it out.
My reason for saying this is that the script must start with
#!ipxe (the # is missing in your example but I guess that is just a typo).
You can test that a script is detected correctly by running imgstat; it
should then say [script] for script files.

sync ; exit 1

seems to be a typo, it will always exit or just fail.

If you still get the weird 001 error then try and compile with
DEBUG=script to get details about what the script does so that we can see
exactly which command fails.

For debugging an https issue, here is an old email about how to debug it:
http://lists.ipxe.org/pipermail/ipxe-devel/2013-January/002201.html
  make bin/ DEBUG=tls,x509,ocsp

So to combine, you might want something like:
  make bin/ipxe.usb DEBUG=tls,x509,ocsp,script

/Christian


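The script and config mistakes discussed in this thread (a first line that is not `#!ipxe`, `$define` instead of `#define`, and a `:crosscert_ok` label whose `goto` went missing so `exit 1` always runs) can be caught on the build host before the script is embedded. The following is an added example, not part of the original messages or iPXE's own code; the function names `lint_ipxe_script` and `lint_config_header` and the check rules are assumptions made for illustration.

```python
import re

def lint_ipxe_script(text):
    """Return (line_no, message) findings for an iPXE script held in a string."""
    findings = []
    lines = text.splitlines()
    # Per the reply above, the script must start with the "#!ipxe" line.
    if not lines or lines[0].rstrip() != "#!ipxe":
        findings.append((1, "first line is not '#!ipxe'"))
    labels, targets, dynamic_goto = {}, {}, False
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith(":"):
            if line[1:].strip():
                labels.setdefault(line[1:].strip(), n)
            continue
        for m in re.finditer(r"(?:^|\s)goto\s+(\S+)", line):
            if "${" in m.group(1):
                dynamic_goto = True  # target is expanded at run time
            else:
                targets.setdefault(m.group(1), n)
    for name, n in targets.items():
        if name not in labels:
            findings.append((n, f"goto target '{name}' has no ':{name}' label"))
    # A label nothing jumps to usually means the guarding goto was lost, so
    # whatever precedes it (here "exit 1") runs every time.
    if not dynamic_goto:
        for name, n in labels.items():
            if name not in targets:
                findings.append((n, f"label ':{name}' is never the target of a goto"))
    return findings


def lint_config_header(header_text, script_text=""):
    """Check the text of a config header such as config/local/general.h."""
    findings, defined = [], set()
    for n, raw in enumerate(header_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("$define"):
            findings.append((n, "'$define' is not a preprocessor directive; use '#define'"))
        m = re.match(r"#\s*(define|undef)\s+(\w+)", line)
        if m and m.group(1) == "define":
            defined.add(m.group(2))
        elif m:
            defined.discard(m.group(2))
    if "https://" in script_text and "DOWNLOAD_PROTO_HTTPS" not in defined:
        findings.append((0, "script uses https:// but DOWNLOAD_PROTO_HTTPS is not defined here"))
    return findings


# Script as posted in the 2016-11-23 message of this thread.
THREAD_SCRIPT = """\
!ipxe

set crosscert http://webserver/ca.ipxe.org/
sync ; exit 1
:crosscert_ok

#sleep 10
ifstat net0
imgfetch -n kernel https://webserver/pxelinux.cfg/01-${net0/mac:hexhyp} && goto image_ok || goto discovery_image
sleep 10
"""

# Constructed header line reproducing the "$define" typo from the first message.
TYPO_HEADER = "$define DOWNLOAD_PROTO_HTTPS\n"

if __name__ == "__main__":
    for n, msg in lint_ipxe_script(THREAD_SCRIPT) + lint_config_header(TYPO_HEADER, THREAD_SCRIPT):
        print(f"line {n}: {msg}")
```

Line 0 in a finding means the problem concerns the header as a whole rather than one line; pass the text of whichever header your build actually uses.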

Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-23 Thread Blatt, Andrew C
I copied ca.ipxe.org to internal webserver to see if that would resolve my 
problem, however, I still get an error:

Could not boot: Error 0x0001 (http://ipxe.org/0001)

I’m pointing to local copy in the ipxe file I’m loading:

!ipxe

set crosscert http://webserver/ca.ipxe.org/
sync ; exit 1
:crosscert_ok

#sleep 10
ifstat net0
imgfetch -n kernel https://webserver/pxelinux.cfg/01-${net0/mac:hexhyp} && goto image_ok || goto discovery_image
sleep 10



Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-22 Thread Blatt, Andrew C
Thanks, I will use config/local/general.h going forward.  As for downloading
certchain from ca.ipxe.org, I do not have access to the internet.  Is there
any way to disable that feature? Was hoping “set crosscert x-invalid://” would
do it?  Trying to leverage https but with --insecure (like with curl/wget).


Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-22 Thread Christian Nilsson
Then I must suggest reading that ipxe.org URL, and also including it so that
it is easier for others to help you.

By default the iPXE HTTPS implementation downloads the certchain from
ca.ipxe.org (if I'm not misremembering),
so to double-check this I would strongly suggest that you test with
internet access available first, so you know that test case works, and then go
on to the next step to make it internal only.

Again, please use config/local/general.h, and don't redefine something that
is already defined by default. (This will make it easier for you when there
are any updates, and will minimize the risk of any future builds of iPXE
failing.)



Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-22 Thread Blatt, Andrew C
It gets an error and ipxe.org error, it does not hang, then fails to access the 
https://webserver url.  There is no network access to the internet, and I had 
even tried to disable that by adding:

set crosscert x-invalid:// && goto crosscert_ok || echo Setting crosscert failed
sync ; exit 1
:crosscert_ok

Not sure where I found the above example to disable crosscert check, but I gave 
it a try anyway.

> grep HTTP config/general.h
#define DOWNLOAD_PROTO_HTTP /* Hypertext Transfer Protocol */
#define DOWNLOAD_PROTO_HTTPS/* Secure Hypertext Transfer Protocol */



Re: [ipxe-devel] trying to leverage https address but not with certificates.

2016-11-22 Thread Christian Nilsson
Do you get an error and an ipxe.org error URL, or does it just hang?
Does the network have access to the internet (for possible download of the
certificate chain)?

The proper way to enable functions is to add just the needed ones to the
proper config/local file, in this case adding
#define DOWNLOAD_PROTO_HTTPS /* Secure Hypertext Transfer Protocol */
into src/config/local/general.h

Note the #define instead of $define (which should cause a compilation error, I
hope).

/Christian



[ipxe-devel] trying to leverage https address but not with certificates.

2016-11-22 Thread Blatt, Andrew C
Hi,

I'm trying to access a pxelinux.cfg file over HTTPS instead of HTTP:

#!ipxe
# Disable automated download of certificates since it is done against
# unauthenticated host which may lead to exploits

ifstat net0
imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/01-${net0/mac:hexhyp} && goto image_ok || goto discovery_image

:discovery_image
ifstat net0
imgfetch -n kernel https://WEBSERVER/pxelinux.cfg/default || echo ${net0/mac}:${ip} - Boot Failed

:image_ok
imgload kernel
boot kernel

I've tried compiling ipxe-fd95c78 and updated config/general.h to include 
$define DOWNLOAD_PROTO_HTTPS but it still fails to access the URL, if I change 
it back to http://WEBSERVER, it works.

Any advice?

Thank you.

Andrew

--
This message, and any attachments, is for the intended recipient(s) only, may 
contain information that is privileged, confidential and/or proprietary and 
subject to important terms and conditions available at 
http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended 
recipient, please delete this message.
___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel