From: "Li, Yi"
To: "devel@edk2.groups.io", "Yao, Jiewen", "kraxel@redhat.com"
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Date: Thu, 28 Sep 2023 01:32:06 +0000

Hi Gerd,

We have validated HTTPS boot and WiFi with EAP-TLS, where the code consumed the openssl3.0 TLS lib API.
So we cannot reproduce this issue. Could you provide detailed test steps to me? I will look into it.

Thanks,
Yi

-----Original Message-----
From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
Sent: Thursday, September 28, 2023 1:31 AM
To: devel@edk2.groups.io; kraxel@redhat.com
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)

Hi Gerd

Thanks for reporting.
We will look into that. Is the text below the full reproduction steps? Which server are you using? Which TLS version is configured?
Please provide as much detail as possible, if you could.

One more thing: We are going to have a 1 week National Holiday starting tomorrow. If we cannot nail this down shortly, that would be next next week.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Gerd Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
>
> Hi,
>
> I've noticed that setting ciphers for TLS stopped working in ovmf,
> most likely due to the openssl 3.0 update.
>
> Test case: try http boot from https server, set ciphers on the qemu
> command line using:
>     -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>     -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
>
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
>
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the
> IDs to strings and call SSL_set_cipher_list() with the result.
>
> Later on the tls handshake fails. From the log:
>
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
> }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
> TlsDoHandshake ERROR 0x308010C=L6:R8010C
> TlsDoHandshake ERROR 0xA0C0103=L14:RC0103
> [ ... ]
>
> take care,
>   Gerd
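
Added example (not part of the thread, and not edk2 or OpenSSL code): the two TlsDoHandshake error values in the quoted log are packed OpenSSL 3.x error codes, and this C program splits them into the library and reason fields that the log's L..:R.. annotation shows. The bit layout mirrors the macros in openssl/err.h; decode_err(), lib_name() and common_reason() are names made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout of a packed OpenSSL 3.x error code, mirroring openssl/err.h
 * (copied here so the example builds without the OpenSSL headers). */
#define SYSTEM_FLAG  0x80000000u   /* set: low 31 bits are an errno value */
#define LIB_OFFSET   23
#define LIB_MASK     0xFFu
#define REASON_MASK  0x7FFFFFu
#define RFLAG_FATAL  (0x1u << 18)
#define RFLAG_COMMON (0x2u << 18)  /* reason is a library-independent ERR_R_* */
#define CODE_MASK    0x3FFFFu      /* reason with the flag bits removed */

struct tls_err { unsigned lib, reason, code; int fatal, common; };

/* Hypothetical helper for this example, not an edk2 or OpenSSL API. */
static struct tls_err decode_err(uint32_t e) {
    struct tls_err d = {0};
    if (e & SYSTEM_FLAG) {             /* system error: library is ERR_LIB_SYS (2) */
        d.lib = 2; d.reason = d.code = e & ~SYSTEM_FLAG;
        return d;
    }
    d.lib    = (e >> LIB_OFFSET) & LIB_MASK;
    d.reason = e & REASON_MASK;
    d.code   = d.reason & CODE_MASK;
    d.fatal  = (d.reason & RFLAG_FATAL) != 0;
    d.common = (d.reason & RFLAG_COMMON) != 0;
    return d;
}

static const char *lib_name(unsigned lib) {
    return lib == 2 ? "SYS" : lib == 6 ? "EVP" : lib == 20 ? "SSL" : "other";
}

/* Only reasons carrying the common flag mean the same thing in every library. */
static const char *common_reason(struct tls_err d) {
    if (!d.common) return "library-specific";
    return d.code == 259 ? "internal error" : d.code == 268 ? "unsupported" : "other common";
}

int main(void) {
    const uint32_t seen[] = { 0x308010Cu, 0xA0C0103u };  /* values from the quoted log */
    for (int i = 0; i < 2; i++) {
        struct tls_err d = decode_err(seen[i]);
        /* Same "L<lib>:R<reason>" hex form as the log, then the decoded meaning. */
        printf("0x%X=L%X:R%X  %s: %s%s\n", (unsigned)seen[i], d.lib, d.reason,
               lib_name(d.lib), common_reason(d), d.fatal ? " (fatal)" : "");
    }
    return 0;
}
```

Both values carry the common flag, so the first decodes to ERR_R_UNSUPPORTED raised in the EVP library and the second to ERR_R_INTERNAL_ERROR raised in the SSL library.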