From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) by mx.groups.io with SMTP id smtpd.web11.100185.1597878966742361955 for ; Wed, 19 Aug 2020 16:16:06 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: hpe.com, ip: 148.163.147.86, mailfrom: prvs=0500c6b4b3=chao-jui.huang@hpe.com) Received: from pps.filterd (m0150242.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 07JN8ueG007066 for ; Wed, 19 Aug 2020 23:16:05 GMT Received: from g2t2353.austin.hpe.com (g2t2353.austin.hpe.com [15.233.44.26]) by mx0a-002e3701.pphosted.com with ESMTP id 331cs2r8eg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 19 Aug 2020 23:16:05 +0000 Received: from G1W8108.americas.hpqcorp.net (g1w8108.austin.hp.com [16.193.72.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by g2t2353.austin.hpe.com (Postfix) with ESMTPS id D8E4386 for ; Wed, 19 Aug 2020 23:16:04 +0000 (UTC) Received: from G9W8456.americas.hpqcorp.net (2002:10d8:a15f::10d8:a15f) by G1W8108.americas.hpqcorp.net (2002:10c1:483c::10c1:483c) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 19 Aug 2020 23:16:04 +0000 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (15.241.52.11) by G9W8456.americas.hpqcorp.net (16.216.161.95) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 19 Aug 2020 23:16:04 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JPpnNEitusMRrWFDOhnnViJEVRQ6T9yuwDPP8tzWsvsMGBiu4tUZzz/zvwpEvhnVh44BTafD4I+vTdVmMqotVj06Hl2pF5E1ZbpnLJ07k+B2bGg9fWSi7+cS+ixlW7au+u7vj1b7DTCcy2Wy47EhWbcc0XP7HsUrwXQ3WKTU3ImmrNStu1kcFDQk51foKlNWqqh11hQHqecLHs5jn/8SFjD9mS+gKtKgcGkLbGxtffWpzAhFD6FP/Z6uYbHaHDrTUqV6bbuiojZ05sdgm9ZDaupQqmA/NNo5tOz5GEH3F4v5cRw0mzUTCr3FOuSaD/eVCoksZWeeI7eT+QSH4MTPGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=g31Wji4qYG99BorMkDvblI8E034esw5oVh4cDqAVEnE=; b=ViqiZpwSckelTzHJBoIxPU/FTlASmb9OdzP2067/eMBbj02Gzw42n6ICk8YyLMec8mwcKVVdFhgsesF3lnaBZQirq/Q/ZW/qZ4umIdbng24DV+teSLBZKYVbDRsBO2324FXsFzsG4UMHE5X2DQ+ocsh+PM5WZKT3mrP+Y3/ajpwOtphNoKNbmxBhpW7V5bmdZ/tteyjYXc817NlTGwEFDYu00Mjk99D6UVI+u4FDhT3mLrtJuqxh206bDqOoXzUB4vem72w29zcU0mqUK8K2Dwb65NTz+ZPOyhUyrTIGvbUzpobS7HCynL68yEajIVmFrbS5SqTM0mYLa5CrnQaqsg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hpe.com; dmarc=pass action=none header.from=hpe.com; dkim=pass header.d=hpe.com; arc=none Received: from DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7612::8) by DF4PR8401MB0475.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7606::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.24; Wed, 19 Aug 2020 23:16:02 +0000 Received: from DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM ([fe80::1821:aee6:15d9:b4d5]) by DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM ([fe80::1821:aee6:15d9:b4d5%11]) with mapi id 15.20.3305.024; Wed, 19 Aug 2020 23:16:02 +0000 From: "Huang, Matthew (HPS SW)" To: "devel@edk2.groups.io" , "Huang, Matthew (HPS SW)" , "zhiguang.liu@intel.com" CC: "Wei, Kent (HPS SW)" , "Lin, Derek (HPS SW)" , "Wang, Nickle (HPS SW)" , "Wang, Sunny (HPS SW)" Subject: =?UTF-8?B?5Zue6KaGOiBbZWRrMi1kZXZlbF0gUHJvcG9zZSBvbiBlbmFibGluZyBUTFN2MS4z?= Thread-Topic: [edk2-devel] Propose on enabling TLSv1.3 Thread-Index: AdZpWmvoAXobJMOeQRG4knQWP/jTWwFZ5VYgAAMPThAAciZZQAF55gyw Date: Wed, 19 Aug 2020 23:16:02 +0000 Message-ID: References: <1629CD946C53C473.23035@groups.io> <162A80E91C03CB2F.12108@groups.io> In-Reply-To: <162A80E91C03CB2F.12108@groups.io> Accept-Language: zh-TW, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=hpe.com; x-originating-ip: [16.242.247.129] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 049a0cf5-8c4b-42cc-a1df-08d84495d746 x-ms-traffictypediagnostic: DF4PR8401MB0475: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: 7xXMfuAdwPCHs422AWRBLsBrB7jMi2vUCjLyXW30FAFfjBTpRlZMqljHSaavr2JZ+xmyZDqAuW14+DXvsGeh1cvOLvOqexevgbtZ4xfUoj3tZv++6gy2GVvFn4urz0qjtRrpcKG72a3sBKT/h9GCaTHAIKYBjJUEVF9ndsymOI9gapFgT5gRSfqdmrZeG4YvCf7n1ieo7TNwADn2zPgxc+znvf1BmTWnZ6+BPEZauxzp1/yLw0lBnXQgMFrXCnKlGc4Pwk5xTbMPb8olu7eYLBHF+Lc8Cb38bXr1cD6KWMnkWJYXbhxdsZCuEuR4jSd4fHzSjWQQiKY0oEn3YMwYah5At1oq9Oz8kwF7EcMaHd40UL8Qh77gn/eF6jpfhQe6+LhO1JRf5SqV56PYnc8RJA== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(136003)(346002)(366004)(396003)(39860400002)(376002)(86362001)(224303003)(166002)(4326008)(52536014)(76236003)(186003)(66556008)(66946007)(33656002)(66476007)(26005)(83380400001)(76116006)(64756008)(66446008)(5660300002)(71200400001)(478600001)(55016002)(53546011)(54906003)(7696005)(9686003)(110136005)(316002)(2906002)(6506007)(8936002);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: iux0/e7sJqcPmyDx+Y0T8G2ARg+raggf3IpGrrI9JF8hEr38X583TSn/0UmnLM4rnDXO/HuxrgQ5Q54kiBcKh5AjUTalVZBBPMPwphT38W+vA/5OfJ7BJ8JQ/Cf/v58c8xze6xHyV/irWnxAmIxkebs93kj4Cl0jMiH/LPiw7JITSszWOlXehlC/tlp4jKxBYcWLfdRig/zSP2Ke46EUaLAgZtUvDx3DyC4UeA0+RJDbhEWFytgK0dSU047VZ0j1nZBNsiBg9+miudy+QNcamdOk47jFulONmND1MtLZb0S9M0AVOyZ4rHsoHOq70URhjkE43gj7GiQ1t9jPqoE/XXD+WVO76b/Qjz+6kjUWqvIBoNBhAIpY2Jt2lCXxN6xPwlcaVbv7gEC13sdCO254bAVbeb7PWb+gca3b22dtvxIyU/MTf5JrehF8c3OKNv1YkC55UZL97vh57ih3A1DNImNOlnU5zunxx6fsVLdhYDym+VaC5PmefFC9Vqe7H65nXOwREcSDGVsRVtUqBllhhGlBidT/f4uxKIn+FsxIIBCAKbP1uoW9DWbhofWV8dsgUCPXrD9oUfHGyqocJyfVUbg3Z2F3XMRfFkMjYluAZfTq7erD7GNWmjvRdmRt+PkJvCpxoXzBUnhK9nDdQEW9bw== X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-Network-Message-Id: 049a0cf5-8c4b-42cc-a1df-08d84495d746 X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Aug 2020 23:16:02.3272 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: nh+ZxH8gIeUFk9MzSoiWsTcUuWNxsZjhLkG4ftyJ7GYpscY1+NvZkzHNfbu1gqmJ2k7R9Zby58SAn+KeQGjC0A== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DF4PR8401MB0475 X-OriginatorOrg: hpe.com X-Proofpoint-UnRewURL: 10 URL's were un-rewritten MIME-Version: 1.0 X-HPE-SCL: -1 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-08-19_13:2020-08-19,2020-08-19 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 spamscore=0 mlxlogscore=999 clxscore=1015 impostorscore=0 bulkscore=0 mlxscore=0 malwarescore=0 phishscore=0 suspectscore=0 lowpriorityscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008190188 Content-Language: zh-TW Content-Type: multipart/alternative; boundary="_000_DF4PR8401MB106700274C830BC47F00CCFBCD5D0DF4PR8401MB1067_" --_000_DF4PR8401MB106700274C830BC47F00CCFBCD5D0DF4PR8401MB1067_ Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: quoted-printable Hi Zhiguang: Any comments on these patches? Matthew. =1B$B4s7o =1B$BBeM}=1B= (B Huang, Matthew (HPS SW) =1B$B4s7oF|4|=1B(B: Wednesday, August 12, 2020 7:13 PM =1B$BZ@7o; zhiguang.liu@intel.com =1B$BI{K\=1B(B: Wei, Kent (HPS SW) ; Lin, Derek (HPS SW)= ; Wang, Nickle (HPS SW) ; Wang, S= unny (HPS SW) =1B$B > =1B$BBeM}=1B(B Huang, Matthew= (HPS SW) =1B$B4s7oF|4|=1B(B: Monday, August 10, 2020 12:26 PM =1B$BZ@7o; zhigu= ang.liu@intel.com =1B$BI{K\=1B(B: Wei, Kent (HPS SW) >; Lin, Derek (HPS SW) >; = Wang, Nickle (HPS SW) >; Wa= ng, Sunny (HPS SW) > =1B$B > On Behalf Of Zhiguang Liu Sent: Monday, August 10, 2020 11:00 AM To: devel@edk2.groups.io; Huang, Matthew (HPS= SW) > Cc: Wei, Kent (HPS SW) >; Lin, D= erek (HPS SW) >; Wang, Nickle= (HPS SW) >; Wang, Sunny (H= PS SW) > Subject: Re: [edk2-devel] Propose on enabling TLSv1.3 Hi Matthew, Can you share the code about implementing tls 1.3 to the community? We can discuss the problems according to the code. Thanks Zhiguang From: devel@edk2.groups.io > On Behalf Of Huang, Matthew (HPS SW) Sent: Monday, August 3, 2020 1:55 PM To: devel@edk2.groups.io Cc: Wei, Kent (HPS SW) >; Lin, D= erek (HPS SW) >; Wang, Nickle= (HPS SW) >; Wang, Sunny (H= PS SW) > Subject: [edk2-devel] Propose on enabling TLSv1.3 Hi: It=1B$B!G=1B(Bs Matthew from HPE UEFI team. There is no TLSv1.3 support un= der current EDK2 releases, and I=1B$B!G=1B(Bm working on enabling TLSv1.3 u= nder UEFI and the result looks promising. OpenSSL have already made RFC8446= happens in late 2018, the submodule we=1B$B!G=1B(Bre having on the master = branch is more than enough to make the whole thing work. There are several problems needed to be addressed:' 1. OpenSslLib needs a reconfiguration with =1B$B!H=1B(Bno-ec=1B$B!I=1B(B o= ption on in process_files.pl, and no off the shelf Perl built with native W= indows command prompt could=1B$B!G=1B(Bve processed the file correctly. But= I=1B$B!G=1B(Bve managed to remove the blockage using Perl MSYS2 build unde= r Windows without any error. Since this is only a one-timer, I don=1B$B!G= =1B(Bt think that would=1B$B!G=1B(Bve caused too much of a trouble. The pr= oduced opensslconf.h seems correct, and this is all we need. 2. There are some policies issues caused by OpenSSL, OpenSSL explicitly de= scribes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_= ciphersuites is for TLSv1.3, but these function are tangled to each other a= nd the behavior is not equally fair. In current revision EDK2 included in t= he OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but = will not apply them, meanwhile SSL_set_ciphersuites cannot support any ciph= er lower than v1.3. This will cause a problem that when user applies auto v= ersioning, TLSv1.3 will not be applied even if v1.3 is enabled except setti= ng an empty list using SSL_set_cipher_list. 3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 incl= uded in the OpenSSL submodule, cannot exclude ciphersuites that user disabl= ed, so every cipher suites will be in the list for server to But I browsed all OpenSSL github PRs or merge-pending patches, both point = 2 and 3 have somewhat one or more solutions going on, I=1B$B!G=1B(Bve appli= ed them for testing and the result is fairly satisfying. If there=1B$B!G=1B(Bs a chance we discuss this in code? It will be easier = this way, I have a working patch we can start with, thanks. Regards, Matthew --_000_DF4PR8401MB106700274C830BC47F00CCFBCD5D0DF4PR8401MB1067_ Content-Type: text/html; charset="iso-2022-jp" Content-Transfer-Encoding: quoted-printable

Hi Zhiguang:

 

Any comments on these patches?

 

Matthew.

 

=1B$B4s7o= : devel@edk2.groups.io <devel@edk2.groups.io> =1B$BBeM}=1B(B Huang, Matthew (HPS SW)
=1B$B4s7oF|4|=1B(B: Wednesday, August 1= 2, 2020 7:13 PM
=1B$BZ@7o: devel@edk2.groups.io;= Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com>; zhiguang.liu@intel= .com
=1B$BI{K\=1B(B: Wei, Kent (HPS SW) <= kent.wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang,= Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunn= ywang@hpe.com>
=1B$B: = =1B$B2sJ$=1B(B: [edk2-devel] Propose on enabling TLSv1.3=

 

Hi Zhiguang:

 =

Please refer to th= e attached =1B$B!F=1B(Btlsv13.patch=1B$B!G=1B(B based on tianocore/edk2@be0= 1087e07.

   =             &nb= sp;            =             &nb= sp;           

As I mentioned, = =1B$B!F=1B(Bprocess_files.pl=1B$B!G=1B(B is processed with ActivePerl 5.28= Build 0000 (64-bit) and MSYS2 MinGW 64-bit, log is attached as =1B$B!F=1B(= Bprocess_openssl.txt=1B$B!G=1B(B.

 =

The problems are s= till the same, current OpenSSL has two problems:

 =

  1. It will not ignore disabled TLSv1.3= cipher suites, which results in all the TLSv1.3 cipher suites defined in T= lsCipherMappingTable will be published no matter what the actual value is in gEdkiiHttpTlsCipherListGuid.HttpTls= CipherList.
  2. SS= L_set_ciphersuites cannot handle non-TLSv1.3 ciphers, which results in the = function fails to set any ciphersuite if there are TLSv1.2 ciphers in the =1B$B!F=1B(BCipherString=1B$B!G=1B(B argument.

    3.  =

    They are minor one= s, but would=1B$B!G=1B(Bve caused the whole flow acts weird. Those two prob= lems are more or less solved or discussed in the OpenSSL scene, but not inc= luded in EDK2 yet. If anyone wants to test TLSv1.3, attachment =1B$B!F=1B(Bopenssl.patch=1B$B!G=1B(B is suggested to be appli= ed for a more reasonable outcome.

     =

    Regards,

    Matthew.

    =1B$B4s7o: devel@edk2.groups.io <devel@edk2.groups.io> =1B$BBeM}= =1B(B Huang, Matthew (HPS SW)
    =1B$B4s7oF= |4|=1B(B: Monday, August 10, 2020 12:26 PM
    =1B$BZ@7o<= T=1B(B: devel@edk2.groups.io; zhiguang.liu@intel.com
    =1B$BI{K\= =1B(B: Wei, Kent (HPS SW) <kent.wei@hpe.c= om>; Lin, Derek (HPS SW) <d= erek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com&g= t;
    =1B$B: Re: [edk2-devel] Propose on enabling TLSv1.3

     

    Hi Zhiguang:

     

    Sure, I love to. But I=1B$B!G=1B(Bm new to the scen= e, please give me some time to figure out how to share the snippet properly= , thanks.

     

    Regards,

    Matthew.

    From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Zhiguang Liu
    Sent: Monday, August 10, 2020 11:00 AM
    To: devel@edk2.groups.io; Huang, Matthew (HPS SW) <ch= ao-jui.huang@hpe.com>
    Cc: Wei, Kent (HPS SW) <kent= .wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com= >
    Subject: Re: [edk2-devel] Propose on enabling TLSv1.3

     

    Hi Matthew,=

    Can you share the = code about implementing tls 1.3 to the community?

    We can discuss the= problems according to the code.

    Thanks=

    Zhiguang

     =

    From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Huang, Matthew (HPS SW)
    Sent: Monday, August 3, 2020 1:55 PM
    To: devel@edk2.groups.io
    Cc: Wei, Kent (HPS SW) <    kent= .wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com= >
    Subject: [edk2-devel] Propose on enabling TLSv1.3    =

     

    Hi:

     

    It=1B$B!G=1B(Bs Matthew from HPE UEFI team. There i= s no TLSv1.3 support under current EDK2 releases, and I=1B$B!G=1B(Bm workin= g on enabling TLSv1.3 under UEFI and the result looks promising. OpenSSL ha= ve already made RFC8446 happens in late 2018, the submodule we=1B$B!G=1B(Bre having on the master branch is more than enough to make = the whole thing work.

     

    There are several problems needed to be addressed:'=

     

    1. OpenSslLib needs a reconfiguration with =1B$B!H= =1B(Bno-ec=1B$B!I=1B(B option on in process_files.pl, and no off the shelf= Perl built with native Windows command prompt could=1B$B!G=1B(Bve processe= d the file correctly. But I=1B$B!G=1B(Bve managed to remove the blockage us= ing Perl MSYS2 build under Windows without any error. Since this is only a one-tim= er, I don=1B$B!G=1B(Bt think that would=1B$B!G=1B(Bve caused too much of a = trouble. The produced opensslconf.h seems correct, and this is all we need.=

     

    2. There are some policies issues caused by OpenSSL= , OpenSSL explicitly describes that SSL_set_cipher_list is for TLS version = 1.2 and lower, SSL_set_ciphersuites is for TLSv1.3, but these function are = tangled to each other and the behavior is not equally fair. In current revision EDK2 included in the OpenSSL sub= module, SSL_set_cipher_list can parse v1.3 cipher suites but will not apply= them, meanwhile SSL_set_ciphersuites cannot support any cipher lower than = v1.3. This will cause a problem that when user applies auto versioning, TLSv1.3 will not be applied even if v1= .3 is enabled except setting an empty list using SSL_set_cipher_list.<= /o:p>

     

    3. Apart from point 2., SSL_set_ciphersuites in cur= rent revision EDK2 included in the OpenSSL submodule, cannot exclude cipher= suites that user disabled, so every cipher suites will be in the list for s= erver to

     

    But I browsed all OpenSSL github PRs or merge-pendi= ng patches, both point 2 and 3 have somewhat one or more solutions going on= , I=1B$B!G=1B(Bve applied them for testing and the result is fairly satisfy= ing.

     

    If there=1B$B!G=1B(Bs a chance we discuss this in c= ode? It will be easier this way, I have a working patch we can start with, = thanks.

     

    Regards,

    Matthew

--_000_DF4PR8401MB106700274C830BC47F00CCFBCD5D0DF4PR8401MB1067_--