From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-002e3701.pphosted.com (mx0a-002e3701.pphosted.com [148.163.147.86]) by mx.groups.io with SMTP id smtpd.web12.5437.1596434084120446974 for ; Sun, 02 Aug 2020 22:54:44 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: hpe.com, ip: 148.163.147.86, mailfrom: prvs=0484d19b59=chao-jui.huang@hpe.com) Received: from pps.filterd (m0150242.ppops.net [127.0.0.1]) by mx0a-002e3701.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 0735rciJ008787 for ; Mon, 3 Aug 2020 05:54:43 GMT Received: from g4t3427.houston.hpe.com (g4t3427.houston.hpe.com [15.241.140.73]) by mx0a-002e3701.pphosted.com with ESMTP id 32nhxhn26y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 03 Aug 2020 05:54:43 +0000 Received: from G4W9121.americas.hpqcorp.net (exchangepmrr1.us.hpecorp.net [16.210.21.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by g4t3427.houston.hpe.com (Postfix) with ESMTPS id 3DDB95E for ; Mon, 3 Aug 2020 05:54:42 +0000 (UTC) Received: from G4W9121.americas.hpqcorp.net (2002:10d2:1510::10d2:1510) by G4W9121.americas.hpqcorp.net (2002:10d2:1510::10d2:1510) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 3 Aug 2020 05:54:42 +0000 Received: from NAM10-DM6-obe.outbound.protection.outlook.com (15.241.52.12) by G4W9121.americas.hpqcorp.net (16.210.21.16) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 3 Aug 2020 05:54:42 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SD2DHJ+NoiF0yU0AtOSbAer+wtvOwkWZCNl+1CRqujtQ11ubH065eC+u60AQrCXrFo/4hRpQOlHEXa4THIK6ybvJ8lo9VAjoYwryOY76cjqNREwQRV7L/ouyv0Flzl4dXU5dO8I1ZRF4vGui05w8DFHeEMa1RmdKhyGlGk4jyZXy/iOqJ+pJKeGXUjehPw4K7eDMI4iGfEOKbLQ4qwrmBGWQH4XoPNCsnMsGceFydwp9uE8/T/T6+QM8riJSmzCz4RrVpu5s4KlkuAecBusePfmICFLf8J763vLdj8XfzRG107VJu2rUaGtEfL43c0Gfc+RcRSRBxjDITgnfrTTZ/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7pQuujbEgEOqmU15b2sc3zUR7OEZPArLRUgX4h2tnfc=; b=ViBRejzFFVuLdAl4zuLPzRLV+Beju1aVA/V6agMuk/Vv7OotNW0AI2ARmFLGxvahx/om33SiPQTkXmRhK6RpkJ9+GbH5tzxvFDtQHe3J9d39A06eum3O8STf4Ra8qf1mQ0uWiPHgKcX1P2G3ybgGd16jyaDdkGIdv/Z3/3x7aXM0isE1nbCupoNZqWysIabBWxINP5GmGbbmHk08rF02F2UYxCG/IR9CmbjcJONj4MKaUC5ebeL9OEyhes6MdUN8KEwB/Ru8EZkuzYU1yN7HYx2TF5Ow7qWs955npLeim1nH6yzYh4g8PB7DGTi6cwCXo1JPQHlVgWslPEFIhnomrQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hpe.com; dmarc=pass action=none header.from=hpe.com; dkim=pass header.d=hpe.com; arc=none Received: from DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7612::8) by DF4PR8401MB0745.NAMPRD84.PROD.OUTLOOK.COM (2a01:111:e400:7611::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.20; Mon, 3 Aug 2020 05:54:41 +0000 Received: from DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM ([fe80::2d0f:f9a3:f94f:9f4d]) by DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM ([fe80::2d0f:f9a3:f94f:9f4d%6]) with mapi id 15.20.3239.021; Mon, 3 Aug 2020 05:54:40 +0000 From: "Huang, Matthew (HPS SW)" To: "devel@edk2.groups.io" CC: "Wei, Kent (HPS SW)" , "Lin, Derek (HPS SW)" , "Wang, Nickle (HPS SW)" , "Wang, Sunny (HPS SW)" Subject: Propose on enabling TLSv1.3 Thread-Topic: Propose on enabling TLSv1.3 Thread-Index: AdZpWmvoAXobJMOeQRG4knQWP/jTWw== Date: Mon, 3 Aug 2020 05:54:40 +0000 Message-ID: Accept-Language: zh-TW, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=hpe.com; x-originating-ip: [2001:b011:2013:160b:906e:d9b5:1993:3f24] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 5e9e9f49-6663-4e59-b412-08d83771b6b6 x-ms-traffictypediagnostic: DF4PR8401MB0745: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: YqxpV9weZcYQxJs1jacXKJAL30hgPY8xEzrNuwXb4CgLir4Vc37Gkv84qUMG+yuAms49z+j7FsfqGZro3ZU749r6pj/cGyFknRw0I1jxYsYRn+LIMNkT5fp60W9OKSmk14bTeRPDxvJPGAN2h1Iw42gzj/TIAV+yP9YtulCi+aZQGdWp4MgmgisZQqeB4IkziiRRKWQgS0Kqt7qXi0otd3NgAWzOkgxvlwCGAYeIh4VGhmmRFqT7HKMkVzXzEvP//KmWltaell4dvOf2YT0Zjs6rqfLuyI1jPQ3mrPPKr8tub+wpcuBr8pRlStACHWvgONqJJ48b8rtZfP/1DqqwQw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFTY:;SFS:(346002)(376002)(366004)(39860400002)(396003)(136003)(186003)(76116006)(66946007)(6506007)(64756008)(66476007)(66446008)(66556008)(71200400001)(52536014)(5660300002)(83380400001)(478600001)(6916009)(316002)(86362001)(4326008)(33656002)(7696005)(8676002)(2906002)(8936002)(9686003)(55016002)(54906003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: RDH5HXx2Ib/UyWry69vIjon7nfLNbEq+8dmmAB2ogfUXYW9sjCUKw+veY+ToqzieUwdXff7qlCkc1EqXdm2+mWWVYidFr/WsyXdoPcXs3g2P3I7WpcvUkiRuz4Qr3yfvzk2X2EyfglNWRBn/v7tYNB1gFhm+F4c6o3uAA5twmiRXTqRBJq1mWdoUjhTq/hRq5zQGW3aqjsXop277NyAxeIdNWP67OD4kl7S8gLKCEBxmmfAraHT9HNJOjEmoYKVff/2aiLiniCH/Tv9l3omDXqTFHulhmEtM9qpm+HJJJ4BFX8EM1RhzCUdgz/XWENAvLNaH0bGczwTwpvxghU5fiUNVhjblD2hO3GcEvoFMjFZGZscJ44hf5AEDKvy5u1IWl70llIMMW6PAzDETp12kfiNOWD0BotjMCwemrNo8DjcblYH2sj+TV1UdvOWAh8I0sU2CkYOgDyyJ/o2YA5RERctvo2DO2JPK06yWmL110+OtysJKm0CSENyBxIHDEo1OiwoXZ5fE4xsbglEuPtsd151i3e27Bn32JEc2fxyuimyaMVYtuCBDE8LJMz5DR5LPuqfqoPTqa/4KSrU566H5uKS3z/bcdIV5CoP6iCTIopSy0VCzSlABRFv71xrfBITc7YaSTbQuAM0o423lJV/uatBfyRv4D/L+felNxioduDnTlPMta/217QS8Dt5Z0hOhOJWTA01LKqxnLvORZF0vOA== MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DF4PR8401MB1067.NAMPRD84.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-Network-Message-Id: 5e9e9f49-6663-4e59-b412-08d83771b6b6 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Aug 2020 05:54:40.7724 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: yMj4x7LpGHUx8NNW/huIAEIveF+DP6aWseAv2TFcHkknCY/O4PS7cBtymklB1ekmyg7r14HdEMDDwSEPmYdxrA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DF4PR8401MB0745 X-OriginatorOrg: hpe.com X-HPE-SCL: -1 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235,18.0.687 definitions=2020-08-03_04:2020-07-31,2020-08-03 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 impostorscore=0 phishscore=0 mlxlogscore=999 suspectscore=0 bulkscore=0 clxscore=1011 malwarescore=0 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2008030043 Content-Language: zh-TW Content-Type: multipart/alternative; boundary="_000_DF4PR8401MB1067E1659BBAA855D904A51CCD4D0DF4PR8401MB1067_" --_000_DF4PR8401MB1067E1659BBAA855D904A51CCD4D0DF4PR8401MB1067_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi: It's Matthew from HPE UEFI team. There is no TLSv1.3 support under current = EDK2 releases, and I'm working on enabling TLSv1.3 under UEFI and the resul= t looks promising. OpenSSL have already made RFC8446 happens in late 2018, = the submodule we're having on the master branch is more than enough to make= the whole thing work. There are several problems needed to be addressed:' 1. OpenSslLib needs a reconfiguration with "no-ec" option on in process_fil= es.pl, and no off the shelf Perl built with native Windows command prompt c= ould've processed the file correctly. But I've managed to remove the blocka= ge using Perl MSYS2 build under Windows without any error. Since this is on= ly a one-timer, I don't think that would've caused too much of a trouble. T= he produced opensslconf.h seems correct, and this is all we need. 2. There are some policies issues caused by OpenSSL, OpenSSL explicitly des= cribes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_c= iphersuites is for TLSv1.3, but these function are tangled to each other an= d the behavior is not equally fair. In current revision EDK2 included in th= e OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but w= ill not apply them, meanwhile SSL_set_ciphersuites cannot support any ciphe= r lower than v1.3. This will cause a problem that when user applies auto ve= rsioning, TLSv1.3 will not be applied even if v1.3 is enabled except settin= g an empty list using SSL_set_cipher_list. 3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 inclu= ded in the OpenSSL submodule, cannot exclude ciphersuites that user disable= d, so every cipher suites will be in the list for server to But I browsed all OpenSSL github PRs or merge-pending patches, both point 2= and 3 have somewhat one or more solutions going on, I've applied them for = testing and the result is fairly satisfying. If there's a chance we discuss this in code? It will be easier this way, I = have a working patch we can start with, thanks. Regards, Matthew --_000_DF4PR8401MB1067E1659BBAA855D904A51CCD4D0DF4PR8401MB1067_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi:

 

It’s Matthew from HPE UEF= I team. There is no TLSv1.3 support under current EDK2 releases, and I̵= 7;m working on enabling TLSv1.3 under UEFI and the result looks promising. = OpenSSL have already made RFC8446 happens in late 2018, the submodule we’re having on the master branch is more than e= nough to make the whole thing work.

 

There are several problems need= ed to be addressed:'

 

1. OpenSslLib needs a reconfigu= ration with “no-ec” option on in process_files.pl, and no off t= he shelf Perl built with native Windows command prompt could’ve proce= ssed the file correctly. But I’ve managed to remove the blockage using Perl MSYS2 build under Windows without any error. Since thi= s is only a one-timer, I don’t think that would’ve caused too m= uch of a trouble. The produced opensslconf.h seems correct, and this is all= we need.

 

2. There are some policies issu= es caused by OpenSSL, OpenSSL explicitly describes that SSL_set_cipher_list= is for TLS version 1.2 and lower, SSL_set_ciphersuites is for TLSv1.3, but= these function are tangled to each other and the behavior is not equally fair. In current revision EDK2 inclu= ded in the OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher sui= tes but will not apply them, meanwhile SSL_set_ciphersuites cannot support = any cipher lower than v1.3. This will cause a problem that when user applies auto versioning, TLSv1.3 will = not be applied even if v1.3 is enabled except setting an empty list using S= SL_set_cipher_list.

 

3. Apart from point 2., SSL_set= _ciphersuites in current revision EDK2 included in the OpenSSL submodule, c= annot exclude ciphersuites that user disabled, so every cipher suites will = be in the list for server to

 

But I browsed all OpenSSL githu= b PRs or merge-pending patches, both point 2 and 3 have somewhat one or mor= e solutions going on, I’ve applied them for testing and the result is= fairly satisfying.

 

If there’s a chance we di= scuss this in code? It will be easier this way, I have a working patch we c= an start with, thanks.

 

Regards,

Matthew

--_000_DF4PR8401MB1067E1659BBAA855D904A51CCD4D0DF4PR8401MB1067_--