From: Laszlo Ersek <lersek@redhat.com>
To: "Wu, Jiaxin", "Fu, Siyuan", edk2-devel@lists.01.org
Cc: "Kinney, Michael D", "Zimmer, Vincent", "Yao, Jiewen", "Ye, Ting"
Date: Mon, 12 Feb 2018 19:53:33 +0100
Subject: Re: [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList.
Message-ID: <30486f54-d26c-9607-5119-dcd0801884b0@redhat.com>
In-Reply-To: <895558F6EA4E3B41AC93A00D163B727416381A30@SHSMSX103.ccr.corp.intel.com>
References: <1518148778-14300-1-git-send-email-jiaxin.wu@intel.com> <835e4fbd-67bc-ad07-45ce-80b1156702a7@redhat.com> <895558F6EA4E3B41AC93A00D163B727416381A30@SHSMSX103.ccr.corp.intel.com>
On 02/11/18 03:33, Wu, Jiaxin wrote:
> Hi Laszlo,
>
> Besides the compatibility consideration, we'd better *not* put
> CipherList and CaCertificate into one variable.

I didn't suggest putting them in the same variable -- I meant to put
them in separate variables, just the two variables should belong to the
same namespace GUID.

> In the future, we prefer to manage the CaCertificate with other cert
> configuration items together (e.g. HostPublicCert, HostPrivateCert,
> etc.) rather than the parameters like CipherList. You know we can't
> save the host cert pairs as variable due to the security
> consideration.
>
> So, case by case, let's keep current solution to define the variable
> named as "HttpTlsCipherList".

Sure, that works for me.

Thanks,
Laszlo

>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Friday, February 9, 2018 6:12 PM
>> To: Fu, Siyuan; Wu, Jiaxin; edk2-devel@lists.01.org
>> Cc: Kinney, Michael D; Zimmer, Vincent; Yao, Jiewen; Ye, Ting
>> Subject: Re: [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList.
>>
>> On 02/09/18 06:22, Fu, Siyuan wrote:
>>> Hi, Jiaxin
>>>
>>> I think we can remove the "TlsCipherList.h" to another name like
>>> "HttpTlsCipherListVariable.h" to highlight that the variable is only
>>> used for HTTP configuration. And also the variable name and GUID
>>> name.
>>
>> If we are renaming gEfiTlsCaCertificateGuid, can we pick a generic term
>> as new name, something like "gHttpTlsVariableGuid"? And then put both
>> variables, the CA List and the Cipher List, in that (same) namespace GUID?
>>
>> It's not that we'll run out of GUIDs any time soon :) , but I think
>> these variables belong closely together.
>>
>> Thanks,
>> Laszlo
>>
>>>> -----Original Message-----
>>>> From: Wu, Jiaxin
>>>> Sent: Friday, February 9, 2018 12:00 PM
>>>> To: edk2-devel@lists.01.org
>>>> Cc: Laszlo Ersek; Kinney, Michael D; Zimmer, Vincent; Yao, Jiewen; Ye, Ting; Fu, Siyuan; Wu, Jiaxin
>>>> Subject: [Patch 0/2] NetworkPkg: Support the platform to configure TLS CipherList.
>>>>
>>>> Cc: Laszlo Ersek
>>>> Cc: Kinney Michael D
>>>> Cc: Zimmer Vincent
>>>> Cc: Yao Jiewen
>>>> Cc: Ye Ting
>>>> Cc: Fu Siyuan
>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>> Signed-off-by: Wu Jiaxin
>>>>
>>>> Jiaxin Wu (2):
>>>>   NetworkPkg: Define one private variable for TLS CipherList configuration.
>>>>   NetworkPkg: Read TlsCipherList variable and configure it for HTTPS session.
>>>>
>>>>  NetworkPkg/HttpDxe/HttpDriver.h         |  3 +-
>>>>  NetworkPkg/HttpDxe/HttpDxe.inf          |  3 +-
>>>>  NetworkPkg/HttpDxe/HttpsSupport.c       | 92 ++++++++++++++++++++++++++++++++-
>>>>  NetworkPkg/Include/Guid/TlsCipherList.h | 38 ++++++++++++++
>>>>  NetworkPkg/NetworkPkg.dec               |  3 ++
>>>>  5 files changed, 136 insertions(+), 3 deletions(-)
>>>>  create mode 100644 NetworkPkg/Include/Guid/TlsCipherList.h
>>>>
>>>> --
>>>> 1.9.5.msysgit.1
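As an added example that is not part of this thread or of the edk2 patches it discusses, the following standalone C model shows the consumer side of the "HttpTlsCipherList" variable the thread settles on: it assumes the UEFI EFI_TLS_CIPHER layout (two bytes per suite) for the variable data and validates the platform-supplied bytes before they would be handed to the TLS session, since a malformed or duplicated list should be rejected rather than configured. The bound MAX_CIPHER_SUITES and the sample byte strings are constructed for the example.

```c
/* Added example, not edk2 code: a standalone model of the consumer side of the
 * "HttpTlsCipherList" variable. Assumed layout: UEFI EFI_TLS_CIPHER entries,
 * two bytes per suite (Data1, Data2) = IANA cipher-suite id, network order.
 * The bytes come from a platform-writable variable, so they are validated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CIPHER_SUITES 64 /* bound chosen for this example */

/* Parses raw variable bytes into out[]. Returns the suite count, or -1 if the
 * blob is empty, not a whole number of entries, too long, or has duplicates. */
int parse_http_tls_cipher_list(const uint8_t *data, size_t size,
                               uint16_t *out, size_t out_cap)
{
    if (data == NULL || size == 0 || (size % 2) != 0)
        return -1;
    size_t count = size / 2;
    if (count > out_cap)
        return -1;
    for (size_t i = 0; i < count; i++) {
        uint16_t id = (uint16_t)((data[2 * i] << 8) | data[2 * i + 1]);
        for (size_t j = 0; j < i; j++)
            if (out[j] == id) /* duplicate entry: treat as malformed */
                return -1;
        out[i] = id;
    }
    return (int)count;
}

/* Constructed sample variable contents. 0xC02F / 0xC030 are the IANA ids of
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 / TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. */
static const uint8_t kGoodList[] = { 0xC0, 0x2F, 0xC0, 0x30 };
static const uint8_t kOddList[]  = { 0xC0, 0x2F, 0xC0 };       /* truncated */
static const uint8_t kDupList[]  = { 0xC0, 0x2F, 0xC0, 0x2F }; /* repeated */

int main(void)
{
    uint16_t suites[MAX_CIPHER_SUITES];
    int n = parse_http_tls_cipher_list(kGoodList, sizeof kGoodList,
                                       suites, MAX_CIPHER_SUITES);
    for (int i = 0; i < n; i++)
        printf("suite 0x%04X\n", (unsigned)suites[i]);
    /* Malformed blobs are rejected rather than handed to the TLS driver. */
    printf("odd-size -> %d, duplicate -> %d\n",
           parse_http_tls_cipher_list(kOddList, sizeof kOddList, suites, MAX_CIPHER_SUITES),
           parse_http_tls_cipher_list(kDupList, sizeof kDupList, suites, MAX_CIPHER_SUITES));
    return 0;
}
```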