From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>,
"Li, Yi" <yi1.li@intel.com>, Jiewen Yao <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Date: Fri, 29 Sep 2023 10:52:01 +0200 [thread overview]
Message-ID: <dr432gqdkktjfymocygo3durw7alvj5aspe725o5crubb4astt@eifvyvdy6dgl> (raw)
In-Reply-To: <x7eowssyon4id3m4qmjgiwakvfothqph4u4pevgogu2kdz5spa@u7d72lcusu7t>
On Fri, Sep 29, 2023 at 10:42:19AM +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > According to the mailing list discussion linked in
> > > <https://bugzilla.tianocore.org/show_bug.cgi?id=915#c8>,
> > > "TlsCipherMappingTable" should never offer *more* cipher suites than
> > > actually supported by OpensslLib (because then the TLS client might
> > > negotiate a cipher suite with the server that the client ultimately
> > > won't be able to support).
>
> Hmm, maybe *that* is the problem. edk2 has its own crypto algo provider
> (CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c) offering a limited
> set of ciphers to reduce the size of OpensslLib. This was added with
> the switch to openssl-3.
Hmm, the man-page says otherwise, ciphers not compiled in are supposed
to get ignored:
<quote>
The control string str for SSL_CTX_set_cipher_list(),
SSL_set_cipher_list(), SSL_CTX_set_ciphersuites() and
SSL_set_ciphersuites() should be universally usable and not depend on
details of the library configuration (ciphers compiled in). Thus no
syntax checking takes place. Items that are not recognized, because the
corresponding ciphers are not compiled in or because they are mistyped,
are simply ignored. Failure is only flagged if no ciphers could be
collected at all.
</quote>
take care,
Gerd
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109188): https://edk2.groups.io/g/devel/message/109188
Mute This Topic: https://groups.io/mt/101613778/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2023-09-29 8:52 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-27 8:38 [edk2-devel] setting TLS ciphers is broken (openssl 3?) Gerd Hoffmann
2023-09-27 17:30 ` Yao, Jiewen
2023-09-28 1:32 ` Li, Yi
2023-09-28 9:11 ` Laszlo Ersek
2023-09-28 14:25 ` Gerd Hoffmann
2023-09-29 7:59 ` Laszlo Ersek
2023-09-29 8:42 ` Gerd Hoffmann
2023-09-29 8:52 ` Gerd Hoffmann [this message]
2023-09-29 10:19 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dr432gqdkktjfymocygo3durw7alvj5aspe725o5crubb4astt@eifvyvdy6dgl \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox