From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by mx.groups.io with SMTP id smtpd.web12.37297.1597028412432826134 for ; Sun, 09 Aug 2020 20:00:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=UJcox8i/; spf=pass (domain: intel.com, ip: 192.55.52.120, mailfrom: zhiguang.liu@intel.com) IronPort-SDR: g0Gzwa9lsOYQ+TC4LBz6LTjvHGTvN8f83oBwRVIrxreXB1mV2sccTd0QEzUWPui5RBmao2AhPv xzPl7wZ3g0QA== X-IronPort-AV: E=McAfee;i="6000,8403,9708"; a="150906128" X-IronPort-AV: E=Sophos;i="5.75,456,1589266800"; d="scan'208,217";a="150906128" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Aug 2020 20:00:11 -0700 IronPort-SDR: nIgX+ldR/MSoSOLy/xzQMTHKqP1Mdrz65ZYxPNTw/7llyGLWXINR5ISN+yyuUBz7mO8KzDRZeh llNkztdiLogw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,456,1589266800"; d="scan'208,217";a="494647619" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by fmsmga005.fm.intel.com with ESMTP; 09 Aug 2020 20:00:10 -0700 Received: from orsmsx610.amr.corp.intel.com (10.22.229.23) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Sun, 9 Aug 2020 20:00:07 -0700 Received: from ORSEDG001.ED.cps.intel.com (10.7.248.4) by orsmsx610.amr.corp.intel.com (10.22.229.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Sun, 9 Aug 2020 20:00:05 -0700 Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.57.43) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (TLS) id 14.3.439.0; Sun, 9 Aug 2020 20:00:00 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ePFUIBQ3ZIYWD3X5hAYQaKg9SrBm9glE6vKSvaXWtjiUn79V8GO8GYVB9OOl5WmNVx12rDEBWtQH9JhVaBEqPe8n8bHB1Em275Z3IjzO06G8asHcbfjotpPLsrmdFmycWeHOf8gHhf2Mm0HgGDkvtpV+88dZeyj7lTbEKlL+Z9A6LcPx6gZPZQA56gGLSH00n4uGqvKYRiIE1UEzVO2l9QElHh/EFG0vFrVZbk9Jy04KXJPMAaFSVR0IlpslEFtaT5i2wHW3y3IXAp6KkFYlg/wWSQx0sjr9EaFFXokg/iwzbJL+3R8Mj8lgerYRCc8o1emdlVEaNcYXFKru1rzf+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tUv1Yn9xeE1iRhXVam8an4xA6f/MNJ21A6tkGHiUEuQ=; b=Y8ISWCsFA1rkQ82+MBt1w/G8qiM3n8XgtAwFtewNNjMgZxwbxuj4i2D4FlNIcI/Z9CDaI4a8Yg2WEBvRKOWPUZbRjjj5+w7VK6J+lmMPNcAltSVckiCxjySB71WkTiGNBfQLJOUP8GrXIjY1H1pWybRYh2feBkOaWYmCuCBDnBgeExeeLcdutUdYE0c4Tc6wqCkB6rqsWX/A6Rf58cBg9EjZI61XUhvBx4pbJnUxPKmzjAzskyDNNbnVManNhs73J7RF9ZssnSje3+kHFrEb3+DUyw/C0AZOeAGzgYjNI1As1lBBcV0PRJUTz5Iwbp142b2FSesYCIJg+cDUJ5Mw9w== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tUv1Yn9xeE1iRhXVam8an4xA6f/MNJ21A6tkGHiUEuQ=; b=UJcox8i/eQT7/7dj6IcVdy6gZi9F6lMdLKRVYtC2a9otsa5jA+WtMnZwiqit538DuOT+LbIzHOWrfLE0btbCZe151j6q/e12eGmLLlMRVRc7OtZDB7OGcHCk+UcRl3bbQ5fLQZxDAbe8JjWWLD3DmNQzC4XUqFg8T7jVIBYy8e8= Received: from CY4PR11MB1687.namprd11.prod.outlook.com (2603:10b6:903:2e::11) by CY4PR11MB1640.namprd11.prod.outlook.com (2603:10b6:910:8::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3261.19; Mon, 10 Aug 2020 02:59:58 +0000 Received: from CY4PR11MB1687.namprd11.prod.outlook.com ([fe80::1490:81c1:9ca1:df58]) by CY4PR11MB1687.namprd11.prod.outlook.com ([fe80::1490:81c1:9ca1:df58%9]) with mapi id 15.20.3261.022; Mon, 10 Aug 2020 02:59:58 +0000 From: "Zhiguang Liu" To: "devel@edk2.groups.io" , "chao-jui.huang@hpe.com" CC: "Wei, Kent (HPS SW)" , "Lin, Derek (HPS SW)" , "Wang, Nickle (HPS SW)" , "Wang, Sunny (HPS SW)" Subject: Re: Propose on enabling TLSv1.3 Thread-Topic: Propose on enabling TLSv1.3 Thread-Index: AdZpWmvoAXobJMOeQRG4knQWP/jTWwFZ5VYg Date: Mon, 10 Aug 2020 02:59:58 +0000 Message-ID: References: In-Reply-To: Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-reaction: no-action dlp-version: 11.5.1.3 dlp-product: dlpe-windows authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=intel.com; x-originating-ip: [192.55.46.46] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 0cacd0d8-c6f1-45ce-a4a5-08d83cd977c3 x-ms-traffictypediagnostic: CY4PR11MB1640: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: ogHFt1w+ScdxRMG8w6xA631RmL6ZUjhEgFDcOyUTY3Gq/K6MGv1MSVomEqG7+LtcUU889Q9fhjkHh+c7wIijZtd8q2SwXyahjG7iRK2Wqhc96LGWGdx4bTfNsoED86z/OVbpok7idA89fjkwBQjJ2ThVf389ICsqJ9krwj1jG1KprWLT1bLBD1vloXtD/M/Th7hpgrG2+6MLPkXSrq41hjp4khnuUvFQIAuIX+UUlcSouTVruQBQ19IMNZq7AmR4nJV+1xGQ6eViWnJMx1XoGY1txr0RHHaDANfEKuiFRJWoiY7v4TsrOXql0J4WuZ/LBrcrgNdIxp7M3DsVpY0B16uHkv7N6ua1MkqnFLmzSRTPZuTOsJpN0zGOcBR/LKy9U3rLR4EGvUHt7kACvAbObg== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CY4PR11MB1687.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(4636009)(366004)(376002)(39860400002)(396003)(346002)(136003)(166002)(186003)(71200400001)(316002)(66446008)(2906002)(5660300002)(8936002)(64756008)(66556008)(9326002)(52536014)(76116006)(478600001)(66476007)(66946007)(54906003)(110136005)(83380400001)(55016002)(76236003)(33656002)(26005)(8676002)(7696005)(4326008)(9686003)(86362001)(53546011)(6506007);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: FxwHy9VTwaY5l7hRwkZTrizhTOQEh5iChq7zGdJ7e6k14OSgbWfAh1dAZ0bfhBxo4fw3TYuCWQ4tIaPb3n55xeVXOiJwHbdbZvgVSnhuF/4FWL/STtg1enX6ZwvqlyvUYFrDRWfvHjxxyG7mATcty6Ksi2O+OqoQyEecOZpvS2GKL+QU8kAYoXqhb8g6IU9fJDprpm0Vut3yKjI12mlG2nIbzpw7hjH8EBwqFLGAOmXxdT/vgoaF5rCw2Ht8eTZLYDNfEiZWGdRAE8RsqZYltImBs0L5XYgDZVORfFTTZ/w5u7mJ+Y7LYcHKF0arhx8X1eH0EHFCIR3A/EfRitMBoRU2umx8AxiJ1rU2mgGXjqShbefqcMq+7SJu5KQsHmSCw59YLIH8PdgEBj1XvGtbUHpXzjXF0pwdtcBoIUTtC4Wwx9BtPDvHNdxA54PsE3qiTV41qN2r45TCwlZqC/XbTGwSGrLWo2JQqtbthXnMP8gSv1um/+P6lRSR9KXQzPgL3WWYtryDpPXaEYUFMEf5TVAfvBZdivTbUkr79+odYquIqebhVUnPZanDY7wRybAl7TI3wnfJPmmbOlrYfCPZ034EszOc4WCng6UmzDPrDGWp8rOB2fyrq1QAXdGP8xjzQOsQ3OJPXBBlRUxlPiMpwQ== x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CY4PR11MB1687.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0cacd0d8-c6f1-45ce-a4a5-08d83cd977c3 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Aug 2020 02:59:58.7285 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: WY4bGz0nVcSk5dCCr7eYU1YJZysBQ38fz1a378mVsvjB4SPsTsitGJFhr6qLIEm23f+6Fwnnn+0he/ShBTUXWw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR11MB1640 Return-Path: zhiguang.liu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_CY4PR11MB168717AEA14BE9306DDDED1C90440CY4PR11MB1687namp_" --_000_CY4PR11MB168717AEA14BE9306DDDED1C90440CY4PR11MB1687namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Matthew, Can you share the code about implementing tls 1.3 to the community? We can discuss the problems according to the code. Thanks Zhiguang From: devel@edk2.groups.io On Behalf Of Huang, Matt= hew (HPS SW) Sent: Monday, August 3, 2020 1:55 PM To: devel@edk2.groups.io Cc: Wei, Kent (HPS SW) ; Lin, Derek (HPS SW) ; Wang, Nickle (HPS SW) ; Wang, Sunny (HPS SW= ) Subject: [edk2-devel] Propose on enabling TLSv1.3 Hi: It's Matthew from HPE UEFI team. There is no TLSv1.3 support under current= EDK2 releases, and I'm working on enabling TLSv1.3 under UEFI and the resu= lt looks promising. OpenSSL have already made RFC8446 happens in late 2018,= the submodule we're having on the master branch is more than enough to mak= e the whole thing work. There are several problems needed to be addressed:' 1. OpenSslLib needs a reconfiguration with "no-ec" option on in process_fi= les.pl, and no off the shelf Perl built with native Windows command prompt = could've processed the file correctly. But I've managed to remove the block= age using Perl MSYS2 build under Windows without any error. Since this is o= nly a one-timer, I don't think that would've caused too much of a trouble. = The produced opensslconf.h seems correct, and this is all we need. 2. There are some policies issues caused by OpenSSL, OpenSSL explicitly de= scribes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_= ciphersuites is for TLSv1.3, but these function are tangled to each other a= nd the behavior is not equally fair. In current revision EDK2 included in t= he OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but = will not apply them, meanwhile SSL_set_ciphersuites cannot support any ciph= er lower than v1.3. This will cause a problem that when user applies auto v= ersioning, TLSv1.3 will not be applied even if v1.3 is enabled except setti= ng an empty list using SSL_set_cipher_list. 3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 incl= uded in the OpenSSL submodule, cannot exclude ciphersuites that user disabl= ed, so every cipher suites will be in the list for server to But I browsed all OpenSSL github PRs or merge-pending patches, both point = 2 and 3 have somewhat one or more solutions going on, I've applied them for= testing and the result is fairly satisfying. If there's a chance we discuss this in code? It will be easier this way, I= have a working patch we can start with, thanks. Regards, Matthew --_000_CY4PR11MB168717AEA14BE9306DDDED1C90440CY4PR11MB1687namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Matthew,

Can you share the = code about implementing tls 1.3 to the community?

We can discuss the= problems according to the code.

Thanks<= /span>

Zhiguang

 <= /span>

From: devel@edk2.groups.io <devel@edk2.grou= ps.io> On Behalf Of Huang, Matthew (HPS SW)
Sent: Monday, August 3, 2020 1:55 PM
To: devel@edk2.groups.io
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com>; Lin, Derek (HPS SW= ) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com= >; Wang, Sunny (HPS SW) <sunnywang@hpe.com>
Subject: [edk2-devel] Propose on enabling TLSv1.3=

 

Hi:=

&nb= sp;

It’= ;s Matthew from HPE UEFI team. There is no TLSv1.3 support under current ED= K2 releases, and I’m working on enabling TLSv1.3 under UEFI and the r= esult looks promising. OpenSSL have already made RFC8446 happens in late 2018, the submodule we’re having on the mas= ter branch is more than enough to make the whole thing work.

&nb= sp;

There ar= e several problems needed to be addressed:'

&nb= sp;

1. OpenS= slLib needs a reconfiguration with “no-ec” option on in process= _files.pl, and no off the shelf Perl built with native Windows command prom= pt could’ve processed the file correctly. But I’ve managed to remove the blockage using Perl MSYS2 build under Windows witho= ut any error. Since this is only a one-timer, I don’t think that woul= d’ve caused too much of a trouble. The produced opensslconf.h seems c= orrect, and this is all we need.

&nb= sp;

2. There= are some policies issues caused by OpenSSL, OpenSSL explicitly describes t= hat SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_ciphersui= tes is for TLSv1.3, but these function are tangled to each other and the behavior is not equally fair. In curren= t revision EDK2 included in the OpenSSL submodule, SSL_set_cipher_list can = parse v1.3 cipher suites but will not apply them, meanwhile SSL_set_ciphers= uites cannot support any cipher lower than v1.3. This will cause a problem that when user applies auto versioni= ng, TLSv1.3 will not be applied even if v1.3 is enabled except setting an e= mpty list using SSL_set_cipher_list.

&nb= sp;

3. Apart= from point 2., SSL_set_ciphersuites in current revision EDK2 included in t= he OpenSSL submodule, cannot exclude ciphersuites that user disabled, so ev= ery cipher suites will be in the list for server to

&nb= sp;

But I br= owsed all OpenSSL github PRs or merge-pending patches, both point 2 and 3 h= ave somewhat one or more solutions going on, I’ve applied them for te= sting and the result is fairly satisfying.

&nb= sp;

If there= ’s a chance we discuss this in code? It will be easier this way, I ha= ve a working patch we can start with, thanks.

&nb= sp;

Regards,=

Matthew<= o:p>

--_000_CY4PR11MB168717AEA14BE9306DDDED1C90440CY4PR11MB1687namp_--