[edk2-devel] setting TLS ciphers is broken (openssl 3?)

Li, Yi yi1.li at intel.com
Thu Sep 28 01:32:06 UTC 2023


Hi Gerd,

We have validated HTTPS boot and WiFi with EAP-TLS, where the code consumes the OpenSSL 3.0 TLS lib API.

So we cannot reproduce this issue. Could you provide detailed test steps to me? I will look into it.

Thanks,
Yi

-----Original Message-----
From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Yao, Jiewen
Sent: Thursday, September 28, 2023 1:31 AM
To: devel at edk2.groups.io; kraxel at redhat.com
Subject: Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)

Hi Gerd
Thanks for reporting.

We will look into that. Is the text below the full set of reproduction steps? Which server are you using? Which TLS version is configured?
Please provide as much detail as possible, if you could.


One more thing: we are going to have a one-week national holiday starting tomorrow.
If we cannot nail it down shortly, that would be the week after next.

Thank you
Yao, Jiewen



> -----Original Message-----
> From: devel at edk2.groups.io <devel at edk2.groups.io> On Behalf Of Gerd 
> Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel at edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
> 
>   Hi,
> 
> I've noticed that setting ciphers for TLS stopped working in ovmf, 
> most likely due to the openssl 3.0 update.
> 
> Test case: try http boot from https server, set ciphers on the qemu 
> command line using:
>     -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>     -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
> 
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set 
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
> 
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the 
> IDs to strings and call SSL_set_cipher_list() with the result.
> 
> Later on the tls handshake fails.  From the log:
> 
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-AES128-GC
>   M-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-
> SHA384:DHE-RSA-A
>   ES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
>   }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL 
> TlsDoHandshake ERROR 0x308010C=L6:R8010C TlsDoHandshake ERROR 
> 0xA0C0103=L14:RC0103 [ ... ]
> 
> take care,
>   Gerd
> 
> 
> 
> 
> 
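The report above hands a fixed cipher string to SSL_set_cipher_list() and only finds out at handshake time that nothing usable is left. A quick way to see which names the linked OpenSSL actually keeps from that string, before any handshake, is to feed it to Python's ssl module, which wraps the same SSL_CTX_set_cipher_list() call. This is an added diagnostic, not code from the thread or from edk2; it assumes Python 3 with its ssl module built against the OpenSSL build you want to check, and the cipher string below is the one from the TlsDxe log, de-wrapped.

```python
import ssl

# Cipher string as printed by TlsDxe:TlsSetCipherList in the report, joined
# back onto one line (the mail client wrapped it).
LOGGED_CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "DHE-RSA-DES-CBC3-SHA"
)


def probe_cipher_list(cipher_string):
    """Parse an OpenSSL cipher string the way SSL_set_cipher_list() does and
    report which requested names the library kept.

    Returns (accepted, dropped), both in request order. OpenSSL silently
    skips names it does not know or has compiled out, and only fails the
    whole call when *no* name matches; in that case every name is dropped.
    Note: the security level can still exclude a kept cipher at handshake
    time, so an accepted name is necessary, not sufficient.
    """
    requested = [name for name in cipher_string.split(":") if name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # -> SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        # "No cipher can be selected": the string matched nothing at all.
        return [], requested
    kept = {c["name"] for c in ctx.get_ciphers()}  # -> SSL_get_ciphers()
    accepted = [n for n in requested if n in kept]
    dropped = [n for n in requested if n not in kept]
    return accepted, dropped


def summarize(cipher_string):
    """Human-readable verdict for a cipher string, for use from a shell."""
    accepted, dropped = probe_cipher_list(cipher_string)
    lines = [f"OpenSSL: {ssl.OPENSSL_VERSION}",
             f"accepted ({len(accepted)}): {', '.join(accepted) or '-'}",
             f"dropped  ({len(dropped)}): {', '.join(dropped) or '-'}"]
    if not accepted:
        lines.append("no TLS<=1.2 cipher left: handshake would fail")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(LOGGED_CIPHER_STRING))
```

Run it against the Python that links the OpenSSL build in question; the dropped list shows which entries of the fw_cfg cipher ID mapping no longer map to anything in that library.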