Support for EC certificates #1179

Open
haarp opened this issue Mar 25, 2024 · 3 comments
Comments

@haarp

haarp commented Mar 25, 2024

Hello,

there's an issue when using HTTPS (DOWNLOAD_PROTO_HTTPS), certain kinds of certificates and iPXE as of today's 390bce9.

On servers using EC(256) certificates, the TLS handshake will fail. iPXE will log "Operation not permitted" (https://ipxe.org/410de18f) and "received fatal alert 40". If the server is switched to using RSA certificates, TLS works as expected.

My crypto knowledge is limited, but the crypto page reveals that only the RSA pubkey algorithm is supported, which seems to be the issue.

Unfortunately, EC certs are becoming the norm. Tools like lego use EC256 by default. Some servers like nginx allow running both RSA and EC certs in parallel, but that's not always an option; it requires cooperation of admins and software, and understanding why iPXE fails in this manner in the first place. And either way, EC is on the way to replace RSA eventually.

I'd like to request that iPXE gain support for EC. I know this is far from trivial, but it's probably the best solution for dealing with this.

Thanks a lot, and thanks for making iPXE!

@mcb30
Member

mcb30 commented Mar 25, 2024

iPXE does not advertise support for EC server certificates. We do have support for elliptic curves, but only for key exchange (i.e. the ECDHE variants of the cipher suites), and the only supported curve is x25519.

I'm happy to add support for EC certificates as soon as anyone wants to fund the development work. (To preempt the inevitable future pull requests: please note that the cost of reviewing a contributed PR is more than the cost of doing the development work, because code review is always more time consuming than code creation.)
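A diagnostic check for the distinction drawn above (certificate key type versus ECDHE key exchange), added here as an example and not code from iPXE or from anyone in this thread: given a server certificate's SubjectPublicKeyInfo (what `openssl x509 -in cert.pem -pubkey -noout` prints), it reports whether the key is RSA or EC and which curve, so an operator can tell in advance whether the "received fatal alert 40" failure described above is to be expected. The sample SPKI blobs are hand-constructed DER; the EC point and RSA modulus inside them are dummy values, not real keys.

```python
import base64
import re

# OIDs of the SubjectPublicKeyInfo algorithms and named curves this check reports on.
OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
    "1.2.840.10045.3.1.7": "prime256v1",   # the "EC(256)" case from the issue
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode DER OID content bytes into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _der(pem_or_der):
    """Accept raw DER or a PEM 'PUBLIC KEY' block (which wraps exactly the SPKI DER)."""
    if pem_or_der.lstrip().startswith(b"-----"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----", b"", pem_or_der))
    return pem_or_der

def describe_public_key(pem_or_der):
    """Return ('RSA', modulus_bits), ('EC', curve_name) or (algorithm, None) for an SPKI."""
    _, spki, _ = _tlv(_der(pem_or_der), 0)   # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey }
    _, alg, p = _tlv(spki, 0)                # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    _, key_bits, _ = _tlv(spki, p)           # subjectPublicKey BIT STRING (first byte = unused-bit count)
    _, oid, q = _tlv(alg, 0)
    key_type = OIDS.get(_oid(oid), _oid(oid))
    if key_type == "EC":                     # parameters hold the namedCurve OID
        _, curve, _ = _tlv(alg, q)
        return key_type, OIDS.get(_oid(curve), _oid(curve))
    if key_type == "RSA":                    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }
        _, rsa_seq, _ = _tlv(key_bits[1:], 0)
        _, modulus, _ = _tlv(rsa_seq, 0)
        return key_type, int.from_bytes(modulus, "big").bit_length()
    return key_type, None

def ipxe_can_verify(pem_or_der):
    """Per this thread, iPXE verifies only RSA certificate keys; ECDHE/x25519 key exchange is unaffected."""
    return describe_public_key(pem_or_der)[0] == "RSA"

# Constructed samples (valid DER structure, dummy key material): a P-256 EC key and a toy RSA key.
EC_P256_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "11" * 64)
RSA_TOY_SPKI = bytes.fromhex("301c300d06092a864886f70d0101010500030b003008020300c0de020103")
EC_P256_PEM = b"-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(EC_P256_SPKI) + b"\n-----END PUBLIC KEY-----\n"
```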

@martafolf

The lack of support for EC certs caused me some headaches today as I was trying to fetch a resource from a domain which was automatically enrolled with one.

You mention that you're looking for funding for the development work and would prefer to do it yourself instead of others; would you be able to estimate what that would look like, and how much funding would be needed for this to be implemented?

@mcb30
Member

mcb30 commented Mar 28, 2024

> You mention that you're looking for funding for the development work and would prefer to do it yourself instead of others; would you be able to estimate what that would look like, and how much funding would be needed for this to be implemented?

I've replied directly by email.
