From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "kraxel@redhat.com"
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Date: Wed, 27 Sep 2023 17:30:44 +0000

Hi Gerd

Thanks for the report.
We will look into that.

Is the text below the full reproduction steps? Which server are you using? Which TLS version is configured?
Please provide as much detail as possible, if you could.

One more thing: We are going to have a 1-week National Holiday starting tomorrow. If we cannot nail it down shortly, that would be the week after next.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
>
> Hi,
>
> I've noticed that setting ciphers for TLS stopped working in ovmf, most
> likely due to the openssl 3.0 update.
>
> Test case: try http boot from https server, set ciphers on the qemu
> command line using:
>   -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>   -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
>
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
>
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the IDs
> to strings and call SSL_set_cipher_list() with the result.
>
> Later on the tls handshake fails. From the log:
>
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-AES128-GC
> M-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-
> SHA384:DHE-RSA-A
> ES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
> }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
> TlsDoHandshake ERROR 0x308010C=L6:R8010C
> TlsDoHandshake ERROR 0xA0C0103=L14:RC0103
> [ ... ]
>
> take care,
> Gerd
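
Added example (not part of this thread, and not edk2 or OpenSSL code): a decoder for the two packed error codes in the quoted log, using the error-code bit layout of OpenSSL 3.x `<openssl/err.h>`. The helper names are hypothetical, and the name tables cover only a few library and reason numbers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packed error-code layout from OpenSSL 3.x <openssl/err.h>. */
#define SYSTEM_FLAG   0x80000000u          /* bit 31: code carries an errno */
#define LIB_OFFSET    23
#define LIB_MASK      0xFFu
#define REASON_MASK   0x7FFFFFu            /* the value the log prints after "R" */
#define RFLAG_FATAL   (0x1u << 18)
#define RFLAG_COMMON  (0x2u << 18)         /* reason is a library-independent ERR_R_* */
#define RFLAGS_ALL    (0x1Fu << 18)

typedef struct { unsigned lib, reason; int fatal, common; } tls_err;

tls_err decode_err(uint32_t code) {
    tls_err e = { 2, code & 0x7FFFFFFFu, 0, 0 };   /* default: ERR_LIB_SYS + errno */
    if (code & SYSTEM_FLAG) return e;
    uint32_t r = code & REASON_MASK;
    e.lib    = (code >> LIB_OFFSET) & LIB_MASK;
    e.fatal  = (r & RFLAG_FATAL) != 0;
    e.common = (r & RFLAG_COMMON) != 0;
    e.reason = r & ~RFLAGS_ALL;                    /* strip the flag bits */
    return e;
}

const char *lib_name(unsigned lib) {
    switch (lib) {
    case 2:  return "SYS";
    case 6:  return "EVP";    /* the log prints this as L6 */
    case 20: return "SSL";    /* the log prints this in hex, L14 */
    default: return "other";
    }
}

const char *common_reason(unsigned reason) {
    switch (reason) {
    case 259: return "internal error";   /* ERR_R_INTERNAL_ERROR */
    case 268: return "unsupported";      /* ERR_R_UNSUPPORTED */
    default:  return "unknown";
    }
}

int main(void) {
    const uint32_t codes[] = { 0x308010Cu, 0xA0C0103u };   /* from the quoted log */
    for (size_t i = 0; i < 2; i++) {
        tls_err e = decode_err(codes[i]);
        printf("0x%08X lib=%s reason=%u (%s) fatal=%d\n", (unsigned)codes[i],
               lib_name(e.lib), e.reason,
               e.common ? common_reason(e.reason) : "library-specific", e.fatal);
    }
    return 0;
}
```

The first code decodes to an EVP-layer "unsupported" reason and the second to a fatal SSL-layer "internal error", so the EVP entry is the one to follow up when collecting the details requested above.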