From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 4893F9415D5 for ; Fri, 29 Sep 2023 08:52:12 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=+25xtmWdfvbH4sbntvrCBVUziPy+evqpppVHcjl7J5M=; c=relaxed/simple; d=groups.io; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition; s=20140610; t=1695977531; v=1; b=iF8FocyOWlXWmGp6wxZZ57jwq3l5S6O9xZOv/T32toucDtvWeycvXo/qmcmg3HwFNXUcuQcK Auv6o9KQ8pJrWD2xzj9ZLTUF8DDhnhh1EvGnAzUrVEFWrZiARBGWoQGWEh8lW6svSqk2GufRZ7A xdYG50d7rBr62sVk8/fbBnk0= X-Received: by 127.0.0.2 with SMTP id 2psxYY7687511xlqv6Gpfmc8; Fri, 29 Sep 2023 01:52:11 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web10.13203.1695977530099349219 for ; Fri, 29 Sep 2023 01:52:10 -0700 X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-474-G30MtiC9MuqqdBFy6PdaRA-1; Fri, 29 Sep 2023 04:52:03 -0400 X-MC-Unique: G30MtiC9MuqqdBFy6PdaRA-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3CCBE3C025BC; Fri, 29 Sep 2023 08:52:03 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.193.95]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0C59510005D2; Fri, 29 Sep 2023 08:52:03 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 900D71800638; Fri, 29 Sep 2023 10:52:01 +0200 (CEST) Date: Fri, 29 Sep 2023 10:52:01 +0200 From: "Gerd Hoffmann" To: Laszlo Ersek Cc: edk2-devel-groups-io , "Li, Yi" , Jiewen Yao Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?) Message-ID: References: <27kjaqdrgubri6i3vvickznsmdqnuo6h3tbxfmb3hr76n75gjf@cah3opindcnc> <273c853d-e70b-ddda-4387-35b825fdfebc@redhat.com> MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kraxel@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: cmONEYSxg364vIUMlGCIy1Hqx7686176AA= Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=iF8FocyO; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io On Fri, Sep 29, 2023 at 10:42:19AM +0200, Gerd Hoffmann wrote: > Hi, > > > > According to the mailing list discussion linked in > > > , > > > "TlsCipherMappingTable" should never offer *more* cipher suites than > > > actually supported by OpensslLib (because then the TLS client might > > > negotiate a cipher suite with the server that the client ultimately > > > won't be able to support). > > Hmm, maybe *that* is the problem. edk2 has its own crypto algo provider > (CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c) offering a limited > set of ciphers to reduce the size of OpensslLib. This was added with > the switch to openssl-3. Hmm, the man-page says otherwise, ciphers not compiled in are supposed to get ignored: The control string str for SSL_CTX_set_cipher_list(), SSL_set_cipher_list(), SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() should be universally usable and not depend on details of the library configuration (ciphers compiled in). Thus no syntax checking takes place. Items that are not recognized, because the corresponding ciphers are not compiled in or because they are mistyped, are simply ignored. Failure is only flagged if no ciphers could be collected at all. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#109188): https://edk2.groups.io/g/devel/message/109188 Mute This Topic: https://groups.io/mt/101613778/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-