From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"kraxel@redhat.com" <kraxel@redhat.com>
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Date: Wed, 27 Sep 2023 17:30:44 +0000
Message-ID: <MW4PR11MB587263BB08F1E3BC9EDE15968CC2A@MW4PR11MB5872.namprd11.prod.outlook.com>
In-Reply-To: <27kjaqdrgubri6i3vvickznsmdqnuo6h3tbxfmb3hr76n75gjf@cah3opindcnc>

Hi Gerd
Thanks for the report.

We will look into that. Are the steps below the full reproduction steps? Which server are you using? Which TLS version is configured?
Please provide as much detail as possible, if you could.


One more thing: we are going to have a one-week national holiday starting tomorrow.
If we cannot nail it down shortly, it will be the week after next.

Thank you
Yao, Jiewen



> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd
> Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
> 
>   Hi,
> 
> I've noticed that setting ciphers for TLS stopped working in ovmf, most
> likely due to the openssl 3.0 update.
> 
> Test case: try http boot from https server, set ciphers on the qemu
> command line using:
>     -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>     -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
> 
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
> 
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the IDs
> to strings and call SSL_set_cipher_list() with the result.
> 
> Later on the tls handshake fails.  From the log:
> 
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
>   }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
> TlsDoHandshake ERROR 0x308010C=L6:R8010C
> TlsDoHandshake ERROR 0xA0C0103=L14:RC0103
> [ ... ]
> 
> take care,
>   Gerd
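
As an added example (not code from this thread, from edk2 or from OVMF), the cipher string logged by TlsSetCipherList above can be handed to the OpenSSL linked into Python's ssl module, which calls the same SSL_CTX_set_cipher_list underneath; it reports which requested names the installed OpenSSL keeps and which it silently drops, and whether the whole string is rejected outright. This separates "OpenSSL 3 does not accept this cipher list" from a handshake failure with a server; results depend on the OpenSSL version and security level Python was built against.

```python
import ssl

# Cipher string exactly as logged by TlsDxe:TlsSetCipherList in the report above
# (only the e-mail line wrapping removed).
REPORTED_CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "DHE-RSA-DES-CBC3-SHA"
)


def check_cipher_list(cipher_string):
    """Apply an OpenSSL cipher string the way TlsSetCipherList does and
    report what the linked OpenSSL actually keeps.

    Returns (accepted, dropped, error):
      accepted - requested TLS 1.2-and-below cipher names OpenSSL will offer
      dropped  - requested names OpenSSL discarded without an error
                 (unknown name, or disabled at the active security level)
      error    - OpenSSL's message if the whole string was rejected, else None
    """
    requested = [name for name in cipher_string.split(":") if name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # -> SSL_CTX_set_cipher_list()
    except ssl.SSLError as exc:
        # "No cipher can be selected": every name was rejected, so the
        # failure is in the cipher list itself, not in the handshake.
        return [], requested, str(exc)
    # get_ciphers() also lists TLS 1.3 suites, which a cipher string never
    # controls; keep only the pre-1.3 entries so the comparison is fair.
    enabled = {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}
    accepted = [name for name in requested if name in enabled]
    dropped = [name for name in requested if name not in enabled]
    return accepted, dropped, None


if __name__ == "__main__":
    acc, drop, err = check_cipher_list(REPORTED_CIPHER_STRING)
    print("OpenSSL :", ssl.OPENSSL_VERSION)
    print("accepted:", acc)
    print("dropped :", drop)
    if err:
        print("error   :", err)
```

A non-empty "dropped" list with no error means OpenSSL accepted the string but quietly removed those suites, so a server that only offers one of the dropped ciphers will fail the handshake exactly as in the log above.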
View/Reply Online (#109128): https://edk2.groups.io/g/devel/message/109128