public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* Propose on enabling TLSv1.3
@ 2020-08-03  5:54 Huang, Matthew (HPS SW)
  2020-08-03 22:06 ` Michael D Kinney
  2020-08-10  2:59 ` Zhiguang Liu
  0 siblings, 2 replies; 17+ messages in thread
From: Huang, Matthew (HPS SW) @ 2020-08-03  5:54 UTC (permalink / raw)
  To: devel@edk2.groups.io
  Cc: Wei, Kent (HPS SW), Lin, Derek (HPS SW), Wang, Nickle (HPS SW),
	Wang, Sunny (HPS SW)

[-- Attachment #1: Type: text/plain, Size: 2034 bytes --]

Hi:

It's Matthew from HPE UEFI team. There is no TLSv1.3 support under current EDK2 releases, and I'm working on enabling TLSv1.3 under UEFI and the result looks promising. OpenSSL have already made RFC8446 happens in late 2018, the submodule we're having on the master branch is more than enough to make the whole thing work.

There are several problems needed to be addressed:'

1. OpenSslLib needs a reconfiguration with "no-ec" option on in process_files.pl, and no off the shelf Perl built with native Windows command prompt could've processed the file correctly. But I've managed to remove the blockage using Perl MSYS2 build under Windows without any error. Since this is only a one-timer, I don't think that would've caused too much of a trouble. The produced opensslconf.h seems correct, and this is all we need.

2. There are some policies issues caused by OpenSSL, OpenSSL explicitly describes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_ciphersuites is for TLSv1.3, but these function are tangled to each other and the behavior is not equally fair. In current revision EDK2 included in the OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but will not apply them, meanwhile SSL_set_ciphersuites cannot support any cipher lower than v1.3. This will cause a problem that when user applies auto versioning, TLSv1.3 will not be applied even if v1.3 is enabled except setting an empty list using SSL_set_cipher_list.

3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 included in the OpenSSL submodule, cannot exclude ciphersuites that user disabled, so every cipher suites will be in the list for server to

But I browsed all OpenSSL github PRs or merge-pending patches, both point 2 and 3 have somewhat one or more solutions going on, I've applied them for testing and the result is fairly satisfying.

If there's a chance we discuss this in code? It will be easier this way, I have a working patch we can start with, thanks.

Regards,
Matthew

[-- Attachment #2: Type: text/html, Size: 4892 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2020-12-03  0:24 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-08-03  5:54 Propose on enabling TLSv1.3 Huang, Matthew (HPS SW)
2020-08-03 22:06 ` Michael D Kinney
2020-08-10  2:59 ` Zhiguang Liu
2020-08-10  4:26   ` [edk2-devel] " Huang, Matthew (HPS SW)
2020-11-19 17:09     ` Matthew Carlson
     [not found]   ` <1629CD946C53C473.23035@groups.io>
2020-08-12 11:12     ` 回覆: " Huang, Matthew (HPS SW)
     [not found]     ` <162A80E91C03CB2F.12108@groups.io>
2020-08-19 23:16       ` Huang, Matthew (HPS SW)
2020-08-20  0:50         ` Zhiguang Liu
2020-09-04  2:32         ` Zhiguang Liu
2020-09-07  2:37           ` Zhiguang Liu
2020-09-07  5:29             ` Yao, Jiewen
2020-09-07  5:39               ` Huang, Matthew (HPS SW)
2020-11-19  2:07           ` Zhiguang Liu
2020-11-19  9:34             ` Laszlo Ersek
2020-11-25  5:12             ` Huang, Matthew (HPS SW)
2020-11-25  7:27               ` Zhiguang Liu
2020-12-03  0:24                 ` Huang, Matthew (HPS SW)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox