public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Gerd Hoffmann" <kraxel@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel-groups-io <devel@edk2.groups.io>,
	 "Li, Yi" <yi1.li@intel.com>, Jiewen Yao <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
Date: Thu, 28 Sep 2023 16:25:58 +0200	[thread overview]
Message-ID: <onpnc4wm6nktbt6wcyemwxu5m5h3zwk63p4oqiuqcp7rgolfy6@m7ouivyfbdvz> (raw)
In-Reply-To: <273c853d-e70b-ddda-4387-35b825fdfebc@redhat.com>

  Hi,

> > Test case: try http boot from https server, set ciphers on the qemu
> > command line using:
> >     -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
> >     -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0

> For a successful handshake, we need the intersection of the following
> sets not to be empty:
> 
> (1) the ciphers enabled in your system-wide crypto policy (likely
> DEFAULT)
> 
> (2) TlsCipherMappingTable [CryptoPkg/Library/TlsLib/TlsConfig.c]
> 
> (3) the ciphers supported by the openssl library linked into the
> firmware
> 
> (4) the ciphers supported by the HTTPS server

(1) + (4) should be the same (default system configuration).
The https server is standard python http module with ssl module
(see below).

> The OpenSSL3 update may have restricted set (3), causing the grand
> intersection to be empty.

That seems to be the case.  Maybe (2) needs an update to enable newer
ciphers, when logging the mappings I see there are quite a few IDs which
don't get mapped:

TlsDxe:TlsSetCipherList: skipping CipherId=0x1302
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0x1301
TlsDxe:TlsSetCipherList: skipping CipherId=0x1304
TlsDxe:TlsSetCipherList: CipherId=0xC030 -> ECDHE-RSA-AES256-GCM-SHA384
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
TlsDxe:TlsSetCipherList: skipping CipherId=0xC012
TlsDxe:TlsSetCipherList: CipherId=0xC02C -> ECDHE-ECDSA-AES256-GCM-SHA384
TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AD
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9
TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
TlsDxe:TlsSetCipherList: CipherId=0xC02B -> ECDHE-ECDSA-AES128-GCM-SHA256
TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AC
TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
TlsDxe:TlsSetCipherList: skipping CipherId=0xC008
TlsDxe:TlsSetCipherList: skipping CipherId=0x009D
TlsDxe:TlsSetCipherList: skipping CipherId=0xC09D
TlsDxe:TlsSetCipherList: CipherId=0x0035 -> AES256-SHA
TlsDxe:TlsSetCipherList: skipping CipherId=0x009C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC09C
TlsDxe:TlsSetCipherList: CipherId=0x002F -> AES128-SHA
TlsDxe:TlsSetCipherList: CipherId=0x000A -> DES-CBC3-SHA
TlsDxe:TlsSetCipherList: CipherId=0x009F -> DHE-RSA-AES256-GCM-SHA384
TlsDxe:TlsSetCipherList: skipping CipherId=0xC09F
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: CipherId=0x0039 -> DHE-RSA-AES256-SHA
TlsDxe:TlsSetCipherList: skipping CipherId=0x009E
TlsDxe:TlsSetCipherList: skipping CipherId=0xC09E
TlsDxe:TlsSetCipherList: CipherId=0x0033 -> DHE-RSA-AES128-SHA
TlsDxe:TlsSetCipherList: CipherId=0x0016 -> DHE-RSA-DES-CBC3-SHA
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3
TlsDxe:TlsSetCipherList: skipping CipherId=0x0038
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2
TlsDxe:TlsSetCipherList: skipping CipherId=0x0032
TlsDxe:TlsSetCipherList: skipping CipherId=0x0013

> Can you perhaps relax your crypto policy -- i.e., widen set (1) -- to
> LEGACY with "update-crypto-policies", to see if that makes a difference?
> 
> (Or else, on the QEMU command line, use a different priority from
> @SYSTEM; but I'm not sure how that works.)

https://gnutls.org/manual/html_node/Priority-Strings.html

Tried @SYSTEM, DEFAULT and LEGACY, none of them work.

Not setting ciphers works.

take care,
  Gerd

----------------------------- cut here ---------------------------
#!/usr/bin/python
import os
import ssl
import socket
import optparse

from http.server import SimpleHTTPRequestHandler
try:
    from http.server import ThreadingHTTPServer as HTTPServer
except ImportError:
    from http.server import HTTPServer

class HTTPServerV6(HTTPServer):
    address_family = socket.AF_INET6

parser = optparse.OptionParser()
parser.add_option('-d', '--directory', dest = 'directory', type = 'string', default = '.',
                  help = 'server files from DIR', metavar = 'DIR')
parser.add_option('-p', '--port', dest = 'port', type = 'int', default = 8080,
                  help = 'bind to tcp port PORT', metavar = 'PORT')
parser.add_option('-b', '--bind', dest = 'bind', type = 'string', default ='',
                  help = 'bind to tcp addr ADDR', metavar = 'ADDR')
parser.add_option('--tls', dest = 'tls', action = 'store_true', default = False,
                  help = 'enable https mode')
parser.add_option('--cert', dest = 'certfile',
                  help = 'use tls certificate file CERT', metavar = 'CERT')
parser.add_option('--key', dest = 'keyfile',
                  help = 'use tls certificate key file KEY', metavar = 'KEY')
(options, args) = parser.parse_args()

print(f'config: dir="{options.directory}", addr="{options.bind}", port={options.port}, tls={options.tls}')
if options.tls:
    print(f'config: certfile="{options.certfile}", keyfile="{options.keyfile}"')

handler = SimpleHTTPRequestHandler
handler.protocol_version = "HTTP/1.1"
server = None
if ':' in options.bind:
    server = HTTPServerV6((options.bind, options.port), handler)
else:
    server = HTTPServer((options.bind, options.port), handler)
if options.tls:
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(options.certfile, options.keyfile)
    server.socket = context.wrap_socket(server.socket,
                                        server_side = True)

os.chdir(options.directory)
server.serve_forever()



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109147): https://edk2.groups.io/g/devel/message/109147
Mute This Topic: https://groups.io/mt/101613778/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  reply	other threads:[~2023-09-28 14:26 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-27  8:38 [edk2-devel] setting TLS ciphers is broken (openssl 3?) Gerd Hoffmann
2023-09-27 17:30 ` Yao, Jiewen
2023-09-28  1:32   ` Li, Yi
2023-09-28  9:11 ` Laszlo Ersek
2023-09-28 14:25   ` Gerd Hoffmann [this message]
2023-09-29  7:59     ` Laszlo Ersek
2023-09-29  8:42       ` Gerd Hoffmann
2023-09-29  8:52         ` Gerd Hoffmann
2023-09-29 10:19     ` Gerd Hoffmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=onpnc4wm6nktbt6wcyemwxu5m5h3zwk63p4oqiuqcp7rgolfy6@m7ouivyfbdvz \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox