Re: [edk2-devel] setting TLS ciphers is broken (openssl 3?)

Wed, 27 Sep 2023 10:30:52 -0700 

Hi Gerd
Thanks for the reporting. 

We will look into that. Is below text full reproduce steps? Which server you 
are using? Which TLS version is configured?
Please provide as detail as possible, if you could.


One more thing: We are going to have 1 week National Holiday since Tomorrow.
If we cannot nail down shortly, that would be next next week.

Thank you
Yao, Jiewen



> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gerd
> Hoffmann
> Sent: Wednesday, September 27, 2023 4:39 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] setting TLS ciphers is broken (openssl 3?)
> 
>   Hi,
> 
> I've noticed that setting chipers for TLS stopped working in ovmf, most
> likely due to the openssl 3.0 update.
> 
> Test case: try http boot from https server, set ciphers on the qemu
> command line using:
>     -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>     -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
> 
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
> 
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the IDs
> to strings and call SSL_set_cipher_list() with the result.
> 
> Later on the tls handshake fails.  From the log:
> 
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
>   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-AES128-GC
>   M-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-
> SHA384:DHE-RSA-A
>   ES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
>   }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
> TlsDoHandshake ERROR 0x308010C=L6:R8010C
> TlsDoHandshake ERROR 0xA0C0103=L14:RC0103
> [ ... ]
> 
> take care,
>   Gerd
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109128): https://edk2.groups.io/g/devel/message/109128
Mute This Topic: https://groups.io/mt/101613778/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to