<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Microsoft JhengHei";
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@Microsoft JhengHei";
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:522791959;
mso-list-type:hybrid;
mso-list-template-ids:2041625632 -1089674526 -1133235310 -1280640572 1608780630 823718640 2095977246 -491853702 1173917738 590746170;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:675887736;
mso-list-template-ids:-2052193864;}
@list l2
{mso-list-id:776488549;
mso-list-template-ids:-1993080654;}
@list l3
{mso-list-id:1227640991;
mso-list-type:hybrid;
mso-list-template-ids:1284545288 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="text-justify-trim:punctuation">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">I did some research about TLS v1.3 and here is my suggestion.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">I want to first collect information if we should continue to support TLS v1.1 or below.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">I personally suggest stopping support TLS v1.1 or below, for this is a trend.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The first suggestion is about TLS version configuration.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The supported TLS version should be a range not just a fixed value. For example, a TLS version from 1.2 to 1.3 are both accepted.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">However, there is not a direct UEFI API to set TLS version as a range.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">SetSessionData method in EFI_TLS_PROTOCOL will set the maximum and minimum TLS version as a same value.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">I have two solutions about this issue and want to collect feedback.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Firstly, use a PCD to set the minimum TLS version in TlsDxe driver’s entry point. Like:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">TlsCtxNew (PCD_Minimum_version_major, PCD_ Minimum_version_minor);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Then the accepted TLS version will be from PCD_Minimum_version to 1.3<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Secondly, use loop to try different TLS versions, which can be implemented in platform side. Like:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> TLSVersionList = [1.3, 1.2, 1.1];<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> for (int i=0; i<len(TLSVersionList); i++) {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> SetSessionData(EfiTlsVersion, TLSVersionList[i]);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> // then, try to connect, if it works, break
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> }<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The second comment is about how to set Cipher list.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">We can now change the gEdkiiHttpTlsCipherListGuid variable to change cipher list.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The same variable and API is used from TLS v1.0 to TLS v1.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">However, TLS v1.3 has a different API and totally different cipher list parameters.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Below is the comparison:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">SSL_set_cipher_list() sets the list of ciphers (TLSv1.2 and below)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The input cipher suite list must include
<span style="background:yellow;mso-highlight:yellow">at least one </span>available cipher suite for TLSv1.2 and below.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">SSL_set_ciphersuites() is used to configure the available TLSv1.3 ciphersuites<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The input cipher suite list must
<span style="background:yellow;mso-highlight:yellow">only</span> include available cipher suite for TLSv1.3.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">I suggest introducing another table TlsV13CipherMappingTable to store the cipher list suit for TLS v1.3.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Before calling SSL_set_ciphersuites(), use the mapping table to filter the cipher list, only remain the available ones.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">In this way, we can save all the cipher lists and cipher suites for TLS 1.3 and TLS v1.2 or below in one same variable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">And before calling API to set cipher list, use the corresponding mapping table to filter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Also, for current TlsCipherMappingTable used for TLS v1.2 or below, I think the below cipher list are all insecure for they use MD5 and SHA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">We should remove them.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0001, "NULL-MD5" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0002, "NULL-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0004, "RC4-MD5" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0005, "RC4-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x000A, "DES-CBC3-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0016, "DHE-RSA-DES-CBC3-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x002F, "AES128-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0030, "DH-DSS-AES128-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0031, "DH-RSA-AES128-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0033, "DHE-RSA-AES128-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0035, "AES256-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0036, "DH-DSS-AES256-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0037, "DH-RSA-AES256-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">MAP ( 0x0039, "DHE-RSA-AES256-SHA" ),
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">And for TLS v1.3, I suggest we enable the following cipher suite.<o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">TLS_AES_256_GCM_SHA384<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">TLS_AES_128_GCM_SHA256<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">TLS_AES_128_CCM_SHA256<o:p></o:p></span></li><li class="MsoNormal" style="mso-list:l0 level1 lfo3"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">TLS_CHACHA20_POLY1305_SHA256<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Please correct me if I am wrong. Any comments are welcomed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Zhiguang<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">From:</span></b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> Liu, Zhiguang
<br>
<b>Sent:</b> Friday, September 4, 2020 10:32 AM<br>
<b>To:</b> Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com>; devel@edk2.groups.io<br>
<b>Cc:</b> Wei, Kent (HPS SW) <kent.wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com>; vladimir.olovyannikov@broadcom.com<br>
<b>Subject:</b> RE: [edk2-devel] Propose on enabling TLSv1.3<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Hi
</span><span style="font-size:11.0pt;mso-fareast-language:ZH-TW">Matthew,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW">Thanks for your patience. I have established a test environment these days.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">With your tls 1.3 patch and
</span>Vladimir’s patch about http shell command, ovmf can download a html file from a https server that only allows tls 1.3.<o:p></o:p></p>
<p class="MsoNormal">This test proves that the basic functionality is good.<o:p></o:p></p>
<p class="MsoNormal">However, I still need time to investigate the impact to security, image size and other aspects.<o:p></o:p></p>
<p class="MsoNormal">I will let you know if any progress from my side.<o:p></o:p></p>
<p class="MsoNormal">Thanks for your contribution <span style="font-family:"Segoe UI Emoji",sans-serif">
😊</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal">Zhiguang <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Huang, Matthew (HPS SW) <</span><a href="mailto:chao-jui.huang@hpe.com"><span style="font-size:11.0pt">chao-jui.huang@hpe.com</span></a><span style="font-size:11.0pt">>
<br>
<b>Sent:</b> Thursday, August 20, 2020 7:16 AM<br>
<b>To:</b> </span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt">; Huang, Matthew (HPS SW) <</span><a href="mailto:chao-jui.huang@hpe.com"><span style="font-size:11.0pt">chao-jui.huang@hpe.com</span></a><span style="font-size:11.0pt">>;
Liu, Zhiguang <</span><a href="mailto:zhiguang.liu@intel.com"><span style="font-size:11.0pt">zhiguang.liu@intel.com</span></a><span style="font-size:11.0pt">><br>
<b>Cc:</b> Wei, Kent (HPS SW) <</span><a href="mailto:kent.wei@hpe.com"><span style="font-size:11.0pt">kent.wei@hpe.com</span></a><span style="font-size:11.0pt">>; Lin, Derek (HPS SW) <</span><a href="mailto:derek.lin2@hpe.com"><span style="font-size:11.0pt">derek.lin2@hpe.com</span></a><span style="font-size:11.0pt">>;
Wang, Nickle (HPS SW) <</span><a href="mailto:nickle.wang@hpe.com"><span style="font-size:11.0pt">nickle.wang@hpe.com</span></a><span style="font-size:11.0pt">>; Wang, Sunny (HPS SW) <</span><a href="mailto:sunnywang@hpe.com"><span style="font-size:11.0pt">sunnywang@hpe.com</span></a><span style="font-size:11.0pt">><br>
<b>Subject:</b> </span><span lang="JA" style="font-size:11.0pt;font-family:"MS PGothic",sans-serif">回覆</span><span style="font-size:11.0pt">: [edk2-devel] Propose on enabling TLSv1.3<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW">Hi Zhiguang:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW">Any comments on these patches?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW">Matthew.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-TW"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">寄件者</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">
</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">
<</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">>
<b><span lang="ZH-TW">代理</span></b> Huang, Matthew (HPS SW)<br>
<b><span lang="ZH-TW">寄件日期</span>:</b> Wednesday, August 12, 2020 7:13 PM<br>
<b><span lang="ZH-TW">收件者</span>:</b> </span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">;
Huang, Matthew (HPS SW) <</span><a href="mailto:chao-jui.huang@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">chao-jui.huang@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">>;
</span><a href="mailto:zhiguang.liu@intel.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">zhiguang.liu@intel.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW"><br>
<b><span lang="ZH-TW">副本</span>:</b> Wei, Kent (HPS SW) <</span><a href="mailto:kent.wei@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">kent.wei@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">>;
Lin, Derek (HPS SW) <</span><a href="mailto:derek.lin2@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">derek.lin2@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">>;
Wang, Nickle (HPS SW) <</span><a href="mailto:nickle.wang@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">nickle.wang@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">>;
Wang, Sunny (HPS SW) <</span><a href="mailto:sunnywang@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">sunnywang@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">><br>
<b><span lang="ZH-TW">主旨</span>:</b> <span lang="ZH-TW">回覆</span>: [edk2-devel] Propose on enabling TLSv1.3<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Zhiguang:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Please refer to the attached ‘tlsv13.patch’ based on tianocore/edk2@be01087e07.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">As I mentioned, ‘process_files.pl’ is processed with ActivePerl 5.28 Build 0000 (64-bit) and MSYS2 MinGW 64-bit, log is attached as ‘process_openssl.txt’.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The problems are still the same, current OpenSSL has two problems:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo6"><span style="font-size:11.0pt">It will not ignore disabled TLSv1.3 cipher suites, which results in all the TLSv1.3 cipher suites defined in TlsCipherMappingTable will be published
no matter what the actual value is in gEdkiiHttpTlsCipherListGuid.HttpTlsCipherList.</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l3 level1 lfo6"><span style="font-size:11.0pt">SSL_set_ciphersuites cannot handle non-TLSv1.3 ciphers, which results in the function fails to set any ciphersuite if there are TLSv1.2 ciphers in the
‘CipherString’ argument.</span><o:p></o:p></li></ol>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">They are minor ones, but would’ve caused the whole flow acts weird. Those two problems are more or less solved or discussed in the OpenSSL scene, but not included in EDK2 yet. If anyone wants to test TLSv1.3,
attachment ‘openssl.patch’ is suggested to be applied for a more reasonable outcome.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Matthew.</span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">寄件者</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">
</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif"> <</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">>
</span><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">代理</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif"> Huang, Matthew (HPS SW)<br>
</span><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">寄件日期</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">
Monday, August 10, 2020 12:26 PM<br>
</span><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">收件者</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">
</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">devel@edk2.groups.io</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">;
</span><a href="mailto:zhiguang.liu@intel.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">zhiguang.liu@intel.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif"><br>
</span><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">副本</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">
Wei, Kent (HPS SW) <</span><a href="mailto:kent.wei@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">kent.wei@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">>; Lin, Derek (HPS
SW) <</span><a href="mailto:derek.lin2@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">derek.lin2@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">>; Wang, Nickle (HPS SW) <</span><a href="mailto:nickle.wang@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">nickle.wang@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">>;
Wang, Sunny (HPS SW) <</span><a href="mailto:sunnywang@hpe.com"><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">sunnywang@hpe.com</span></a><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">><br>
</span><b><span lang="ZH-TW" style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif;mso-fareast-language:ZH-TW">主旨</span></b><b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">:</span></b><span style="font-size:11.0pt;font-family:"Microsoft JhengHei",sans-serif">
Re: [edk2-devel] Propose on enabling TLSv1.3</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi Zhiguang:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Sure, I love to. But I’m new to the scene, please give me some time to figure out how to share the snippet properly, thanks.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Matthew.<o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt">
</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt"> <</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt">>
<b>On Behalf Of </b>Zhiguang Liu<br>
<b>Sent:</b> Monday, August 10, 2020 11:00 AM<br>
<b>To:</b> </span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt">; Huang, Matthew (HPS SW) <</span><a href="mailto:chao-jui.huang@hpe.com"><span style="font-size:11.0pt">chao-jui.huang@hpe.com</span></a><span style="font-size:11.0pt">><br>
<b>Cc:</b> Wei, Kent (HPS SW) <</span><a href="mailto:kent.wei@hpe.com"><span style="font-size:11.0pt">kent.wei@hpe.com</span></a><span style="font-size:11.0pt">>; Lin, Derek (HPS SW) <</span><a href="mailto:derek.lin2@hpe.com"><span style="font-size:11.0pt">derek.lin2@hpe.com</span></a><span style="font-size:11.0pt">>;
Wang, Nickle (HPS SW) <</span><a href="mailto:nickle.wang@hpe.com"><span style="font-size:11.0pt">nickle.wang@hpe.com</span></a><span style="font-size:11.0pt">>; Wang, Sunny (HPS SW) <</span><a href="mailto:sunnywang@hpe.com"><span style="font-size:11.0pt">sunnywang@hpe.com</span></a><span style="font-size:11.0pt">><br>
<b>Subject:</b> Re: [edk2-devel] Propose on enabling TLSv1.3</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Matthew,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Can you share the code about implementing tls 1.3 to the community?</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We can discuss the problems according to the code.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Zhiguang</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt">
</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt"> <</span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt">>
<b>On Behalf Of </b>Huang, Matthew (HPS SW)<br>
<b>Sent:</b> Monday, August 3, 2020 1:55 PM<br>
<b>To:</b> </span><a href="mailto:devel@edk2.groups.io"><span style="font-size:11.0pt">devel@edk2.groups.io</span></a><span style="font-size:11.0pt"><br>
<b>Cc:</b> Wei, Kent (HPS SW) <</span><a href="mailto:kent.wei@hpe.com"><span style="font-size:11.0pt">kent.wei@hpe.com</span></a><span style="font-size:11.0pt">>; Lin, Derek (HPS SW) <</span><a href="mailto:derek.lin2@hpe.com"><span style="font-size:11.0pt">derek.lin2@hpe.com</span></a><span style="font-size:11.0pt">>;
Wang, Nickle (HPS SW) <</span><a href="mailto:nickle.wang@hpe.com"><span style="font-size:11.0pt">nickle.wang@hpe.com</span></a><span style="font-size:11.0pt">>; Wang, Sunny (HPS SW) <</span><a href="mailto:sunnywang@hpe.com"><span style="font-size:11.0pt">sunnywang@hpe.com</span></a><span style="font-size:11.0pt">><br>
<b>Subject:</b> [edk2-devel] Propose on enabling TLSv1.3</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Hi:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">It’s Matthew from HPE UEFI team. There is no TLSv1.3 support under current EDK2 releases, and I’m working on enabling TLSv1.3 under UEFI and the result looks promising. OpenSSL have already made RFC8446 happens in late 2018, the submodule
we’re having on the master branch is more than enough to make the whole thing work.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">There are several problems needed to be addressed:'<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">1. OpenSslLib needs a reconfiguration with “no-ec” option on in process_files.pl, and no off the shelf Perl built with native Windows command prompt could’ve processed the file correctly. But I’ve managed to remove the blockage using Perl
MSYS2 build under Windows without any error. Since this is only a one-timer, I don’t think that would’ve caused too much of a trouble. The produced opensslconf.h seems correct, and this is all we need.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">2. There are some policies issues caused by OpenSSL, OpenSSL explicitly describes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_ciphersuites is for TLSv1.3, but these function are tangled to each other and the behavior
is not equally fair. In current revision EDK2 included in the OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but will not apply them, meanwhile SSL_set_ciphersuites cannot support any cipher lower than v1.3. This will cause a problem that
when user applies auto versioning, TLSv1.3 will not be applied even if v1.3 is enabled except setting an empty list using SSL_set_cipher_list.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 included in the OpenSSL submodule, cannot exclude ciphersuites that user disabled, so every cipher suites will be in the list for server to
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">But I browsed all OpenSSL github PRs or merge-pending patches, both point 2 and 3 have somewhat one or more solutions going on, I’ve applied them for testing and the result is fairly satisfying.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">If there’s a chance we discuss this in code? It will be easier this way, I have a working patch we can start with, thanks.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Matthew<o:p></o:p></p>
<div>
<p class="MsoNormal"></o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>
<div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links:<p> You receive all messages sent to this group. <p> <a target="_blank" href="https://edk2.groups.io/g/devel/message/67684">View/Reply Online (#67684)</a> | | <a target="_blank" href="https://groups.io/mt/76622099/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a><br> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com]<br> <div width="1" style="color:white;clear:both">_._,_._,_</div>