From: "Huang, Matthew (HPS SW)"
To: "devel@edk2.groups.io", "zhiguang.liu@intel.com"
CC: "Wei, Kent (HPS SW)", "Lin, Derek (HPS SW)", "Wang, Nickle (HPS SW)", "Wang, Sunny (HPS SW)"
Subject: Re: [edk2-devel] Propose on enabling TLSv1.3
Date: Mon, 10 Aug 2020 04:26:15 +0000

Hi Zhiguang:

Sure, I'd love to. But I'm new to the scene, please give me some time to figure out how to share the snippet properly, thanks.

Regards,
Matthew.

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Zhiguang Liu
Sent: Monday, August 10, 2020 11:00 AM
To: devel@edk2.groups.io; Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com>
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com>
Subject: Re: [edk2-devel] Propose on enabling TLSv1.3

Hi Matthew,

Can you share the code about implementing TLS 1.3 to the community?
We can discuss the problems according to the code.

Thanks
Zhiguang

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Huang, Matthew (HPS SW)
Sent: Monday, August 3, 2020 1:55 PM
To: devel@edk2.groups.io
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com>
Subject: [edk2-devel] Propose on enabling TLSv1.3

Hi:

It's Matthew from HPE UEFI team. There is no TLSv1.3 support under current EDK2 releases, and I'm working on enabling TLSv1.3 under UEFI and the result looks promising. OpenSSL already made RFC 8446 happen in late 2018; the submodule we're having on the master branch is more than enough to make the whole thing work.

There are several problems that need to be addressed:

1. OpenSslLib needs a reconfiguration with "no-ec" option on in process_files.pl, and no off-the-shelf Perl built with native Windows command prompt could've processed the file correctly. But I've managed to remove the blockage using Perl MSYS2 build under Windows without any error. Since this is only a one-timer, I don't think that would've caused too much trouble. The produced opensslconf.h seems correct, and this is all we need.

2. There are some policy issues caused by OpenSSL. OpenSSL explicitly describes that SSL_set_cipher_list is for TLS version 1.2 and lower and SSL_set_ciphersuites is for TLSv1.3, but these functions are tangled with each other and the behavior is not equally fair. In current revision EDK2 included in the OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but will not apply them; meanwhile SSL_set_ciphersuites cannot support any cipher lower than v1.3. This will cause a problem that when user applies auto versioning, TLSv1.3 will not be applied even if v1.3 is enabled except setting an empty list using SSL_set_cipher_list.

3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 included in the OpenSSL submodule, cannot exclude ciphersuites that user disabled, so every cipher suite will be in the list for server to

But I browsed all OpenSSL GitHub PRs or merge-pending patches, both point 2 and 3 have somewhat one or more solutions going on, I've applied them for testing and the result is fairly satisfying.

Is there a chance we discuss this in code? It will be easier this way, I have a working patch we can start with, thanks.

Regards,
Matthew

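
Added example (not part of the original message, and not EDK2 or OpenSSL code): point 2 in the proposal says SSL_set_cipher_list covers TLS 1.2 and lower while SSL_set_ciphersuites covers TLSv1.3, so a caller holding one mixed, preference-ordered list of IANA cipher suite IDs has to route each ID to the right string. The table, the helper name split_cipher_ids and the buffer sizes are assumptions made for illustration; unknown IDs are rejected rather than skipped so a typo cannot silently widen or empty the policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed table for this example: IANA suite ID -> OpenSSL name. */
struct suite { uint16_t id; const char *name; };
static const struct suite SUITES[] = {
    {0x1301, "TLS_AES_128_GCM_SHA256"},
    {0x1302, "TLS_AES_256_GCM_SHA384"},
    {0x1303, "TLS_CHACHA20_POLY1305_SHA256"},
    {0x009C, "AES128-GCM-SHA256"},
    {0x009D, "AES256-GCM-SHA384"},
    {0x003C, "AES128-SHA256"},
};

/* TLS 1.3 suites are 0x1301..0x1305 in the IANA registry. */
static int is_tls13(uint16_t id) { return id >= 0x1301 && id <= 0x1305; }

/* Append name to a colon-separated list; -1 if it would not fit. */
static int append(char *dst, size_t cap, const char *name) {
    size_t used = strlen(dst), need = strlen(name) + (used ? 1 : 0);
    if (used + need + 1 > cap) return -1;
    if (used) strcat(dst, ":");
    strcat(dst, name);
    return 0;
}

/* Hypothetical helper: split preference-ordered IDs into the string for
 * SSL_set_cipher_list (legacy) and the one for SSL_set_ciphersuites (tls13).
 * Returns n on success, -1 on unknown ID or overflow; on -1 the buffers
 * hold a partial list and must not be applied. */
int split_cipher_ids(const uint16_t *ids, size_t n,
                     char *legacy, size_t lcap, char *tls13, size_t tcap) {
    if (lcap == 0 || tcap == 0) return -1;
    legacy[0] = tls13[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *name = NULL;
        for (size_t j = 0; j < sizeof SUITES / sizeof SUITES[0]; j++)
            if (SUITES[j].id == ids[i]) name = SUITES[j].name;
        if (!name) return -1;               /* fail closed on unknown ID */
        if (is_tls13(ids[i]) ? append(tls13, tcap, name)
                             : append(legacy, lcap, name)) return -1;
    }
    return (int)n;
}

int main(void) {
    const uint16_t ids[] = {0x009D, 0x1302, 0x003C, 0x1301}; /* constructed input */
    char legacy[128], tls13[128];
    if (split_cipher_ids(ids, 4, legacy, sizeof legacy, tls13, sizeof tls13) < 0) return 1;
    printf("SSL_set_cipher_list:  %s\nSSL_set_ciphersuites: %s\n", legacy, tls13);
    return 0;
}
```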