On 9/28/23 16:25, Gerd Hoffmann wrote: >> The OpenSSL3 update may have restricted set (3), causing the grand >> intersection to be empty. > > That seems to be the case. Maybe (2) needs an update to enable newer > ciphers, when logging the mappings I see there are quite a few IDs which > don't get mapped: > > TlsDxe:TlsSetCipherList: skipping CipherId=0x1302 > TlsDxe:TlsSetCipherList: skipping CipherId=0x1303 > TlsDxe:TlsSetCipherList: skipping CipherId=0x1301 > TlsDxe:TlsSetCipherList: skipping CipherId=0x1304 > TlsDxe:TlsSetCipherList: CipherId=0xC030 -> ECDHE-RSA-AES256-GCM-SHA384 > TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC014 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F > TlsDxe:TlsSetCipherList: skipping CipherId=0xC013 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC012 > TlsDxe:TlsSetCipherList: CipherId=0xC02C -> ECDHE-ECDSA-AES256-GCM-SHA384 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AD > TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A > TlsDxe:TlsSetCipherList: CipherId=0xC02B -> ECDHE-ECDSA-AES128-GCM-SHA256 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC0AC > TlsDxe:TlsSetCipherList: skipping CipherId=0xC009 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC008 > TlsDxe:TlsSetCipherList: skipping CipherId=0x009D > TlsDxe:TlsSetCipherList: skipping CipherId=0xC09D > TlsDxe:TlsSetCipherList: CipherId=0x0035 -> AES256-SHA > TlsDxe:TlsSetCipherList: skipping CipherId=0x009C > TlsDxe:TlsSetCipherList: skipping CipherId=0xC09C > TlsDxe:TlsSetCipherList: CipherId=0x002F -> AES128-SHA > TlsDxe:TlsSetCipherList: CipherId=0x000A -> DES-CBC3-SHA > TlsDxe:TlsSetCipherList: CipherId=0x009F -> DHE-RSA-AES256-GCM-SHA384 > TlsDxe:TlsSetCipherList: skipping CipherId=0xC09F > TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA > TlsDxe:TlsSetCipherList: CipherId=0x0039 -> DHE-RSA-AES256-SHA > TlsDxe:TlsSetCipherList: skipping CipherId=0x009E > TlsDxe:TlsSetCipherList: skipping CipherId=0xC09E > TlsDxe:TlsSetCipherList: CipherId=0x0033 -> DHE-RSA-AES128-SHA > TlsDxe:TlsSetCipherList: CipherId=0x0016 -> DHE-RSA-DES-CBC3-SHA > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3 > TlsDxe:TlsSetCipherList: skipping CipherId=0x0038 > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2 > TlsDxe:TlsSetCipherList: skipping CipherId=0x0032 > TlsDxe:TlsSetCipherList: skipping CipherId=0x0013
> Not setting ciphers works. Right, so the default cipher list built into OpenSSL3 (3) is not the problem in itself, and (1) and (4) have not changed. I have raised before that TlsCipherMappingTable should be kept in sync with all the ciphers that we build in from OpenSSL: * https://bugzilla.tianocore.org/show_bug.cgi?id=915#c0 (dated 2018-03-30): > (3) While it is correct that an unrecognized EFI_TLS_CIPHER is rejected with > EFI_UNSUPPORTED, the table used by TlsGetCipherString(), namely > "TlsCipherMappingTable", is very lacking -- at commit 9c7d0d499296, it lists > 23 cipher suites, and even those include "NULL-MD5" and "NULL-SHA". > > On my laptop, "openssl ciphers -V ALL" lists 110 cipher suites. > > The "TlsCipherMappingTable" array should include all ciphers that are > supported by the OpenSSL release identified in > > CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt > > Whenever edk2 picks up a new OpenSSL release, the cipher table should be > actualized. * https://bugzilla.tianocore.org/show_bug.cgi?id=929 (reported on 2018-04-10; closed as WONTFIX by myself, approx. 5 years later, because nobody cared): > According to the mailing list discussion linked in > <https://bugzilla.tianocore.org/show_bug.cgi?id=915#c8>, > "TlsCipherMappingTable" should never offer *more* cipher suites than > actually supported by OpensslLib (because then the TLS client might > negotiate a cipher suite with the server that the client ultimately > won't be able to support). However, for best coverage of the ciphers > that *are* available, "TlsCipherMappingTable" should reasonably > approach the set of ciphers that we enable in "OpensslLib.inf". Please > review the latter set and merge the according cipher suite identifiers > into "TlsCipherMappingTable". Also reported by Microsoft separately: * https://bugzilla.tianocore.org/show_bug.cgi?id=2541 (reported on 2020-02-20; in CONFIRMED state currently) ... I wonder how TlsCipherMappingTable looks in Project Mu! Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#109186): https://edk2.groups.io/g/devel/message/109186 Mute This Topic: https://groups.io/mt/101613778/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/leave/9847357/21656/1706620634/xyzzy [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
