public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: Thomas Palmer <thomas.palmer@hpe.com>
To: edk2-devel@lists.01.org
Cc: joseph.shifflett@hpe.com, jiaxin.wu@intel.com,
	Thomas Palmer <thomas.palmer@hpe.com>
Subject: [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate
Date: Fri, 26 Aug 2016 14:08:44 -0500	[thread overview]
Message-ID: <1472238525-40024-2-git-send-email-thomas.palmer@hpe.com> (raw)
In-Reply-To: <1472238525-40024-1-git-send-email-thomas.palmer@hpe.com>

The TLS protocol allows for clients and servers to negotiate which
version of TLS to use.  Newer versions are deemed safer, so when
they are available the client and server should opt to use them.

The EDK2 TLS code today only allows TLSv1.0 for TLS communication,
regardless of the target server's capabilities. In order to use the
newer protocols, we'll update the EDK2 TlsLib.c code to allow for
TLS version negotiation when a new TLS object is created. The TLS
version specified in TlsCtxNew will be the minimum version accepted.

Because EDK2 is not yet using OpenSSL 1.1, we use SSL_set_options to
simulate SSL_CTX_set_min_proto_version.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
---
 CryptoPkg/Library/TlsLib/TlsLib.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c b/CryptoPkg/Library/TlsLib/TlsLib.c
index aa08595..0ff699b 100644
--- a/CryptoPkg/Library/TlsLib/TlsLib.c
+++ b/CryptoPkg/Library/TlsLib/TlsLib.c
@@ -195,26 +195,39 @@ TlsCtxNew (
 
   ProtoVersion = (MajorVer << 8) | MinorVer;
 
-  TlsCtx = NULL;
+  TlsCtx = SSL_CTX_new (SSLv23_client_method ());
+  if (TlsCtx == NULL) {
+    ASSERT (TlsCtx != NULL);
+    return NULL;
+  }
+
+  //
+  // Ensure SSLv3 is disabled
+  //
+  SSL_CTX_set_options (TlsCtx, SSL_OP_NO_SSLv3);
 
+  //
+  // Treat as minimum accepted versions.  Client can use higher
+  // TLS version if server supports it
+  //
   switch (ProtoVersion) {
   case TLS1_VERSION:
     //
     // TLS 1.0
     //
-    TlsCtx = SSL_CTX_new (TLSv1_method ());
     break;
   case TLS1_1_VERSION:
     //
     // TLS 1.1
     //
-    TlsCtx = SSL_CTX_new (TLSv1_1_method ());
+    SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
     break;
   case TLS1_2_VERSION:
     //
     // TLS 1.2
     //
-    TlsCtx = SSL_CTX_new (TLSv1_2_method ());
+    SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1);
+    SSL_CTX_set_options (TlsCtx, SSL_OP_NO_TLSv1_1);
     break;
   default:
     //
-- 
2.7.4



  reply	other threads:[~2016-08-26 19:09 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-26 19:08 [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: Version renegotiate Thomas Palmer
2016-08-26 19:08 ` Thomas Palmer [this message]
2016-09-07  8:21   ` [PATCH 1/2] [edk2-staging/HTTPS-TLS][PATCH]: CryptoPkg/TlsLib: TLS Ver negotiate Wu, Jiaxin
2016-08-26 19:08 ` [PATCH 2/2] [edk2-staging/HTTPS-TLS][PATCH]: NetworkPkg/HttpDxe: Unrestrict TLSv Thomas Palmer
2016-09-07  8:23   ` Wu, Jiaxin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1472238525-40024-2-git-send-email-thomas.palmer@hpe.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox