From: Laszlo Ersek <lersek@redhat.com>
To: "Long, Qin"
Cc: "Wu, Jiaxin", edk2-devel-01, Ard Biesheuvel, Gary Ching-Pang Lin, "Justen, Jordan L", "Gao, Liming", "Kinney, Michael D", "Fu, Siyuan", "Ye, Ting"
References: <20180403145149.8925-1-lersek@redhat.com> <895558F6EA4E3B41AC93A00D163B7274163B458F@SHSMSX103.ccr.corp.intel.com> <475313c2-8a3a-4be4-483c-b15b4d1cbfa6@redhat.com>
Message-ID:
Date: Tue, 10 Apr 2018 12:10:51 +0200
In-Reply-To: <475313c2-8a3a-4be4-483c-b15b4d1cbfa6@redhat.com>
Subject: Re: [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
List-Id: EDK II Development <edk2-devel@lists.01.org>

On 04/10/18 12:02, Laszlo Ersek wrote:
> On 04/10/18 09:40, Long, Qin wrote:
>> #0005, #0006, #0007, #0012, #0013:
>> These implementation looks good to me.
>> But some of updates were based on the assumption of #0008-0009. I have no strong opinion
>> if some original light implementation are good enough currently.

I'd like to comment on this in more detail (namely that "some original
light implementation are good enough currently"):

- I now agree that "TlsCipherMappingTable" should match the ciphers
  built into OpensslLib exactly. However, that makes it only more
  important that we *not* return EFI_UNSUPPORTED immediately when we
  find a cipher suite in the platform's preference list that we don't
  support. Instead, we should filter the platform's list down to what
  we do support.

- The stack allocation with 500 bytes for CipherString is questionable
  practice, in my opinion, given that we add a variable list of cipher
  suite names. It's just not deterministic. It can produce confusing
  results that don't match the caller's (the platform's) intent, and it
  will only become worse when you extend "TlsCipherMappingTable" to the
  full cipher list that we build into OpensslLib *right now*. (And
  that's not considering any future cipher enablements.)

- "@STRENGTH" must be dropped. I have no doubt about that. :)

So, I'd like to keep patch #13 as-is, perhaps squashed together with
patch #12 if you all prefer that.

Thanks!
Laszlo
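The three points argued in the message above (filter the platform's preference list instead of failing on the first unsupported suite, size the cipher string from the names actually kept rather than a fixed 500-byte stack buffer, and leave out "@STRENGTH") can be shown together in one small routine. The code below is an added example written for this page; it is not edk2's TlsLib or NetworkPkg code, and the five-entry mapping table, the preference list in main(), and the names BuildCipherString / LookupOpensslCipher are constructed for the example. The table entries themselves are real IANA suite ID to OpenSSL cipher name pairs. OpenSSL's "@STRENGTH" modifier re-sorts a cipher list by key length, which is why appending it would discard the platform's ordering.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample mapping: IANA TLS cipher suite ID -> OpenSSL cipher
 * name. This is NOT edk2's TlsCipherMappingTable; it is a short table
 * chosen for the example. The pairs themselves are real.
 */
typedef struct {
  uint16_t    IanaCipher;
  const char  *OpensslCipher;
} CIPHER_MAPPING;

static const CIPHER_MAPPING SampleCipherMapping[] = {
  { 0x002F, "AES128-SHA"                  }, /* TLS_RSA_WITH_AES_128_CBC_SHA          */
  { 0x0035, "AES256-SHA"                  }, /* TLS_RSA_WITH_AES_256_CBC_SHA          */
  { 0x009C, "AES128-GCM-SHA256"           }, /* TLS_RSA_WITH_AES_128_GCM_SHA256       */
  { 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
  { 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
};

/* OpenSSL name for an IANA suite ID, or NULL if the suite is not in the
 * table (i.e. not built into the TLS library we link against). */
static const char *LookupOpensslCipher(uint16_t IanaCipher) {
  size_t i;
  for (i = 0; i < sizeof SampleCipherMapping / sizeof SampleCipherMapping[0]; i++) {
    if (SampleCipherMapping[i].IanaCipher == IanaCipher) {
      return SampleCipherMapping[i].OpensslCipher;
    }
  }
  return NULL;
}

/*
 * Build an OpenSSL cipher string ("NAME1:NAME2:...") from the platform's
 * preference list, preserving the platform's order.
 *
 *  - Unsupported suites are skipped; the request fails only if nothing
 *    in the list is supported.
 *  - The buffer is sized from the names actually kept, so a long list
 *    can never be silently truncated by a fixed-size buffer.
 *  - No "@STRENGTH" is appended, so OpenSSL keeps the caller's order.
 *
 * Returns a heap string the caller frees, or NULL when no suite is
 * supported or malloc fails. *SupportedCount receives the number kept.
 */
char *BuildCipherString(const uint16_t *Suites, size_t Count,
                        size_t *SupportedCount) {
  size_t Len = 0, Kept = 0, i;
  char *Out, *P;

  /* Pass 1: measure. Each kept name needs its length plus ':' or NUL. */
  for (i = 0; i < Count; i++) {
    const char *Name = LookupOpensslCipher(Suites[i]);
    if (Name == NULL) {
      continue;                           /* filter, don't fail */
    }
    Len += strlen(Name) + 1;
    Kept++;
  }
  if (SupportedCount != NULL) {
    *SupportedCount = Kept;
  }
  if (Kept == 0) {
    return NULL;                          /* genuinely unsupported */
  }

  /* Pass 2: allocate exactly and fill, same filter and same order. */
  Out = malloc(Len);
  if (Out == NULL) {
    return NULL;
  }
  P = Out;
  for (i = 0; i < Count; i++) {
    const char *Name = LookupOpensslCipher(Suites[i]);
    size_t NameLen;
    if (Name == NULL) {
      continue;
    }
    NameLen = strlen(Name);
    memcpy(P, Name, NameLen);
    P += NameLen;
    *P++ = ':';
  }
  P[-1] = '\0';                           /* overwrite the trailing ':' */
  return Out;
}

int main(void) {
  /* Constructed preference list: two supported suites, a TLS 1.3 suite
   * (0x1301) missing from the sample table, and a bogus ID. */
  const uint16_t Pref[] = { 0xC030, 0x1301, 0x002F, 0xFFFF };
  size_t Total = sizeof Pref / sizeof Pref[0], Kept = 0;
  char *Str = BuildCipherString(Pref, Total, &Kept);

  if (Str == NULL) {
    puts("no supported cipher suites in the preference list");
    return 1;
  }
  printf("%zu of %zu suites kept: %s\n", Kept, Total, Str);
  free(Str);
  return 0;
}
```

With the constructed list above, the two unknown IDs are dropped and the result is "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA" in the platform's order; a real implementation would return its "unsupported" status only on the NULL-with-zero-kept path, and would let the caller log which IDs were filtered.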