From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from g2t2354.austin.hpe.com (g2t2354.austin.hpe.com [15.233.44.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id BB7E61A1E5B for ; Fri, 26 Aug 2016 12:08:54 -0700 (PDT) Received: from arm-build-server.us.rdlabs.hpecorp.net (arm-build-server.us.rdlabs.hpecorp.net [16.84.24.54]) by g2t2354.austin.hpe.com (Postfix) with ESMTP id 02F984B; Fri, 26 Aug 2016 19:08:53 +0000 (UTC) From: Thomas Palmer To: edk2-devel@lists.01.org Cc: joseph.shifflett@hpe.com, jiaxin.wu@intel.com Date: Fri, 26 Aug 2016 14:08:43 -0500 Message-Id: <1472238525-40024-1-git-send-email-thomas.palmer@hpe.com> X-Mailer: git-send-email 2.7.4 Subject: [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Aug 2016 19:08:54 -0000 The TLS protocol allows for clients and servers to negotiate which version of TLS to use. Newer versions are deemed safer, so when they are available the client and server should opt to use them. The EDK2 TLS code today only allows TLSv1.0 for TLS communication, regardless of the target server's capabilities. In order to use the newer protocols, we'll update the EDK2 TlsLib.c code to allow for TLS version negotiation when a new TLS object is created. The TLS version specified in TlsCtxNew will be the minimum version accepted. Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to simulate SSL_CTX_set_min_proto_version. We'll leave the current "EfiTlsVersion" functionality intact, which will restrict which version of TLS to use and prevent negotiation. However, to demonstrate the TLS regotiation in this feature branch, we'll remove the code that calls EfiTlsVersion in the HttpDxe module. [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: