[ipxe-devel] https with letsencrypt certificate
Tamas Baumgartner-Kis
2018-10-03 12:59:07 UTC
Hi,

I am trying to set up HTTPS for iPXE, but I fail with the DEBUG=tls error:

TLS 0x865b0228 received fatal alert 40

and PXE error:

Operation not permitted (http://ipxe.org/410de18f)

I enabled the HTTPS protocol.

My webserver uses a Let's Encrypt certificate and, if I understand the instructions correctly:

In the default configuration, iPXE will [...] automatically trust the same set
of certificates as the Firefox web browser.

this should work, because Firefox trusts the "DST ROOT CA X3" (Let's Encrypt).

Regards
Tamas
Tamas Baumgartner-Kis
2018-10-04 18:29:20 UTC
Hi,

OK, this is because I used Hiawatha as the webserver, and Hiawatha is very
conservative with the SSL ciphers.

I tried lighttpd with the intermediate profile from:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=lighttpd-1.4.50&openssl=1.0.1e&hsts=no&profile=intermediate

```
lighttpd 1.4.50 | intermediate profile | OpenSSL 1.0.1e |
Oldest compatible clients : Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
Windows XP IE8, Android 2.3, Java 7

...

ssl.cipher-list =
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

```

With this SSL cipher setup it's working fine out of the box with a Let's Encrypt
certificate.

Regards
Tamas
_______________________________________________
ipxe-devel mailing list
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
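The thread's diagnosis is a cipher-suite mismatch: alert 40 is handshake_failure (RFC 5246 section 7.2), which a TLS 1.2 server sends when none of the suites in the ClientHello appear in its own list. The script below is an added example, not iPXE's or lighttpd's code. It parses an OpenSSL-style cipher string (the intermediate profile from the thread is embedded as-is), computes the suites a server and a client have in common, decodes the alert number from the DEBUG=tls output, and can probe a live host one suite at a time with Python's ssl module. The client offer list and the "conservative" server list are constructed stand-ins for illustration; neither is the real suite list of iPXE or Hiawatha.

```python
import socket
import ssl
from typing import List, Optional, Tuple

# Server-side cipher list copied from the lighttpd intermediate profile quoted in the thread.
INTERMEDIATE_PROFILE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Constructed stand-in for a client that only speaks RSA/DHE AES-CBC suites.
# This is NOT iPXE's real suite list; it is made up for the example.
CBC_ONLY_CLIENT = [
    "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
]

# Constructed stand-in for a "very conservative" server offering only ECDHE AEAD suites
# (made up for the example, not Hiawatha's real default).
AEAD_ONLY_SERVER = (
    "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
)

# TLS alert descriptions, RFC 5246 section 7.2 (subset).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}


def parse_cipher_list(spec: str) -> Tuple[List[str], List[str]]:
    """Split an OpenSSL-style colon-separated cipher string into
    (offered suites in preference order, excluded patterns such as 'DSS')."""
    offered, excluded = [], []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        if item.startswith("!"):
            excluded.append(item[1:])
        else:
            offered.append(item)
    return offered, excluded


def common_suites(server_spec: str, client_offer: List[str]) -> List[str]:
    """Suites both sides support, ordered by server preference.
    An empty result is the condition under which a TLS 1.2 server
    answers the ClientHello with alert 40 (handshake_failure)."""
    server_offered, _ = parse_cipher_list(server_spec)
    client = set(client_offer)
    return [s for s in server_offered if s in client]


def explain_alert(code: int) -> str:
    """Translate the number from 'received fatal alert N' into its RFC name."""
    return TLS_ALERTS.get(code, f"unknown alert {code}")


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 5.0) -> Optional[str]:
    """Attempt one TLS 1.2 handshake restricted to a single suite.
    Returns the negotiated suite name, or None if the server refused it
    or the local OpenSSL build does not provide it (e.g. 3DES is often compiled out)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 suites out of the test
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    print("alert 40 =", explain_alert(40))
    print("conservative server vs CBC-only client:",
          common_suites(AEAD_ONLY_SERVER, CBC_ONLY_CLIENT) or "no common suite")
    print("intermediate profile vs CBC-only client:",
          common_suites(INTERMEDIATE_PROFILE, CBC_ONLY_CLIENT))
    # Live probe of each suite in the profile; HOST is a placeholder for your own boot server.
    HOST, PORT = "boot.example.invalid", 443
    for suite in parse_cipher_list(INTERMEDIATE_PROFILE)[0]:
        print(f"{suite:40s} {probe_cipher(HOST, PORT, suite) or 'refused/unavailable'}")
```

Run the probe loop against the boot server after changing a cipher configuration; any suite the boot client needs should show as negotiated rather than refused. The offline functions are enough to reason about a mismatch from the two configured lists alone.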