Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-12 Thread Omniproc via ipxe-devel
> > Note that there's also 
> > https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption 
> > which adds a build option. By making this code optional and disabling that 
> > build option by default, it at least wouldn't break anything. Regarding 
> > security concerns: granted. But we're talking about ~50 lines of code here.
> 
> To that, please see https://dox.ipxe.org/ifdef_harmful.html
> You can introduce huge security issues with only one line of code.

I wasn't suggesting that you can't. I was trying to say that it's "only" 50 
lines of code to review.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1096777453
You are receiving this because you commented.

ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-12 Thread Christian Nilsson via ipxe-devel
> Note that there's also 
> https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption 
> which adds a build option. By making this code optional and disabling that 
> build option by default, it at least wouldn't break anything. Regarding 
> security concerns: granted. But we're talking about ~50 lines of code here.
> 

To that, please see https://dox.ipxe.org/ifdef_harmful.html
You can introduce huge security issues with only one line of code.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1096774208


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-12 Thread Omniproc via ipxe-devel
> Time needed to verify correctness of this patch is one possible issue; maybe 
> this could be lessened with proper tests, or at least something that can be 
> used to verify the issue. But this is critical code, and we must be 
> absolutely certain it does not introduce any new security issues.

Note that there's also 
https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption 
which adds a build option. By making this code optional and disabling that build 
option by default, it at least wouldn't break anything. Regarding security 
concerns: granted. But we're talking about ~50 lines of code here.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1096766788


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-12 Thread Christian Nilsson via ipxe-devel
Time needed to verify correctness of this patch is one possible issue; maybe 
this could be lessened with proper tests, or at least something that can be 
used to verify the issue. But this is critical code, and we must be 
absolutely certain it does not introduce any new security issues.


https://github.com/ipxe/ipxe/pull/116#issuecomment-1096759753
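A minimal model of what "fragmented handshake packets" means at the record layer, added here as an illustration and test fixture (this is not iPXE's code and not the patch under review): a Certificate handshake message is built over a constructed placeholder chain (FAKE_CHAIN, not real DER), split into TLS records, and reassembled even when a record boundary falls inside the 4-byte handshake header. The RFC 5246 section numbers are the standard's; every function name is this example's own.

```python
"""Reassemble a TLS handshake message split across several TLS records (the
case PR #116 adds to iPXE). Added example, not iPXE code; FAKE_CHAIN is a
constructed stand-in for a DER certificate chain, not real certificates."""
import struct

CONTENT_HANDSHAKE, HS_CERTIFICATE = 22, 11  # RFC 5246 6.2.1 and 7.4
TLS12 = b"\x03\x03"
FAKE_CHAIN = [bytes([0x30]) * 120, bytes([0x31]) * 200, bytes([0x32]) * 90]

def certificate_message(certs):
    """Build a Certificate handshake message (RFC 5246 7.4.2)."""
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(cert_list).to_bytes(3, "big") + cert_list
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body

def to_records(payload, max_fragment, ctype=CONTENT_HANDSHAKE):
    """Wrap payload in TLS records of at most max_fragment bytes each."""
    out = b""
    for i in range(0, len(payload), max_fragment):
        frag = payload[i:i + max_fragment]
        out += bytes([ctype]) + TLS12 + struct.pack("!H", len(frag)) + frag
    return out

def reassemble_handshakes(stream):
    """Return [(msg_type, body), ...]; fragments accumulate in one buffer so a
    message, or even its 4-byte header, may straddle record boundaries."""
    buf, pos, msgs = b"", 0, []
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        frag = stream[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype != CONTENT_HANDSHAKE:
            if buf:  # RFC 5246 6.2.1 forbids interleaving other content types
                raise ValueError("record interleaved with partial handshake")
            continue
        buf += frag
        while len(buf) >= 4 and len(buf) >= 4 + int.from_bytes(buf[1:4], "big"):
            n = int.from_bytes(buf[1:4], "big")
            msgs.append((buf[0], buf[4:4 + n]))
            buf = buf[4 + n:]
    if buf:
        raise ValueError("stream ended inside a handshake message")
    return msgs
```

The two error paths are the cases a reviewer of record-reassembly code wants exercised: a record cut short on the wire, and a non-handshake record arriving while a handshake message is still incomplete.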


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-08 Thread Geert Stappers via ipxe-devel
Today, timezone CEST, on the iPXE IRC channel:
```text
20:23 -!- dvzrv [~dvzrv@archlinux/developer/dvzrv] has joined #ipxe
20:24 < dvzrv> hi! any possibility of this being merged? https://github.com/ipxe/ipxe/pull/116 :)
```
now also on the iPXE mailing list :-)

https://github.com/ipxe/ipxe/pull/116#issuecomment-1093314417


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-08 Thread Geert Stappers via ipxe-devel
On Fri, Apr 08, 2022 at 12:33:44AM -0700, Omniproc wrote:
> Can confirm this does fix it for us as well. Would be great if this could be 
> merged in the next release.

So go further, make it happen.


https://github.com/ipxe/ipxe/pull/116#issuecomment-1093130304


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-04-08 Thread Omniproc via ipxe-devel
Can confirm this does fix it for us as well. Would be great if this could be 
merged in the next release.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1092544718


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-03-17 Thread Christopher Odenbach via ipxe-devel
> We applied this patch to our code base and it seemed to work fine. However, 
> in the meantime I arrived at the same conclusion as described in [#116 
> (comment)](https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507), 
> reverted the patch and instead switched to the shorter Let's Encrypt 
> certification chain: `R3 -> ISRG Root X1` instead of `R3 -> ISRG Root X1 -> 
> DST Root CA X3`. Our certificate chain is now only 2887 bytes long although 
> we use 4096-bit RSA keys. It is probably worth pointing out that linking to 
> `DST Root CA X3` is kind of pointless as this root certificate expired `Thu, 
> 30 Sep 2021 14:01:15 UTC`.

This may be a solution for you or other users of Let's Encrypt, but many other 
people have other long certificate chains, so we need a general solution. I 
cannot understand why this patch does not get merged.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1070793352


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-03-16 Thread Andreas Fischer via ipxe-devel
We applied this patch to our code base and it seemed to work fine. However, in 
the meantime I arrived at the same conclusion as described in 
https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507, reverted the 
patch and instead switched to the shorter Let's Encrypt certification chain: 
`R3 -> ISRG Root X1` instead of `R3 -> ISRG Root X1 -> DST Root CA X3`. Our 
certificate chain is only 2887 bytes long although we use 4096-bit RSA keys. 
Maybe it is worth pointing out that linking to `DST Root CA X3` is kind of 
pointless as this root certificate expired `Thu, 30 Sep 2021 14:01:15 UTC`.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1069294392


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-03-15 Thread waldner via ipxe-devel
What's the status of this? Is a merge expected soon(ish)? After almost two 
years the problem has only got worse.

https://github.com/ipxe/ipxe/pull/116#issuecomment-1068426131


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2022-01-08 Thread eb3095 via ipxe-devel
No good for me. This fixed the error; however, now VMs I'm spinning up are 
hanging whenever I attempt to chain an https address. No output from debug, 
seems to just hang after "new session ticket" and it says "ok".

https://github.com/ipxe/ipxe/pull/116#issuecomment-1007956377


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2021-07-27 Thread Ivan Marton via ipxe-devel
I've also applied this patch in our staging environment and it worked 
flawlessly. We are also eagerly waiting to have it in master.

https://github.com/ipxe/ipxe/pull/116#issuecomment-887426909


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2021-07-23 Thread David Runge via ipxe-devel
On Arch Linux we have been struggling with the issue as well (at the time of 
writing netboot for users is broken) and applying this patch fixes the problem.

It would be really great if this was reviewed and merged! :)

https://github.com/ipxe/ipxe/pull/116#issuecomment-885748886


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2021-07-09 Thread rodehoed via ipxe-devel
We also have problems with the chain from Let's Encrypt because of its size. So 
a fix upstream would be awesome.

For now I'm not using the fullchain.pem but the cert.pem certificate in nginx as a 
work-around.

https://github.com/ipxe/ipxe/pull/116#issuecomment-877091177


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2021-06-16 Thread Graham Christensen via ipxe-devel
Just in case you're coming across this with the recent Let's Encrypt chain 
update, you can work around this by preferring the shorter chain in 
https://community.letsencrypt.org/t/production-chain-changes/150739/1 via the 
lego flags: `--preferred-chain "ISRG Root X1"`. On NixOS this is provided via:

```nix
security.acme.certs."${domain}".extraLegoRunFlags = [
  "--preferred-chain" "ISRG Root X1"
];
```

https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2021-06-07 Thread Christian Theune via ipxe-devel
I've tried this in production and it helped me get booting from TLS working 
again. I did not intentionally have a large certificate chain, but I'm using LE, 
and apart from allowing non-EC ciphers this has been a blocker for us to 
properly boot from TLS.

Any chance to get this merged in the foreseeable future? Any help needed?

https://github.com/ipxe/ipxe/pull/116#issuecomment-856428621


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2020-07-28 Thread Christopher Odenbach
We are running this patch in production now, works like a charm!

https://github.com/ipxe/ipxe/pull/116#issuecomment-664989067


Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)

2020-07-14 Thread Christopher
Hi,
what do you think of this patch? I really would love to see this upstream.

Best regards
Christopher 

https://github.com/ipxe/ipxe/pull/116#issuecomment-658116741