Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
> > Note that there's also
> > https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption
> > which adds a build option. By making this code optional and disabling that
> > build option by default it at least wouldn't break anything. Regarding
> > security concerns: granted. But we're talking about ~50 lines of code here.
>
> To that, please see https://dox.ipxe.org/ifdef_harmful.html
>
> You can introduce huge security issues with only one line of code.

I wasn't suggesting that you can't. I was trying to say that it's "only" 50 lines of code to review.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1096777453
You are receiving this because you commented.
Message ID:
___
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo/ipxe-devel
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
> Note that there's also
> https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption
> which adds a build option. By making this code optional and disabling that
> build option by default it at least wouldn't break anything. Regarding
> security concerns: granted. But we're talking about ~50 lines of code here.

To that, please see https://dox.ipxe.org/ifdef_harmful.html

You can introduce huge security issues with only one line of code.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1096774208
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
> Time needed to verify the correctness of this patch is one possible issue; maybe
> this could be lessened with proper tests, or at least something that can be
> used to verify the issue. But this is critical code, and we must be
> absolutely certain it does not introduce any new security issues.

Note that there's also
https://github.com/chschenk/ipxe/tree/feature/tls_fragmentation_buildoption
which adds a build option. By making this code optional and disabling that
build option by default it at least wouldn't break anything.

Regarding security concerns: granted. But we're talking about ~50 lines of code here.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1096766788
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
Time needed to verify the correctness of this patch is one possible issue; maybe this could be lessened with proper tests, or at least something that can be used to verify the issue. But this is critical code, and we must be absolutely certain it does not introduce any new security issues.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1096759753
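The reviewer above asks for tests, or at least something that can be used to verify the issue. As an added illustration for readers of this thread (not code from the pull request, and not iPXE's own code), the following Python model shows what the fix has to get right: a sender that splits a Certificate handshake message across TLS records at the 2^14-byte plaintext limit of RFC 5246, and a receiver that reassembles handshake messages that either span several records or share one record. The 64 KiB cap on a single reassembled message is an assumption of this example, not an iPXE value; it is there so an advertised handshake length can never grow the buffer without bound. All inputs are constructed filler bytes, not real certificates.

```python
"""Model of TLS record fragmentation and handshake-message reassembly (added example)."""
import struct

TLS_CONTENT_HANDSHAKE = 22
TLS_VERSION_1_2 = 0x0303
TLS_MAX_PLAINTEXT = 16384          # 2^14 bytes per record, RFC 5246 section 6.2.1
HANDSHAKE_TYPE_CERTIFICATE = 11
MAX_HANDSHAKE_LEN = 65536          # assumed cap on one reassembled message (this example's choice)


def tls_records(content_type, payload, max_fragment=TLS_MAX_PLAINTEXT):
    """Encode a plaintext payload as TLS records, splitting it at the record size limit."""
    out = []
    for off in range(0, len(payload), max_fragment):
        chunk = payload[off:off + max_fragment]
        out.append(struct.pack("!BHH", content_type, TLS_VERSION_1_2, len(chunk)) + chunk)
    return b"".join(out)


def handshake_message(msg_type, body):
    """Encode one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


class HandshakeReassembler:
    """Accumulates handshake fragments from successive records into whole messages."""

    def __init__(self, max_len=MAX_HANDSHAKE_LEN):
        self.buf = bytearray()
        self.max_len = max_len
        self.messages = []        # list of (msg_type, body)
        self.records_seen = 0

    def feed(self, fragment):
        """Append one record's handshake fragment and emit every complete message."""
        self.records_seen += 1
        # Bound the buffer before copying: a peer must not be able to grow it indefinitely.
        if len(self.buf) + len(fragment) > self.max_len + 4:
            raise ValueError("handshake reassembly buffer would exceed the cap")
        self.buf += fragment
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if length > self.max_len:
                raise ValueError("advertised handshake length %d exceeds cap" % length)
            if len(self.buf) < 4 + length:
                return                 # message continues in a later record
            self.messages.append((msg_type, bytes(self.buf[4:4 + length])))
            del self.buf[:4 + length]  # several messages may share one record


def parse_stream(stream, reassembler):
    """Split a byte stream into records and hand handshake fragments to the reassembler."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        if length > TLS_MAX_PLAINTEXT:
            raise ValueError("record length %d exceeds the TLS plaintext limit" % length)
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        if ctype == TLS_CONTENT_HANDSHAKE:
            reassembler.feed(body)
        off += 5 + length
    return reassembler


def demo():
    """Constructed input: a Certificate message whose body is larger than one record."""
    fake_chain = bytes(range(256)) * 80       # 20480 bytes of stand-in certificate data
    msg = handshake_message(HANDSHAKE_TYPE_CERTIFICATE, fake_chain)
    return parse_stream(tls_records(TLS_CONTENT_HANDSHAKE, msg), HandshakeReassembler())


def demo_coalesced():
    """Constructed input: two small handshake messages (ServerHello, ServerHelloDone) in one record."""
    msgs = handshake_message(2, b"server-hello") + handshake_message(14, b"")
    r = parse_stream(tls_records(TLS_CONTENT_HANDSHAKE, msgs), HandshakeReassembler())
    return [t for t, _ in r.messages]


def rejects_oversized(body_len=70000):
    """True if a handshake message larger than the cap is refused rather than buffered."""
    msg = handshake_message(HANDSHAKE_TYPE_CERTIFICATE, b"\x00" * body_len)
    try:
        parse_stream(tls_records(TLS_CONTENT_HANDSHAKE, msg), HandshakeReassembler())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    r = demo()
    print("records:", r.records_seen, "messages:", len(r.messages),
          "first body:", len(r.messages[0][1]), "bytes")
    print("coalesced types:", demo_coalesced(), "oversized rejected:", rejects_oversized())
```

Running the file shows a 20484-byte Certificate message arriving as two records and leaving the reassembler as one message, two short messages sharing a single record, and a message whose advertised length exceeds the cap being rejected on the first fragment. A real test for the patch would drive the same three cases through the project's TLS code.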
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
Today (timezone CEST) on the iPXE IRC channel:

```text
20:23 -!- dvzrv [~dvzrv@archlinux/developer/dvzrv] has joined #ipxe
20:24 < dvzrv> hi! any possibility of this being merged? https://github.com/ipxe/ipxe/pull/116 :)
```

now also at the iPXE mailing list :-)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1093314417
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
On Fri, Apr 08, 2022 at 12:33:44AM -0700, Omniproc wrote:
> Can confirm this does fix it for us as well. Would be great if this could be
> merged in the next release.

So go further, make it happen.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1093130304
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
Can confirm this does fix it for us as well. Would be great if this could be merged in the next release.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1092544718
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
> We applied this patch to our code base and it seemed to work fine. However,
> in the meantime I arrived at the same conclusion as described in [#116
> (comment)](https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507),
> reverted the patch and instead switched to the shorter Let's Encrypt
> certification chain: `R3 -> ISRG Root X1` instead of `R3 -> ISRG Root X1 ->
> DST Root CA X3`. Our certificate chain is now only 2887 bytes long although
> we use 4096-bit RSA keys. It is probably worth pointing out that linking to
> `DST Root CA X3` is kind of pointless as this root certificate expired `Thu,
> 30 Sep 2021 14:01:15 UTC`.

This may be a solution for you or other users of Let's Encrypt, but many other people have other long certificate chains, so we need a general solution. I cannot understand why this patch does not get merged.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1070793352
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
We applied this patch to our code base and it seemed to work fine. However, in the meantime I arrived at the same conclusion as described in https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507, reverted the patch and instead switched to the shorter Let's Encrypt certification chain: `R3 -> ISRG Root X1` instead of `R3 -> ISRG Root X1 -> DST Root CA X3`. Our certificate chain is only 2887 bytes long although we use 4096-bit RSA keys.

Maybe it is worth pointing out that linking to `DST Root CA X3` is kind of pointless as this root certificate expired `Thu, 30 Sep 2021 14:01:15 UTC`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1069294392
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
What's the status of this? Is a merge expected soon(ish)? After almost two years the problem has only got worse.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1068426131
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
No good for me. This fixed the error; however, now VMs I'm spinning up are hanging whenever I attempt to chain an https address. No output from debug, seems to just hang after "new session ticket" and it says "ok".

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-1007956377
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
I've also applied this patch in our staging environment and it worked flawlessly. We are also eagerly waiting to have it in master.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-887426909
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
On Arch Linux we have been struggling with the issue as well (at the time of writing, netboot for users is broken) and applying this patch fixes the problem. It would be really great if this was reviewed and merged! :)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-885748886
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
We also have problems with the chain from Let's Encrypt because of its size. So a fix upstream would be awesome. For now I'm not using the fullchain.pem but the cert.pem certificate in nginx as a work-around.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-877091177
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
Just in case you're coming across this with the recent Let's Encrypt chain update, you can work around this by preferring the shorter chain in https://community.letsencrypt.org/t/production-chain-changes/150739/1 via the lego flags: `--preferred-chain "ISRG Root X1"`. On NixOS this is provided via:

```nix
security.acme.certs."${domain}".extraLegoRunFlags = [ "--preferred-chain" "ISRG Root X1" ];
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-862709507
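Two messages in this thread turn on chain size: the 2887-byte chain obtained by dropping `DST Root CA X3`, and the lego `--preferred-chain` workaround above that selects the shorter ISRG Root X1 chain. As an added example (not code from the pull request, from iPXE, or from lego), here is a Python check an operator can run against a PEM bundle such as `fullchain.pem` before pointing iPXE at a server: it decodes each certificate's DER length, works out the size of the TLS 1.2 Certificate handshake message per RFC 5246 section 7.4.2 (4-byte handshake header, 3-byte list length, 3-byte length per certificate), and reports whether that message exceeds the 2^14-byte record limit and would therefore arrive fragmented. The bundle used in `demo()` is constructed filler encoded as base64, not real certificates; the sizes are chosen only to show both outcomes.

```python
"""Predict whether a PEM chain forces a fragmented TLS 1.2 Certificate message (added example)."""
import base64
import re

TLS_MAX_PLAINTEXT = 16384   # 2^14 bytes per record, RFC 5246 section 6.2.1

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_lengths(pem_bytes):
    """Return the DER length of each certificate in a PEM bundle, in file order."""
    return [len(base64.b64decode(b"".join(m.split()))) for m in PEM_CERT.findall(pem_bytes)]


def certificate_message_size(lengths):
    """Size of a TLS 1.2 Certificate handshake message carrying these certificates:
    4-byte handshake header + 3-byte certificate_list length + (3-byte length + DER) per cert
    (RFC 5246 section 7.4.2)."""
    return 4 + 3 + sum(3 + n for n in lengths)


def records_needed(message_size):
    """Number of maximum-size TLS records the message occupies (ceiling division)."""
    return -(-message_size // TLS_MAX_PLAINTEXT)


def analyse_chain(pem_bytes):
    """Summarise a PEM bundle: certificate count, sizes, and whether fragmentation occurs."""
    lengths = der_lengths(pem_bytes)
    size = certificate_message_size(lengths)
    return {
        "certificates": len(lengths),
        "der_lengths": lengths,
        "message_size": size,
        "records": records_needed(size),
        "fragmented": size > TLS_MAX_PLAINTEXT,
    }


def fake_pem(der_sizes):
    """Constructed stand-in bundle: base64 of filler bytes with the requested DER sizes.
    These are NOT real certificates; only their encoded lengths matter for the size check."""
    parts = []
    for n in der_sizes:
        b64 = base64.b64encode(b"\x30" * n).decode()
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        parts.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines)
    return "".join(parts).encode()


def demo():
    """Two constructed bundles: a short two-certificate chain and a long four-certificate one."""
    short_chain = analyse_chain(fake_pem([1500, 1400]))
    long_chain = analyse_chain(fake_pem([2000, 6000, 5000, 5000]))
    return short_chain, long_chain


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real use: python chaincheck.py fullchain.pem
        with open(sys.argv[1], "rb") as f:
            print(analyse_chain(f.read()))
    else:
        for label, result in zip(("short", "long"), demo()):
            print(label, result)
```

Given a path, the script reports the actual bundle; with no arguments it prints the two constructed cases, where the short chain fits in one record and the long one needs two. Leaf and intermediate sizes are what the server sends, so the check applies whatever CA issued the chain, not only Let's Encrypt.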
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
I've tried this in production and it helped me get booting from TLS working again. I did not intentionally have a large certificate chain, but I'm using LE and, apart from allowing non-EC ciphers, this has been a blocker for us to properly boot from TLS. Any chance to get this merged in the foreseeable future? Any help needed?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-856428621
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
We are running this patch in production now, works like a charm!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-664989067
Re: [ipxe-devel] [ipxe/ipxe] [tls] Add support for fragmented tls handshake packets (#116)
Hi, what do you think of this patch? I really would love to see this upstream.

Best regards
Christopher

-- 
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/116#issuecomment-658116741