Naveen,

For error code L14:F171:R105, it seems it did not fail in ssl3_get_server_hello(). L14 means SSL lib error and R105 means SSL_R_WRONG_CIPHER_RETURNED, but for F171 I can't find the corresponding error function. Can you tell us the OpenSSL version your platform uses, and what cipher is returned in the Server Hello?
Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Palmer, Thomas
> Sent: Friday, September 23, 2016 2:10 AM
> To: Samer El Haj Mahmoud <smahm...@lenovo.com>; Santhapur Naveen <nave...@amiindia.co.in>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
> Naveen,
>
> I may be interpreting this OpenSSL error code incorrectly, so if anyone has experience with this please chime in ...
>
> Looking at 1.0.2h, the 0x105 reason corresponds with SSL_R_WRONG_CIPHER_RETURNED. This happens in two places in s3_clnt.c. This would indicate that the TLS server is wanting to use a cipher that the TLS client does not want to use.
>
> 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ... but we don't support client certificates or DTLS at this point, so I would not expect this to be in play (unless your server is configured for that ...).
>
> We should confirm this error code interpretation. If you have a debugger, set a break point for each instance of SSL_R_WRONG_CIPHER_RETURNED, or add a print statement. Which OpenSSL version are you using?
>
> Regards,
>
> Thomas Palmer
>
> "I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal
>
> -----Original Message-----
> From: Samer El Haj Mahmoud [mailto:smahm...@lenovo.com]
> Sent: Thursday, September 22, 2016 10:12 AM
> To: Santhapur Naveen <nave...@amiindia.co.in>; Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> Are you using the latest code from the edk2-staging branch?
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Santhapur Naveen
> Sent: Thursday, September 22, 2016 7:07 AM
> To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: Re: [edk2] Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding your previous question about the server certificates, please find my response below:
>
> Do you have the appropriate certificate installed in UEFI for the target TLS server?
> Yes, I do have the appropriate certificate installed on my server. I have followed section 2.2, titled "Self-Generated Certificate", in the white paper to generate the certificates.
>
> I have debugged a bit further and went inside TlsConnectSession() to see where exactly it is failing, and I found that it fails in TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives the error "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
>
> If I'm missing anything anywhere, would you please provide your comments.
>
> Thank you,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> Sent: Thursday, September 22, 2016 12:56 AM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> From what you describe, it sounds like they should not have an issue negotiating TLS version and cipher.
>
> Do you have the appropriate certificate installed in UEFI for the target TLS server? Either we need the 3rd party CA that signed the web server certificate, or you could install the self-signed certificate of the web server.
>
> Also, are you able to see any DEBUG statements from TlsLib.c?
>
> Regards,
>
> Thomas Palmer
>
> -----Original Message-----
> From: Santhapur Naveen [mailto:nave...@amiindia.co.in]
> Sent: Wednesday, September 21, 2016 8:09 AM
> To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Hi Thomas,
>
> Regarding my previous mail, after the TCP handshake the client says Hello to the server and the server replies with its Hello to the client using TLSv1.
>
> The client says Hello with the following cipher suites:
>
> 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>
> For the Client Hello, the server responds with its Hello and chooses TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an acknowledgement to the server and then immediately sends RST.
>
> After some debugging, it was found that it fails in TlsConnectSession(). Would you please provide your comments on this?
>
> Thanks,
> Naveen
>
> -----Original Message-----
> From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> Sent: Tuesday, September 20, 2016 9:30 PM
> To: Santhapur Naveen; edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
>
> Naveen,
>
> I cannot see attachments on this email.
>
> What TLS versions and ciphers does your web server support? Depending on when you built the UEFI image, your server may need to have TLS v1.0 enabled and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.
>
> Regards,
>
> Thomas Palmer
>
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Santhapur Naveen
> Sent: Tuesday, September 20, 2016 6:42 AM
> To: edk2-devel@lists.01.org
> Subject: [edk2] Issues with HTTPS Boot
>
> Hello All,
>
> Since HTTPS Boot came into the picture, I was very enthusiastic to try it. I configured the server as explained in the white paper https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
>
> But when I try to go for an HTTPS boot, it stops after the TCP handshake. Attached is the Wireshark log. Please help me out and also let me know if any other details are needed.
>
> Thank you,
> Naveen
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
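The following is an added example, not code from edk2, TlsLib.c or OpenSSL, that does the two things the thread does by hand: it splits the packed error code 0x14171105 into the lib/func/reason fields the way OpenSSL 1.0.x's ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros read it, and it replays the Client Hello / Server Hello exchange from the Wireshark capture to perform the client-side check whose failure OpenSSL reports as SSL_R_WRONG_CIPHER_RETURNED (the server's chosen suite must be one the client offered). The handshake bytes are constructed inline by minimal TLS 1.0 encoders written for this example; they are not OpenSSL's parsers, and the 0xC02F suite used as the negative case is simply one the client in the capture never offered.

```python
"""Added example (not edk2 or OpenSSL code): decode a packed OpenSSL error
code and replay the ClientHello/ServerHello cipher check from the thread."""
import os
import struct

# Suites the client offered, taken from the Wireshark capture in the thread.
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
OFFERED = [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
TLS1_0 = 0x0301
ERR_LIB_SSL = 20                   # 0x14 in OpenSSL's err.h
SSL_R_WRONG_CIPHER_RETURNED = 261  # 0x105 in OpenSSL 1.0.x ssl.h


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x code (lib:8 | func:12 | reason:12) into a tuple.
    OpenSSL 3.0 stopped recording function codes, so func is 0 there."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def format_openssl_error(code):
    """Render a code the way the TlsDoHandshake DEBUG line in the thread does."""
    return "L%X:F%X:R%X" % decode_openssl_error(code)


def _handshake_record(msg_type, body, version):
    """Wrap a handshake body (1 = ClientHello, 2 = ServerHello) in a TLS record."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs


def build_client_hello(suites, version=TLS1_0, rand=None):
    """Minimal ClientHello: empty session id, null compression, no extensions."""
    rand = os.urandom(32) if rand is None else rand
    body = struct.pack(">H", version) + rand + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"
    return _handshake_record(1, body, version)


def build_server_hello(suite, version=TLS1_0, rand=None):
    """Minimal ServerHello carrying the single suite the server selected."""
    rand = os.urandom(32) if rand is None else rand
    body = struct.pack(">H", version) + rand + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _handshake_record(2, body, version)


def _handshake_body(record, expected_type):
    """Strip record and handshake headers, checking lengths as a real client must."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if struct.unpack(">H", record[3:5])[0] != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != expected_type:
        raise ValueError("unexpected handshake type %d" % record[5])
    n = int.from_bytes(record[6:9], "big")
    body = record[9:9 + n]
    if len(body) != n:
        raise ValueError("truncated handshake message")
    return body


def parse_client_hello(record):
    """Return (client_version, [offered suites]) from a ClientHello record."""
    body = _handshake_body(record, 1)
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32              # skip client_random
    pos += 1 + body[pos]      # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def parse_server_hello(record):
    """Return (server_version, chosen suite) from a ServerHello record."""
    body = _handshake_body(record, 2)
    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32
    pos += 1 + body[pos]
    return version, struct.unpack(">H", body[pos:pos + 2])[0]


def check_server_hello(client_hello, server_hello):
    """Client-side check on the server's choice; returns (ok, detail). ok is False
    when the chosen suite was not offered, OpenSSL's SSL_R_WRONG_CIPHER_RETURNED case."""
    client_version, offered = parse_client_hello(client_hello)
    server_version, chosen = parse_server_hello(server_hello)
    if server_version > client_version:
        return False, "server version 0x%04x exceeds offered 0x%04x" % (server_version, client_version)
    if chosen == TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
        return False, "server selected the SCSV, which is a signal, not a suite"
    if chosen not in offered:
        return False, "server chose 0x%04x, which the client never offered" % chosen
    return True, "server chose 0x%04x at version 0x%04x" % (chosen, server_version)


if __name__ == "__main__":
    print(format_openssl_error(0x14171105))
    ch = build_client_hello(OFFERED)
    print(check_server_hello(ch, build_server_hello(TLS_RSA_WITH_AES_128_CBC_SHA)))
    print(check_server_hello(ch, build_server_hello(0xC02F)))  # not in the offer
```

Fed the capture's numbers, the reason field lands on 261, which is SSL_R_WRONG_CIPHER_RETURNED, agreeing with Thomas's and Jiaxin's reading of R105, while the capture's own exchange (0x002f chosen from an offer that contains 0x002f) passes the replayed check. That is why the check alone cannot settle the question: which of the two call sites in s3_clnt.c fired, and what the client's in-memory cipher list held at that moment, is what the break points or print statements Thomas suggests would reveal.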