Re: [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList.

[Laszlo Ersek <lersek@redhat.com>]

On 02/11/18 03:33, Wu, Jiaxin wrote:
> Hi Laszlo,
> 
> Besides the compatibility consideration, we'd better *not* put
> CipherList and CaCertificate into one variable.

I didn't suggest to put them in the same variable -- I meant to put them
in separate variables, just the two variables should belong to the same
namespace GUID.

> In the future, we prefer to manage the CaCertificate with other cert
> configuration items together (e.g. HostPublicCert, HostPrivateCert,
> etc ) rather than the parameters like CipherList.  You know we can't
> save the host cert pairs as variable due to the security
> consideration.
> 
> So, case by case, let's keep current solution to define the variable
> named as "HttpTlsCipherList".

Sure, that works for me.

Thanks,
Laszlo


>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Friday, February 9, 2018 6:12 PM
>> To: Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
>> edk2-devel@lists.01.org
>> Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Zimmer, Vincent
>> <vincent.zimmer@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Ye,
>> Ting <ting.ye@intel.com>
>> Subject: Re: [Patch 0/2] NetworkPkg: Support the platform to configure TLS
>> CipherList.
>>
>> On 02/09/18 06:22, Fu, Siyuan wrote:
>>> Hi, Jiaxin
>>>
>>> I think we can remove the "TlsCipherList.h" to another name like
>>> "HttpTlsCipherListVariable.h" to  highlight that the variable is only
>>> used for HTTP configuration. And also the variable name and GUID
>>> name.
>> If we are renaming gEfiTlsCaCertificateGuid, can we pick a generic term
>> as new name, something like "gHttpTlsVariableGuid"? And then put both
>> variables, the CA List and the Cipher List, in that (same) namespace GUID?
>>
>> It's not that we'll run out of GUIDs any time soon :) , but I think
>> these variables belong closely together.
>>
>> Thanks,
>> Laszlo
>>
>>>> -----Original Message-----
>>>> From: Wu, Jiaxin
>>>> Sent: Friday, February 9, 2018 12:00 PM
>>>> To: edk2-devel@lists.01.org
>>>> Cc: Laszlo Ersek <lersek@redhat.com>; Kinney, Michael D
>>>> <michael.d.kinney@intel.com>; Zimmer, Vincent
>> <vincent.zimmer@intel.com>;
>>>> Yao, Jiewen <jiewen.yao@intel.com>; Ye, Ting <ting.ye@intel.com>; Fu,
>>>> Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
>>>> Subject: [Patch 0/2] NetworkPkg: Support the platform to configure TLS
>>>> CipherList.
>>>>
>>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>>> Cc: Kinney Michael D <michael.d.kinney@intel.com>
>>>> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
>>>> Cc: Yao Jiewen <jiewen.yao@intel.com>
>>>> Cc: Ye Ting <ting.ye@intel.com>
>>>> Cc: Fu Siyuan <siyuan.fu@intel.com>
>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
>>>>
>>>> Jiaxin Wu (2):
>>>>   NetworkPkg: Define one private variable for TLS CipherList
>>>>     configuration.
>>>>   NetworkPkg: Read TlsCipherList variable and configure it for HTTPS
>>>>     session.
>>>>
>>>>  NetworkPkg/HttpDxe/HttpDriver.h         |  3 +-
>>>>  NetworkPkg/HttpDxe/HttpDxe.inf          |  3 +-
>>>>  NetworkPkg/HttpDxe/HttpsSupport.c       | 92
>>>> ++++++++++++++++++++++++++++++++-
>>>>  NetworkPkg/Include/Guid/TlsCipherList.h | 38 ++++++++++++++
>>>>  NetworkPkg/NetworkPkg.dec               |  3 ++
>>>>  5 files changed, 136 insertions(+), 3 deletions(-)
>>>>  create mode 100644 NetworkPkg/Include/Guid/TlsCipherList.h
>>>>
>>>> --
>>>> 1.9.5.msysgit.1
>>>
>