public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
	"Fu, Siyuan" <siyuan.fu@intel.com>,
	"Ye, Ting" <ting.ye@intel.com>, "Long, Qin" <qin.long@intel.com>,
	"Hsiung, Harry L" <harry.l.hsiung@intel.com>
Cc: edk2-devel-01 <edk2-devel@lists.01.org>
Subject: Re: setting the TLS cipher list for HTTPS booting
Date: Sat, 20 Jan 2018 06:18:33 +0000	[thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B72741635E571@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <5307d880-d016-ad91-04f5-6b83eb40f905@redhat.com>

> 
> Hello Jiaxin, Siyuan,
> 
> it seems that the "preferred set of ciphers" can be controlled at the
> TLS session level.


Jiaxin: Yes, TLS CipherList can be configured by TLS protocol.  


> 
> With regard to HTTPS booting, "NetworkPkg/HttpDxe" makes several calls
> to EFI_TLS_PROTOCOL.SetSessionData() -- in the file
> "NetworkPkg/HttpDxe/HttpsSupport.c", -- but it never passes
> "EfiTlsCipherList" as argument for the "DataType" parameter.
> 


Jiaxin: Correct, currently, HttpDxe as a TLS protocol consumer doesn't set the its own preferred CipherList because it prefers to use the default CipherList, which has been configured by TLS driver by default. The TLS default setting was happened during the creation  of new OpenSSL SSL_CTX object. The flow path is shown as below: 
TlsCtxNew -> SSL_CTX_new -> ssl_create_cipher_list. 
So, the default CipherList is:
 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"


> Is there a way for platform code to control the list of ciphers?


Jiaxin: Currently, not support yet.


> 
> This is different from other "global" TLS aspects, such as
> EFI_TLS_CONFIGURATION_PROTOCOL, because the latter is a singleton
> "service" protocol, while EFI_TLS_PROTOCOL instances are created by
> clients as-needed, via TLS service binding. So, I think if a platform
> wanted to control this on the session level, then it would have to "ask"
> HttpDxe somehow.
> 


Jiaxin: EFI_TLS_CONFIGURATION_PROTOCOL provides the capability to set the client certificate/key pairs, different clients may use the different certificate/key Paris (so does OpenSSL). Based on this, it's not a singleton "service" protocol. So, in TlsDxe driver, we bind it to the same ChildHandle as TLS protocol.
  Status = gBS->InstallMultipleProtocolInterfaces (
                  ChildHandle,
                  &gEfiTlsProtocolGuid,
                  &TlsInstance->Tls,
                  &gEfiTlsConfigurationProtocolGuid,
                  &TlsInstance->TlsConfig,
                  NULL
                  );
But above implementation also doesn't prevent all the clients use the same certificate/key Paris since they can use its own EFI_TLS_CONFIGURATION_PROTOCOL to configure the same "global" certificate/key pair (on the session level). That's depend on the TLS consumer.


> If you agree -- do you suggest a dynamic PCD, or an extension to the
> UEFI spec (at the HTTP level)?
> 


Jiaxin: I agree with the dynamic PCD solution for the CipherList setting, the PCD format can use as following one:
	gEfiNetworkPkgTokenSpaceGuid.PcdHttpsTlsCipherLists |{0x0}|VOID*|0x0000000D
If the platform wants to set the below CipherSuites (RFC 5246 defined):
	CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00,0x35 }; 
	CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256 = { 0x00,0x3D };
The PCD can be configured by the corresponding platform as below, otherwise it will use the OpenSSL default one:
	gEfiNetworkPkgTokenSpaceGuid.PcdHttpsTlsCipherLists |{0x00,0x35, 0x00,0x3D }|VOID*|4
what do you think?

> Thanks!
> Laszlo

  reply	other threads:[~2018-01-20  6:13 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-19 14:33 setting the TLS cipher list for HTTPS booting Laszlo Ersek
2018-01-20  6:18 ` Wu, Jiaxin [this message]
2018-01-22  9:37   ` Laszlo Ersek
2018-01-23  2:43     ` Wu, Jiaxin
2018-01-23 14:01       ` Laszlo Ersek
2018-01-23 15:01         ` Laszlo Ersek
2018-01-24  2:10           ` Wu, Jiaxin
2018-01-24  3:40             ` Wu, Jiaxin
2018-01-24  6:50               ` Wu, Jiaxin
2018-01-24 16:13                 ` Laszlo Ersek
2018-01-25  4:52                   ` Wu, Jiaxin
2018-01-25 12:41                     ` Laszlo Ersek
2018-02-05  3:33                       ` Wu, Jiaxin
2018-02-05 10:46                         ` Laszlo Ersek
2018-02-06  2:34                           ` Wu, Jiaxin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=895558F6EA4E3B41AC93A00D163B72741635E571@SHSMSX103.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox