From: "CrossedCarpet"
To: devel@edk2.groups.io
Subject: [edk2-devel] TlsDxe skips most cipher suites, failing to negotiate a HTTPS connections
Date: Mon, 18 Dec 2023 03:32:30 -0800
View/Reply Online (#112640): https://edk2.groups.io/g/devel/message/112640

Greetings!
I have been investigating a TLS_HANDSHAKE_ERROR in QEMU running OVMF caused by an HTTPS call which, upon closer inspection with Wireshark, has been tracked down to the cipher suite negotiated being too restrictive.
Enabling additional debugging messages shows them being skipped in TlsConfig.c, only 13 being accepted:

TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AD
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AB
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAE
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAD
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAB
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AA
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A8
TlsDxe:TlsSetCipherList: skipping CipherId=0xC038
TlsDxe:TlsSetCipherList: skipping CipherId=0xC036
TlsDxe:TlsSetCipherList: skipping CipherId=0xC021
TlsDxe:TlsSetCipherList: skipping CipherId=0xC020
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B7
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B3
TlsDxe:TlsSetCipherList: skipping CipherId=0x0095
TlsDxe:TlsSetCipherList: skipping CipherId=0x0091
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AF
TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
TlsDxe:TlsSetCipherList: skipping CipherId=0xC037
TlsDxe:TlsSetCipherList: skipping CipherId=0xC035
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01E
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01D
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B6
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B2
TlsDxe:TlsSetCipherList: skipping CipherId=0x0094
TlsDxe:TlsSetCipherList: skipping CipherId=0x0090
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AE
TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
TlsDxe:TlsSetCipherList: CipherString={
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA
-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-S
HA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-
SHA256:AES256-SHA:AES128-SHA

Following OvmfPkg's README, I have tried to no avail feeding my host's ciphersuite to QEMU with the command:
  export LC_ALL=C
  openssl ciphers -V \
  | sed -r -n \
     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
  | xargs -r -- printf -- '%b' > ciphers.bin

In TlsSetCipherList I can see them being filtered based on the OpensslCipherStack variable.
I have tried diving down into the source code to learn where this variable is being initialized but it's not yet obvious to me.
Is this related to our OpenSSL port?
Any idea on how I can proceed with a fix?

Example website that accepts the connection:
- https://httpbin.org/get
Example website that fails to connect:
- https://www.toptal.com/developers/postbin/

Grateful for your attention,
C.C.
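A triage helper for the situation described in the message, added here as an example (it is not part of the original post and not EDK2 code): it decodes a ciphers.bin such as the README pipeline writes, assumed to be back-to-back 2-byte big-endian IANA IDs, and cross-references it with the "skipping CipherId=" lines. The sample log, sample file, function names and the small IANA name table are constructed for illustration.

```python
import re
import struct

# Constructed sample in the format of the TlsDxe debug lines quoted above.
SAMPLE_LOG = """\
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
"""
# Constructed ciphers.bin: assumed layout is 2-byte big-endian IDs, back to back.
SAMPLE_BIN = bytes.fromhex("1302 1303 1301 c02c c030 009f cca8 009e")

# Subset of the IANA TLS cipher suite registry; extend as needed.
IANA = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# "=3D" is the quoted-printable form of "=" seen in raw mail archives.
SKIP_RE = re.compile(r"TlsSetCipherList: skipping CipherId=(?:3D)?0x([0-9A-Fa-f]{4})")

def parse_ciphers_bin(data):
    """Decode ciphers.bin into a list of 16-bit cipher suite IDs."""
    if len(data) % 2:
        raise ValueError("truncated file: odd number of bytes")
    return [cid for (cid,) in struct.iter_unpack(">H", data)]

def skipped_ids(log_text):
    """Collect the IDs that TlsSetCipherList reported as skipped."""
    return {int(m.group(1), 16) for m in SKIP_RE.finditer(log_text)}

def triage(data, log_text):
    """Split the offered suites into kept/skipped, preserving preference order."""
    offered, skipped = parse_ciphers_bin(data), skipped_ids(log_text)
    name = lambda cid: IANA.get(cid, "0x%04X" % cid)
    return {
        "kept": [name(c) for c in offered if c not in skipped],
        "skipped": [name(c) for c in offered if c in skipped],
        # Non-empty means the log was produced from a different cipher list.
        "skipped_not_offered": sorted(skipped - set(offered)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BIN, SAMPLE_LOG).items():
        print(key, value)
```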