From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+109188+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 4893F9415D5
	for <rebecca@openfw.io>; Fri, 29 Sep 2023 08:52:12 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=+25xtmWdfvbH4sbntvrCBVUziPy+evqpppVHcjl7J5M=;
 c=relaxed/simple; d=groups.io;
 h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition;
 s=20140610; t=1695977531; v=1;
 b=iF8FocyOWlXWmGp6wxZZ57jwq3l5S6O9xZOv/T32toucDtvWeycvXo/qmcmg3HwFNXUcuQcK
 Auv6o9KQ8pJrWD2xzj9ZLTUF8DDhnhh1EvGnAzUrVEFWrZiARBGWoQGWEh8lW6svSqk2GufRZ7A
 xdYG50d7rBr62sVk8/fbBnk0=
X-Received: by 127.0.0.2 with SMTP id 2psxYY7687511xlqv6Gpfmc8; Fri, 29 Sep 2023 01:52:11 -0700
X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mx.groups.io with SMTP id smtpd.web10.13203.1695977530099349219
 for <devel@edk2.groups.io>;
 Fri, 29 Sep 2023 01:52:10 -0700
X-Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-474-G30MtiC9MuqqdBFy6PdaRA-1; Fri, 29 Sep 2023 04:52:03 -0400
X-MC-Unique: G30MtiC9MuqqdBFy6PdaRA-1
X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3CCBE3C025BC;
	Fri, 29 Sep 2023 08:52:03 +0000 (UTC)
X-Received: from sirius.home.kraxel.org (unknown [10.39.193.95])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 0C59510005D2;
	Fri, 29 Sep 2023 08:52:03 +0000 (UTC)
X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000)
	id 900D71800638; Fri, 29 Sep 2023 10:52:01 +0200 (CEST)
Date: Fri, 29 Sep 2023 10:52:01 +0200
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>, 
	"Li, Yi" <yi1.li@intel.com>, Jiewen Yao <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Message-ID: <dr432gqdkktjfymocygo3durw7alvj5aspe725o5crubb4astt@eifvyvdy6dgl>
References: <27kjaqdrgubri6i3vvickznsmdqnuo6h3tbxfmb3hr76n75gjf@cah3opindcnc>
 <273c853d-e70b-ddda-4387-35b825fdfebc@redhat.com>
 <onpnc4wm6nktbt6wcyemwxu5m5h3zwk63p4oqiuqcp7rgolfy6@m7ouivyfbdvz>
 <c0498b7c-3b06-9934-3bc6-97d8740141a1@redhat.com>
 <x7eowssyon4id3m4qmjgiwakvfothqph4u4pevgogu2kdz5spa@u7d72lcusu7t>
MIME-Version: 1.0
In-Reply-To: <x7eowssyon4id3m4qmjgiwakvfothqph4u4pevgogu2kdz5spa@u7d72lcusu7t>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,kraxel@redhat.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: cmONEYSxg364vIUMlGCIy1Hqx7686176AA=
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=iF8FocyO;
	dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none);
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io

On Fri, Sep 29, 2023 at 10:42:19AM +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> > > According to the mailing list discussion linked in
> > > <https://bugzilla.tianocore.org/show_bug.cgi?id=915#c8>,
> > > "TlsCipherMappingTable" should never offer *more* cipher suites than
> > > actually supported by OpensslLib (because then the TLS client might
> > > negotiate a cipher suite with the server that the client ultimately
> > > won't be able to support).
> 
> Hmm, maybe *that* is the problem.  edk2 has its own crypto algo provider
> (CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c) offering a limited
> set of ciphers to reduce the size of OpensslLib.  This was added with
> the switch to openssl-3.

Hmm, the man-page says otherwise, ciphers not compiled in are supposed
to get ignored:

<quote>
  The control string str for SSL_CTX_set_cipher_list(),
  SSL_set_cipher_list(), SSL_CTX_set_ciphersuites() and
  SSL_set_ciphersuites() should be universally usable and not depend on
  details of the library configuration (ciphers compiled in). Thus no
  syntax checking takes place. Items that are not recognized, because the
  corresponding ciphers are not compiled in or because they are mistyped,
  are simply ignored. Failure is only flagged if no ciphers could be
  collected at all.
</quote>

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109188): https://edk2.groups.io/g/devel/message/109188
Mute This Topic: https://groups.io/mt/101613778/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-