[edk2-devel] setting TLS ciphers is broken (openssl 3?)

Gerd Hoffmann kraxel at redhat.com
Fri Sep 29 08:52:01 UTC 2023


On Fri, Sep 29, 2023 at 10:42:19AM +0200, Gerd Hoffmann wrote:
>   Hi,
> 
> > > According to the mailing list discussion linked in
> > > <https://bugzilla.tianocore.org/show_bug.cgi?id=915#c8>,
> > > "TlsCipherMappingTable" should never offer *more* cipher suites than
> > > actually supported by OpensslLib (because then the TLS client might
> > > negotiate a cipher suite with the server that the client ultimately
> > > won't be able to support).
> 
> Hmm, maybe *that* is the problem.  edk2 has its own crypto algo provider
> (CryptoPkg/Library/OpensslLib/OpensslStub/uefiprov.c) offering a limited
> set of ciphers to reduce the size of OpensslLib.  This was added with
> the switch to openssl-3.

Hmm, the man-page says otherwise; ciphers not compiled in are supposed
to get ignored:

<quote>
  The control string str for SSL_CTX_set_cipher_list(),
  SSL_set_cipher_list(), SSL_CTX_set_ciphersuites() and
  SSL_set_ciphersuites() should be universally usable and not depend on
  details of the library configuration (ciphers compiled in). Thus no
  syntax checking takes place. Items that are not recognized, because the
  corresponding ciphers are not compiled in or because they are mistyped,
  are simply ignored. Failure is only flagged if no ciphers could be
  collected at all.
</quote>

take care,
  Gerd
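The man-page behaviour quoted above, exercised through Python's ssl module (whose set_ciphers() wraps SSL_CTX_set_cipher_list()); this is an added example, not code from the thread or from edk2, and the cipher names passed in are constructed test values. It also shows the check the bugzilla discussion asks for: which entries of a candidate cipher table the linked OpenSSL build would silently drop.

```python
import ssl


def negotiable_ciphers(cipher_string):
    """Apply an OpenSSL cipher-list string and return the TLS <= 1.2 suite
    names the context would actually offer.

    Per the SSL_CTX_set_cipher_list() man page, items that are unrecognized
    (mistyped, or not compiled into the library) are ignored; the call fails
    only when no cipher at all could be collected.  Python surfaces that
    single failure case as ssl.SSLError, which is mapped to None here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)   # SSL_CTX_set_cipher_list() underneath
    except ssl.SSLError:
        return None                      # "No cipher can be selected."
    # TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites)
    # and are always present, so they are excluded from the answer.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unsupported_entries(table):
    """Given a list of cipher names, as a mapping table like
    TlsCipherMappingTable would produce, return the entries this OpenSSL
    build drops on the floor.  A non-empty result means the table offers
    more than the library can actually negotiate."""
    offered = negotiable_ciphers(":".join(table)) or []
    return [name for name in table if name not in offered]


if __name__ == "__main__":
    # Constructed inputs: one real suite and one name OpenSSL does not know.
    print(negotiable_ciphers("ECDHE-RSA-AES128-GCM-SHA256"))
    print(negotiable_ciphers("NOT-A-REAL-CIPHER:ECDHE-RSA-AES128-GCM-SHA256"))
    print(negotiable_ciphers("NOT-A-REAL-CIPHER"))
    print(unsupported_entries(["ECDHE-RSA-AES128-GCM-SHA256",
                               "NOT-A-REAL-CIPHER"]))
```

Run against a non-default OpenSSL build (such as one linked with a reduced provider) to see which table entries that build silently discards.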
