Hi Jiaxin,

        Thank you very much for the information you have provided. I shall try 
and update you. Thank you once again.

Best Regards,
Naveen

-----Original Message-----
From: Wu, Jiaxin [mailto:jiaxin...@intel.com] 
Sent: Friday, September 30, 2016 10:56 AM
To: Santhapur Naveen; Palmer, Thomas; Samer El Haj Mahmoud; 
edk2-devel@lists.01.org
Cc: Fu, Siyuan; Ye, Ting; Li, Ruth
Subject: RE: Issues with HTTPS Boot

Hi Naveen,

I have tried the openssl-1.0.2h and openssl-1.0.2j (the latest edk2-master 
version), and both of them work well with the UEFI HTTPS in the staging branch. I 
haven't met your issue :(. Now, I have synced the patches from EDK2 
master (https://github.com/tianocore/edk2) to the HTTPS-TLS branch 
(https://github.com/tianocore/edk2-staging/tree/HTTPS-TLS). That means the current 
HTTPS in the branch is developed based on openssl-1.0.2j.

I noticed you're not using the latest code from the edk2-staging branch because 
your code base seems not to support the TLS version negotiation feature. Can you retry 
the latest code in the current HTTPS-TLS branch?

In order to eliminate the HTTPS server configuration issue, you can use IE or 
Chrome or any other HTTPS client (Note: don't forget to enroll the server CA 
cert) to verify the HTTPS server's functionality first. That can also help you 
to verify your self-signed certificates :). If you are using IIS8 HTTPS server, 
please also be aware of the README notes.

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Monday, September 26, 2016 9:46 AM
> To: Santhapur Naveen <nave...@amiindia.co.in>; Palmer, Thomas 
> <thomas.pal...@hpe.com>; Samer El Haj Mahmoud <smahm...@lenovo.com>; 
> edk2-devel@lists.01.org
> Subject: RE: Issues with HTTPS Boot
> 
> Naveen,
> 
> The version in edk2-staging is openssl-1.0.2g; I can't reproduce the 
> failure case in the latest branch. From the limited debug information, 
> I'm not sure whether it's the compatibility issue with openssl-1.0.2h. 
> It is also possible that your server configuration is incorrect. 
> Anyway, I will try openssl-1.0.2h. But before that, please make sure 
> all the HTTPS related patches have been synced to your platform (from 
> edk2-staging version:
> 891dde7da95bdc5deb11f9262b3bc6fde4e678ef).
> 
> Thanks,
> Jiaxin
> 
> > -----Original Message-----
> > From: Santhapur Naveen [mailto:nave...@amiindia.co.in]
> > Sent: Friday, September 23, 2016 3:01 PM
> > To: Wu, Jiaxin <jiaxin...@intel.com>; Palmer, Thomas 
> > <thomas.pal...@hpe.com>; Samer El Haj Mahmoud
> <smahm...@lenovo.com>;
> > edk2-devel@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Hi Jiaxin,
> >
> >     The openssl version I have been using is 1.0.2h and the cipher 
> > returned by the Server Hello is "TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)".
> >
> > Thanks,
> > Naveen
> >
> > -----Original Message-----
> > From: Wu, Jiaxin [mailto:jiaxin...@intel.com]
> > Sent: Friday, September 23, 2016 12:25 PM
> > To: Palmer, Thomas; Samer El Haj Mahmoud; Santhapur Naveen; edk2-de...@lists.01.org
> > Subject: RE: Issues with HTTPS Boot
> >
> > Naveen,
> >
> > For error code L14:F171:R105, it seems it did not fail in
> > ssl3_get_server_hello().
> > L14 means SSL lib error, R105 means SSL_R_WRONG_CIPHER_RETURNED,
> > but for F171, I can't find the corresponding error function it represents.
> > Can you tell us the openssl version your platform used? And what's 
> > the cipher returned from the server hello?
> >
> >
> > Thanks,
> > Jiaxin
> >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On 
> > > Behalf Of Palmer, Thomas
> > > Sent: Friday, September 23, 2016 2:10 AM
> > > To: Samer El Haj Mahmoud <smahm...@lenovo.com>; Santhapur Naveen 
> > > <nave...@amiindia.co.in>; edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > >
> > > Naveen,
> > >
> > > I may be interpreting this OpenSSL error code incorrectly, so if 
> > > anyone has experience with this please chime in ...
> > >
> > > Looking at 1.0.2h, the 0x105 reason corresponds with 
> > > SSL_R_WRONG_CIPHER_RETURNED.  This happens in two places in
> > > s3_clnt.c.
> > > This would indicate that the TLS server is wanting to use a cipher 
> > > that the TLS client does not want to use.
> > >
> > > 0x105 can also correspond to SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE ...
> > > but we don't support client certificates or DTLS at this point so 
> > > I would not expect this to be in play.  (unless your server is 
> > > configured for that ...)
> > >
> > > We should confirm this error code interpretation.  If you have a 
> > > debugger, set a break point for each instance of 
> > > SSL_R_WRONG_CIPHER_RETURNED, or add a print statement.  Which
> > > openssl version are you using?
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > >
> > > -----Original Message-----
> > > From: Samer El Haj Mahmoud [mailto:smahm...@lenovo.com]
> > > Sent: Thursday, September 22, 2016 10:12 AM
> > > To: Santhapur Naveen <nave...@amiindia.co.in>; Palmer, Thomas 
> > > <thomas.pal...@hpe.com>; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > > Are you using the latest code from the edk2-staging branch?
> > >
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On 
> > > Behalf Of Santhapur Naveen
> > > Sent: Thursday, September 22, 2016 7:07 AM
> > > To: Palmer, Thomas <thomas.pal...@hpe.com>; 
> > > edk2-devel@lists.01.org
> > > Subject: Re: [edk2] Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > >   Regarding your previous question about the server certificates, 
> > > please find my response below:
> > >
> > > Do you have the appropriate certificate installed in UEFI for the 
> > > target TLS server?
> > >   Yes, I do have the appropriate certificate installed on my server.
> > > I have followed section 2.2, titled "Self-Generated Certificate",
> > > in the white paper to generate the certificates.
> > >
> > >   I have debugged a bit further and went inside 
> > > TlsConnectSession() to see where exactly it is failing, and I found 
> > > that it fails in
> > > TlsDoHandshake() and gives PROTOCOL ERROR. To be precise, it gives 
> > > the error as "TlsDoHandshake ERROR 0x14171105=L14:F171:R105".
> > >
> > >   If I'm missing anything anywhere, would you please provide your 
> > > comments?
> > >
> > > Thank you,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> > > Sent: Thursday, September 22, 2016 12:56 AM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > >
> > > From what you describe, it sounds like they should not have an 
> > > issue negotiating TLS version and cipher.
> > >
> > >
> > > Do you have the appropriate certificate installed in UEFI for the target 
> > > TLS server?   Either we need the 3rd party CA that signed the web server 
> > > certificate, or you could install the self-signed certificate of the web server.
> > >
> > > Also, are you able to see any DEBUG statements from TlsLib.c?
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: Santhapur Naveen [mailto:nave...@amiindia.co.in]
> > > Sent: Wednesday, September 21, 2016 8:09 AM
> > > To: Palmer, Thomas <thomas.pal...@hpe.com>; 
> > > edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Hi Thomas,
> > >
> > >   Regarding my previous mail, after the TCP handshake, the client says 
> > > Hello to the server and the server replies with its Hello to the client with TLSv1.
> > >
> > > The client says hello with the following Cipher Suites:
> > >
> > > 1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> > > 2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> > > 3. TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> > > 4. TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> > > 5. TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
> > >
> > >   For the Client Hello, Server responds with its Hello and chooses 
> > > TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) using TLSv1. The client 
> > > sends an acknowledgement to the server and then immediately sends RST.
> > >
> > >   After some debugging, it was found that it fails in TlsConnectSession().
> > > Would you please provide your comments on this?
> > >
> > >
> > > Thanks,
> > > Naveen
> > >
> > > -----Original Message-----
> > > From: Palmer, Thomas [mailto:thomas.pal...@hpe.com]
> > > Sent: Tuesday, September 20, 2016 9:30 PM
> > > To: Santhapur Naveen; edk2-devel@lists.01.org
> > > Subject: RE: Issues with HTTPS Boot
> > >
> > > Naveen,
> > >
> > >   I cannot see attachments on this email.
> > >
> > >   What TLS versions and ciphers does your web server support?
> > > Depending on when you built the UEFI image, your server may need 
> > > to have TLS v1.0 enabled and support one of the non-SHA256 ciphers 
> > > listed at the top of TlsLib.c.
> > >
> > >
> > > Regards,
> > >
> > > Thomas Palmer
> > >
> > > "I have only made this letter longer because I have not had the 
> > > time to make it shorter" - Blaise Pascal
> > >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On 
> > > Behalf Of Santhapur Naveen
> > > Sent: Tuesday, September 20, 2016 6:42 AM
> > > To: edk2-devel@lists.01.org
> > > Subject: [edk2] Issues with HTTPS Boot
> > >
> > > Hello All,
> > >
> > >           Since the HTTPS Boot came into the picture, I was very 
> > > enthusiastic to try it. I configured the server as explained in 
> > > the white paper 
> > > https://github.com/tianocore/tianocore.github.io/wiki/EDK%20II%20White%20papers
> > >
> > >           But when I try to go for an HTTPS boot, it stops after 
> > > the TCP handshake.
> > > Attached is the Wireshark log. Please help me out and also let me 
> > > know if any other details are needed.
> > >
> > > Thank you,
> > > Naveen
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
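As an added example (not code from the thread, EDK2 or OpenSSL), this C snippet unpacks a packed OpenSSL 1.0.2 error code into the library/function/reason fields that TlsLib printed as L14:F171:R105, and checks whether the suite the server selected was in the client's offered list, which is one of the conditions behind SSL_R_WRONG_CIPHER_RETURNED. The constants ERR_LIB_SSL=20 and SSL_R_WRONG_CIPHER_RETURNED=261 are OpenSSL 1.0.2's values; no name is resolved for function code F171, since the thread itself could not resolve it, and the sample data is constructed from the values quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Field layout of a packed OpenSSL 1.0.2 error code (ERR_PACK in err.h):
 * bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason. */
#define ERR_LIB_SSL                 20   /* 0x14 */
#define SSL_R_WRONG_CIPHER_RETURNED 261  /* 0x105 */
/* Constructed sample data: the error code and ClientHello suites from the thread. */
static const uint32_t kThreadErrCode = 0x14171105u;
static const uint16_t kOfferedSuites[] = { 0x0039, 0x0033, 0x0035, 0x002f, 0x00ff };
enum { kOfferedCount = 5 };
struct ssl_err { int lib; int func; int reason; };

/* Split a packed code into its three fields, as ERR_GET_LIB/FUNC/REASON do. */
struct ssl_err unpack_ssl_err(uint32_t code) {
    struct ssl_err e;
    e.lib    = (int)((code >> 24) & 0xffu);
    e.func   = (int)((code >> 12) & 0xfffu);
    e.reason = (int)(code & 0xfffu);
    return e;
}

/* Render the fields in hex, matching the "L14:F171:R105" form TlsLib printed. */
const char *format_ssl_err(uint32_t code) {
    static char buf[32];
    struct ssl_err e = unpack_ssl_err(code);
    snprintf(buf, sizeof buf, "L%X:F%X:R%X", (unsigned)e.lib, (unsigned)e.func,
             (unsigned)e.reason);
    return buf;
}

/* 1 if the code is the SSL library's WRONG_CIPHER_RETURNED reason, else 0. */
int is_wrong_cipher_returned(uint32_t code) {
    struct ssl_err e = unpack_ssl_err(code);
    return e.lib == ERR_LIB_SSL && e.reason == SSL_R_WRONG_CIPHER_RETURNED;
}

/* 1 if the ServerHello's suite was among those offered in the ClientHello; a suite
 * the client never offered is one condition that raises SSL_R_WRONG_CIPHER_RETURNED. */
int chosen_suite_offered(const uint16_t *offered, size_t n, uint16_t chosen) {
    for (size_t i = 0; i < n; i++)
        if (offered[i] == chosen) return 1;
    return 0;
}
int main(void) {
    printf("%s wrong_cipher=%d chosen_0x002f_offered=%d\n",
           format_ssl_err(kThreadErrCode), is_wrong_cipher_returned(kThreadErrCode),
           chosen_suite_offered(kOfferedSuites, kOfferedCount, 0x002f));
    return 0;
}
```

Because 0x002f is present in the offered list, the membership check alone does not explain the failure; the remaining WRONG_CIPHER_RETURNED condition in s3_clnt.c concerns the negotiated protocol version, which is why the thread asks about TLS version support on both sides.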