iPXE doesn't correctly handle TLS handshakes over 4KiB
If you use a cert with several domains that goes over 4K in size (it seems), then you will get errors from iPXE.
We could probably fix the iPXE client fairly easily if we get some time in the future to sit down and debug. The TLS receive buffer code looks like it could be reworked to support our use cases, this would avoid us having to worry about it in the future, and also allow us to reference gitlab.fd.o, which will be nice.
See,
- https://ipxe.org/err/1c0de8 the error that gets returned if you use a cert that is too big
- https://lists.ipxe.org/pipermail/ipxe-devel/2019-January/006457.html
- https://github.com/ipxe/ipxe/commit/72db14640c2a9eac0ba53baa955b180f1f4b9c2f
- https://github.com/ipxe/ipxe/commit/9a8c6b00d4433eb5c24f50c0c4a93c127d77def0
- https://lists.ipxe.org/pipermail/ipxe-devel/2019-March/006613.html
- https://www.google.com/search?q=RFC3546+maximum+fragment+length+extension&oq=RFC3546+maximum+fragment+length+extension&aqs=chrome..69i57&sourceid=chrome&ie=UTF-8
/cc @mupuf
Edited by Charlie Turner
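To make the failure mode in this issue concrete, here is an added example (written for this page, not iPXE's own code). It builds a TLS 1.2 Certificate handshake message from a chain, splits it into records the way a server would, reassembles the message on the receiving side, and flags any handshake message larger than a fixed receive buffer. It also encodes the max_fragment_length extension from RFC 6066 (the successor to the RFC 3546 text linked above) to show that negotiating smaller record fragments does not shrink the reassembled Certificate message, so it does not by itself work around a handshake-message buffer limit. Assumptions: the 4KiB figure from the issue is treated as a limit on the total size of one handshake message (header included), and the certificates are placeholder byte strings of realistic length, not real DER.

```python
"""Added example: TLS handshake reassembly versus a fixed receive buffer."""
import struct

CONTENT_HANDSHAKE = 0x16
TLS12 = b"\x03\x03"
HS_CERTIFICATE = 11
IPXE_LIMIT = 4096  # assumption: the issue's "4KiB", as bytes per handshake message


def fake_der(n):
    """Constructed placeholder for a DER certificate of n bytes (not a real cert)."""
    return b"\x30" + bytes(n - 1)


def handshake_message(msg_type, body):
    """Handshake header (RFC 5246 7.4): 1-byte type, 3-byte body length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def certificate_message(der_certs):
    """Certificate message (RFC 5246 7.4.2): 3-byte certificate_list length,
    then each certificate as a 3-byte length plus its DER bytes."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    return handshake_message(HS_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


def max_fragment_length_ext(code):
    """RFC 6066 section 4: extension type 1, one byte with code 1..4
    meaning 2^9, 2^10, 2^11 or 2^12 bytes of record payload."""
    if code not in (1, 2, 3, 4):
        raise ValueError("max_fragment_length code must be 1..4")
    return struct.pack("!HHB", 1, 1, code)


def negotiated_fragment_size(code):
    return 1 << (8 + code)


def to_records(handshake_bytes, fragment_size):
    """Wrap a handshake byte stream into records of at most fragment_size
    payload bytes; a long message simply spans several records."""
    out = bytearray()
    for off in range(0, len(handshake_bytes), fragment_size):
        frag = handshake_bytes[off:off + fragment_size]
        out += bytes([CONTENT_HANDSHAKE]) + TLS12 + struct.pack("!H", len(frag)) + frag
    return bytes(out)


def record_sizes(records):
    """Payload length of every record in the stream."""
    sizes, off = [], 0
    while off < len(records):
        ctype, _ver, length = struct.unpack("!B2sH", records[off:off + 5])
        if ctype != CONTENT_HANDSHAKE:
            raise ValueError("unexpected content type %d" % ctype)
        sizes.append(length)
        off += 5 + length
    return sizes


def reassemble(records):
    """Concatenate record payloads, then cut them back into handshake
    messages; returns a list of (msg_type, total_size_including_header)."""
    payload, off = bytearray(), 0
    while off < len(records):
        _ctype, _ver, length = struct.unpack("!B2sH", records[off:off + 5])
        off += 5
        payload += records[off:off + length]
        off += length
    msgs, off = [], 0
    while off + 4 <= len(payload):
        body_len = int.from_bytes(payload[off + 1:off + 4], "big")
        msgs.append((payload[off], 4 + body_len))
        off += 4 + body_len
    if off != len(payload):
        raise ValueError("truncated handshake message")
    return msgs


def oversized(records, limit=IPXE_LIMIT):
    """Handshake messages that would not fit the receiver's buffer."""
    return [(t, n) for t, n in reassemble(records) if n > limit]


# Constructed chains: a short one that fits, and a multi-SAN-style
# three-certificate chain that does not.
SMALL_CHAIN = [fake_der(1500), fake_der(1100)]
BIG_CHAIN = [fake_der(1800), fake_der(1700), fake_der(1500)]

if __name__ == "__main__":
    for name, chain in (("small", SMALL_CHAIN), ("big", BIG_CHAIN)):
        for code in (1, 4):
            recs = to_records(certificate_message(chain), negotiated_fragment_size(code))
            print(name, "max_fragment_length code", code,
                  "largest record", max(record_sizes(recs)),
                  "oversized messages", oversized(recs))
```

Running it shows the same Certificate message flagged whether records are 512 or 4096 bytes: max_fragment_length bounds record size, while the buffer that matters here holds the reassembled handshake message, so the fix has to be in how the client buffers handshake data, as the issue suggests.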