public inbox for devel@edk2.groups.io
* [edk2-devel] TlsDxe skips most cipher suites, failing to negotiate an HTTPS connection
@ 2023-12-18 11:32 CrossedCarpet
  2023-12-18 12:51 ` CrossedCarpet
From: CrossedCarpet @ 2023-12-18 11:32 UTC (permalink / raw)
  To: devel

Greetings!
I have been investigating a TLS_HANDSHAKE_ERROR in QEMU running OVMF, caused by an HTTPS call which, upon closer inspection with Wireshark, has been tracked down to the negotiated cipher suite being too restrictive.
Enabling additional debug messages shows them being skipped in TlsConfig.c, with only 13 being accepted:

TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AD
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AB
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAE
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAD
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAB
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AA
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A8
TlsDxe:TlsSetCipherList: skipping CipherId=0xC038
TlsDxe:TlsSetCipherList: skipping CipherId=0xC036
TlsDxe:TlsSetCipherList: skipping CipherId=0xC021
TlsDxe:TlsSetCipherList: skipping CipherId=0xC020
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B7
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B3
TlsDxe:TlsSetCipherList: skipping CipherId=0x0095
TlsDxe:TlsSetCipherList: skipping CipherId=0x0091
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AF
TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
TlsDxe:TlsSetCipherList: skipping CipherId=0xC037
TlsDxe:TlsSetCipherList: skipping CipherId=0xC035
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01E
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01D
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B6
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B2
TlsDxe:TlsSetCipherList: skipping CipherId=0x0094
TlsDxe:TlsSetCipherList: skipping CipherId=0x0090
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AE
TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
TlsDxe:TlsSetCipherList: CipherString={
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Following OvmfPkg's README, I have tried, to no avail, feeding my host's cipher suites to QEMU with the command:
export LC_ALL=C
openssl ciphers -V \
| sed -r -n \
-e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
| xargs -r -- printf -- '%b' > ciphers.bin

In TlsSetCipherList I can see them being filtered based on the OpensslCipherStack variable.
I have tried diving down into the source code to learn where this variable is being initialized but it's not yet obvious to me.
Is this related to our OpenSSL port?
Any idea on how I can proceed with a fix?

Example website that accepts the connection:
- https://httpbin.org/get
Example website that fails to connect:
- https://www.toptal.com/developers/postbin/

Grateful for your attention,
C.C.
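As an added example (not part of the original post or of edk2): a Python equivalent of the README's sed/xargs/printf pipeline, plus a check of the TlsDxe debug log against the host's suite list to see which offered suites survived TlsSetCipherList's filter. The `openssl ciphers -V` excerpt and the log lines below are constructed samples, and the `ciphers.bin` byte layout (one big-endian 16-bit ID per suite) follows what the README pipeline writes.

```python
import re
import struct

# Constructed sample of `openssl ciphers -V` output (real suite IDs/names, columns abbreviated).
OPENSSL_CIPHERS_V = """\
          0x13,0x02 - TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256  TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256) Mac=AEAD
"""

# Constructed excerpt in the format of the TlsDxe debug output quoted in the thread.
TLSDXE_LOG = """\
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: CipherString={
"""

_CIPHERS_V_RE = re.compile(r"^\s*0x([0-9A-F]{2}),0x([0-9A-F]{2}) - (\S+)", re.M)
_SKIP_RE = re.compile(r"skipping CipherId=0x([0-9A-Fa-f]{4})")


def parse_openssl_ciphers_v(text):
    """Return [(cipher_id, openssl_name), ...] parsed from `openssl ciphers -V` output."""
    return [(int(hi + lo, 16), name) for hi, lo, name in _CIPHERS_V_RE.findall(text)]


def build_ciphers_bin(suites):
    """Serialize suite IDs as big-endian 16-bit values: the same bytes the README's
    sed/xargs/printf pipeline writes into ciphers.bin (0x13,0x02 -> b'\\x13\\x02')."""
    return b"".join(struct.pack(">H", cid) for cid, _ in suites)


def decode_ciphers_bin(data):
    """Inverse of build_ciphers_bin, useful to verify a ciphers.bin before handing it to
    QEMU; an odd-length file cannot be a list of 2-byte IDs and is rejected."""
    if len(data) % 2:
        raise ValueError("ciphers.bin must be a sequence of 2-byte cipher IDs")
    return [cid for (cid,) in struct.iter_unpack(">H", data)]


def skipped_cipher_ids(log):
    """Collect every CipherId that TlsSetCipherList reported skipping."""
    return {int(h, 16) for h in _SKIP_RE.findall(log)}


def accepted_suites(suites, log):
    """Names of the host-offered suites that survived TlsDxe's filter, in host order."""
    skipped = skipped_cipher_ids(log)
    return [name for cid, name in suites if cid not in skipped]


if __name__ == "__main__":
    host = parse_openssl_ciphers_v(OPENSSL_CIPHERS_V)
    print("ciphers.bin:", build_ciphers_bin(host).hex())
    for name in accepted_suites(host, TLSDXE_LOG):
        print("accepted:", name)
```

Run against a real `openssl ciphers -V` capture and the firmware's serial log, the accepted list should match the CipherString TlsDxe prints; a large skipped set with a short CipherString points at the OpensslLib build variant rather than at the host list.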

* Re: [edk2-devel] TlsDxe skips most cipher suites, failing to negotiate an HTTPS connection
  2023-12-18 11:32 [edk2-devel] TlsDxe skips most cipher suites, failing to negotiate an HTTPS connection CrossedCarpet
@ 2023-12-18 12:51 ` CrossedCarpet
From: CrossedCarpet @ 2023-12-18 12:51 UTC (permalink / raw)
  To: CrossedCarpet, devel

Solved it! Found an OpensslLibFull.inf that accepts more ciphers. Thank you!