Re: [edk2] Issues with HTTPS Boot

[Santhapur Naveen]

Hi,
        I've downloaded the source from edk2-staging a couple weeks ago and 
have been using the same source since then.

Thanks,
Naveen

-----Original Message-----
From: Samer El Haj Mahmoud [mailto:smahm...@lenovo.com] 
Sent: Thursday, September 22, 2016 8:42 PM
To: Santhapur Naveen; Palmer, Thomas; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

Are you using the latest code form the edk2-staging branch?


-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
Santhapur Naveen
Sent: Thursday, September 22, 2016 7:07 AM
To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
Subject: Re: [edk2] Issues with HTTPS Boot

Hi Thomas,

        Regarding your previous question about the server certificates, please 
find my response as below:

Do you have the appropriate certificate installed in UEFI for the target TLS 
server?
        Yes, I do have the appropriate certificate installed on my server. I 
have followed the section 2.2 titles " Self-Generated Certificate" in the white 
paper to generate the certificates.

        I have debugged a bit  further and went inside TlsConnectSession() to 
see where exactly it is failing and I found out like it fails in 
TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives error as 
"TlsDoHandshake ERROR 0x14171105=L14:F171:R105".

        If I'm missing anything anywhere, would you please provide your 
comments.

Thank you,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.pal...@hpe.com] 
Sent: Thursday, September 22, 2016 12:56 AM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot


>From what you describe, it sounds like they should not have an issue 
>negotiating TLS version and cipher.


Do you have the appropriate certificate installed in UEFI for the target TLS 
server?   Either we need the 3rd part CA that signed the web server 
certificate, or you could install the self-signed certificate of the web server.

Also, are you able to see the any DEBUG statements from TlsLib.c?


Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it 
shorter" - Blaise Pascal

-----Original Message-----
From: Santhapur Naveen [mailto:nave...@amiindia.co.in] 
Sent: Wednesday, September 21, 2016 8:09 AM
To: Palmer, Thomas <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Hi Thomas,

        Regarding my previous mail, after TCP handshake, Client Says Hello to 
sever and the Server replies its Hello to the client with TLSv1.
 
Client says hello with the following Cipher Suites:

1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) 2. 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) 3. TLS_RSA_WITH_AES_256_CBC_SHA 
(0x0035) 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) 5. 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

        For the Client Hello, Server responds with its Hello and chooses 
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client sends an 
acknowledgement to the server and then immediately sends RST. 

        After some debugging, it was found that it fails in 
TlsConnectSession(). Would you please provide your comments on this?


Thanks,
Naveen

-----Original Message-----
From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
Sent: Tuesday, September 20, 2016 9:30 PM
To: Santhapur Naveen; edk2-devel@lists.01.org
Subject: RE: Issues with HTTPS Boot

Naveen,

        I cannot see attachments on this email. 
        
        What TLS versions and ciphers does your web server support? Depending 
on when you built the UEFI image, your server may need to have TLS v1.0 enabled 
and support one of the non-SHA256 ciphers listed at the top of TlsLib.c.   
        

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it 
shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of 
Santhapur Naveen
Sent: Tuesday, September 20, 2016 6:42 AM
To: edk2-devel@lists.01.org
Subject: [edk2] Issues with HTTPS Boot

Hello All,

          Since the HTTPS Boot came into picture, I was very enthusiastic to 
try it. I configured the server as-is explained in the white paper 
https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers

          But when I try to go for an HTTPS boot, it stops after the TCP 
handshake. Attached is the Wireshark log. Please help me out and also let me 
know if any other details are needed.

Thank you,
Naveen
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel