Hi,
I've noticed that setting chipers for TLS stopped working in ovmf, most
likely due to the openssl 3.0 update.
Test case: try http boot from https server, set ciphers on the qemu
command line using:
-object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
-fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the IDs
to strings and call SSL_set_cipher_list() with the result.
Later on the tls handshake fails. From the log:
[ ... ]
TlsDxe:TlsSetCipherList: CipherString={
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GC
M-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-A
ES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
}
[ ... ]
TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x308010C=L6:R8010C
TlsDoHandshake ERROR 0xA0C0103=L14:RC0103
[ ... ]
take care,
Gerd
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#109114): https://edk2.groups.io/g/devel/message/109114
Mute This Topic: https://groups.io/mt/101613778/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
