From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id D58FC941797 for ; Thu, 28 Sep 2023 14:26:11 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=0fJWDj2GhERy6AKE0xCIgeXBzEdr4Bd/fVzLJ/j0ChU=; c=relaxed/simple; d=groups.io; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:In-Reply-To:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Type:Content-Disposition; s=20140610; t=1695911170; v=1; b=BXXTVgzGURmkbu8GmYESeC+QgkFTI30IYEe6r4vRldkVDpYsrqkGql9WKJjgCyIyNJ13xGiu PIeYQgVXMeXMSLI5Y6NLuRg0U21GaW79mcXrlg6c/m9k8KVaFR11sdNNV4+ioUYxGL9eGKuAWIT YHvtW236VTVWRK5m4CeRNVvA= X-Received: by 127.0.0.2 with SMTP id YUhZYY7687511xAVadJHQa6X; Thu, 28 Sep 2023 07:26:10 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.groups.io with SMTP id smtpd.web11.14630.1695911169681256071 for ; Thu, 28 Sep 2023 07:26:09 -0700 X-Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-93-rF-s2NkmMba0yMZFmABeEw-1; Thu, 28 Sep 2023 10:26:07 -0400 X-MC-Unique: rF-s2NkmMba0yMZFmABeEw-1 X-Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1E574811E7D; Thu, 28 Sep 2023 14:26:06 +0000 (UTC) X-Received: from sirius.home.kraxel.org (unknown [10.39.193.95]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9CB4C170E9; Thu, 28 Sep 2023 14:26:05 +0000 (UTC) X-Received: by sirius.home.kraxel.org (Postfix, from userid 1000) id 8E9751801491; Thu, 28 Sep 2023 16:25:58 +0200 (CEST) Date: Thu, 28 Sep 2023 16:25:58 +0200 From: "Gerd Hoffmann" To: Laszlo Ersek Cc: edk2-devel-groups-io , "Li, Yi" , Jiewen Yao Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?) Message-ID: References: <27kjaqdrgubri6i3vvickznsmdqnuo6h3tbxfmb3hr76n75gjf@cah3opindcnc> <273c853d-e70b-ddda-4387-35b825fdfebc@redhat.com> MIME-Version: 1.0 In-Reply-To: <273c853d-e70b-ddda-4387-35b825fdfebc@redhat.com> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,kraxel@redhat.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: 8UyWjt0PDTLQP8fUSz3kFT68x7686176AA= Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=BXXTVgzG; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=redhat.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io Hi, > > Test case: try http boot from https server, set ciphers on the qemu > > command line using: > > -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM > > -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0 > For a successful handshake, we need the intersection of the following > sets not to be empty: > > (1) the ciphers enabled in your system-wide crypto policy (likely > DEFAULT) > > (2) TlsCipherMappingTable [CryptoPkg/Library/TlsLib/TlsConfig.c] > > (3) the ciphers supported by the openssl library linked into the > firmware > > (4) the ciphers supported by the HTTPS server (1) + (4) should be the same (default system configuration). The https server is standard python http module with ssl module (see below). > The OpenSSL3 update may have restricted set (3), causing the grand > intersection to be empty. That seems to be the case. Maybe (2) needs an update to enable newer ciphers, when logging the mappings I see there are quite a few IDs which don't get mapped: TlsDxe:TlsSetCipherList: skipping CipherId=0x1302 TlsDxe:TlsSetCipherList: skipping CipherId=0x1303 TlsDxe:TlsSetCipherList: skipping CipherId=0x1301 TlsDxe:TlsSetCipherList: skipping CipherId=0x1304 TlsDxe:TlsSetCipherList: CipherId=0xC030 -> ECDHE-RSA-AES256-GCM-SHA384 TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8 TlsDxe:TlsSetCipherList: skipping CipherId=0xC014 TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F TlsDxe:TlsSetCipherList: skipping CipherId=0xC013 TlsDxe:TlsSetCipherList: skipping CipherId=0xC012 TlsDxe:TlsSetCipherList: CipherId=0xC02C -> ECDHE-ECDSA-AES256-GCM-SHA384 TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AD TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9 TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A TlsDxe:TlsSetCipherList: CipherId=0xC02B -> ECDHE-ECDSA-AES128-GCM-SHA256 TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AC TlsDxe:TlsSetCipherList: skipping CipherId=0xC009 TlsDxe:TlsSetCipherList: skipping CipherId=0xC008 TlsDxe:TlsSetCipherList: skipping CipherId=0x009D TlsDxe:TlsSetCipherList: skipping CipherId=0xC09D TlsDxe:TlsSetCipherList: CipherId=0x0035 -> AES256-SHA TlsDxe:TlsSetCipherList: skipping CipherId=0x009C TlsDxe:TlsSetCipherList: skipping CipherId=0xC09C TlsDxe:TlsSetCipherList: CipherId=0x002F -> AES128-SHA TlsDxe:TlsSetCipherList: CipherId=0x000A -> DES-CBC3-SHA TlsDxe:TlsSetCipherList: CipherId=0x009F -> DHE-RSA-AES256-GCM-SHA384 TlsDxe:TlsSetCipherList: skipping CipherId=0xC09F TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA TlsDxe:TlsSetCipherList: CipherId=0x0039 -> DHE-RSA-AES256-SHA TlsDxe:TlsSetCipherList: skipping CipherId=0x009E TlsDxe:TlsSetCipherList: skipping CipherId=0xC09E TlsDxe:TlsSetCipherList: CipherId=0x0033 -> DHE-RSA-AES128-SHA TlsDxe:TlsSetCipherList: CipherId=0x0016 -> DHE-RSA-DES-CBC3-SHA TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3 TlsDxe:TlsSetCipherList: skipping CipherId=0x0038 TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2 TlsDxe:TlsSetCipherList: skipping CipherId=0x0032 TlsDxe:TlsSetCipherList: skipping CipherId=0x0013 > Can you perhaps relax your crypto policy -- i.e., widen set (1) -- to > LEGACY with "update-crypto-policies", to see if that makes a difference? > > (Or else, on the QEMU command line, use a different priority from > @SYSTEM; but I'm not sure how that works.) https://gnutls.org/manual/html_node/Priority-Strings.html Tried @SYSTEM, DEFAULT and LEGACY, none of them work. Not setting ciphers works. take care, Gerd ----------------------------- cut here --------------------------- #!/usr/bin/python import os import ssl import socket import optparse from http.server import SimpleHTTPRequestHandler try: from http.server import ThreadingHTTPServer as HTTPServer except ImportError: from http.server import HTTPServer class HTTPServerV6(HTTPServer): address_family = socket.AF_INET6 parser = optparse.OptionParser() parser.add_option('-d', '--directory', dest = 'directory', type = 'string', default = '.', help = 'server files from DIR', metavar = 'DIR') parser.add_option('-p', '--port', dest = 'port', type = 'int', default = 8080, help = 'bind to tcp port PORT', metavar = 'PORT') parser.add_option('-b', '--bind', dest = 'bind', type = 'string', default ='', help = 'bind to tcp addr ADDR', metavar = 'ADDR') parser.add_option('--tls', dest = 'tls', action = 'store_true', default = False, help = 'enable https mode') parser.add_option('--cert', dest = 'certfile', help = 'use tls certificate file CERT', metavar = 'CERT') parser.add_option('--key', dest = 'keyfile', help = 'use tls certificate key file KEY', metavar = 'KEY') (options, args) = parser.parse_args() print(f'config: dir="{options.directory}", addr="{options.bind}", port={options.port}, tls={options.tls}') if options.tls: print(f'config: certfile="{options.certfile}", keyfile="{options.keyfile}"') handler = SimpleHTTPRequestHandler handler.protocol_version = "HTTP/1.1" server = None if ':' in options.bind: server = HTTPServerV6((options.bind, options.port), handler) else: server = HTTPServer((options.bind, options.port), handler) if options.tls: context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) context.load_cert_chain(options.certfile, options.keyfile) server.socket = context.wrap_socket(server.socket, server_side = True) os.chdir(options.directory) server.serve_forever() -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#109147): https://edk2.groups.io/g/devel/message/109147 Mute This Topic: https://groups.io/mt/101613778/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-