Differences

This shows you the differences between two versions of the page.

--- crypto [2013/11/12 16:09]
mcb30
+++ crypto [2024/02/20 11:23] (current)
mcb30
@@ Line 9: / Line 9: @@
 ^ Protocol versions        | TLSv1.0 TLSv1.1 TLSv1.2    |
 ^ Public-key algorithms    | RSA                        |
-^ Block cipher algorithms  | AES-128-CBC AES-256-CBC    |
+^ Key exchange algorithms  | RSA DHE ECDHE              |
-^ Hash algorithms          | MD5 SHA-1 SHA-256          |
+^ Block cipher algorithms  | AES-128-GCM AES-256-GCM AES-128-CBC AES-256-CBC    |
+^ Hash algorithms          | MD5 SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256  |
+^ Named curves             | X25519                     |
-The exact list of supported cipher suites is RSA_WITH_AES_256_CBC_SHA256, RSA_WITH_AES_128_CBC_SHA256, RSA_WITH_AES_256_CBC_SHA, and RSA_WITH_AES_128_CBC_SHA.
+The exact list of supported cipher suites is:
+  * TLS_RSA_WITH_AES_128_CBC_SHA
+  * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+  * TLS_RSA_WITH_AES_256_CBC_SHA
+  * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+  * TLS_RSA_WITH_AES_128_CBC_SHA256
+  * TLS_RSA_WITH_AES_256_CBC_SHA256
+  * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+  * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+  * TLS_RSA_WITH_AES_128_GCM_SHA256
+  * TLS_RSA_WITH_AES_256_GCM_SHA384
+  * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+  * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+  * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+  * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+  * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+  * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+  * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+  * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 ===== Trusted root certificates =====
-In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}.
+In the default configuration, iPXE trusts only a single root certificate: the {{:certs:ca.crt|"iPXE root CA" certificate}}.  This root certificate is used to cross-sign the standard [[https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt|Mozilla list of public CA certificates]].
+In the default configuration, iPXE will therefore automatically trust the same set of certificates as the [[https://www.mozilla.org/firefox/|Firefox]] web browser.
 If you want more control over the chain of trust, then you can generate your own private root certificate ''ca.crt'' using:
@@ Line 36: / Line 59: @@
 {{ :clipart:warning.png?90x75|Warning}}
-The full root certificates are too large to be embedded into the iPXE binary; only the SHA-256 fingerprints of the certificates can be included.  If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting).  If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE as documented below.
+The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default.  If you are using the default {{:certs:ca.crt|"iPXE root CA" certificate}}, then iPXE will automatically download the full root certificate as needed from [[http://ca.ipxe.org/ca.crt]] (or from a mirror specified using the ''[[:cfg:crosscert]]'' setting).
+If you are using a private root certificate, then you must make this certificate available to iPXE either by setting up your own ''[[:cfg:crosscert]]'' server, or by including the root certificate within all certificate chains presented to iPXE (as documented below), or by explicitly [[#embedded_certificates|embedding the full root certificate]] within the iPXE binary.
 {{ :clipart:books.png?160x160|Some books}}
@@ Line 87: / Line 112: @@
     openssl ca -config ca.cnf -in server.req -out server.crt
-This will create a server certificate ''server.crt'' which is signed by your private root certificate.  You can create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using:
+This will create a server certificate ''server.crt'' which is signed by your private root certificate.  You can optionally create a full certificate chain including both ''server.crt'' and your private root certificiate ''ca.crt'' using:
     cat server.crt ca.crt > server-full.crt
@@ Line 123: / Line 148: @@
 This embedded script would refuse to boot unless the downloaded version of ''vmlinuz'' could be successfully verified using the signature file ''vmlinuz.sig''.
+===== Embedded certificates =====
+You can embed one or more full certificates when you [[:download|build]] iPXE using the ''%%CERT=...%%'' build parameter.  For example:
+  make bin/ipxe.iso CERT=cert1.crt,cert2.crt
+Embedded certificates are not automatically trusted; you will need to specify any [[#trusted_root_certificates|trusted root certificates]] explicitly using the ''%%TRUST=...%%'' build parameter.  For example:
+  make bin/ipxe.iso CERT=ca.crt TRUST=ca.crt
+{{ :clipart:warning.png?90x75|Warning}}
+Note that embedded certificates are generally quite large, and you should embed a certificate only if it is not feasible to obtain the certificate from another source (e.g. by configuring a ''[[:cfg:crosscert]]'' server).
 ===== Client certificates =====