On 9/27/23 10:38, kraxel at redhat.com (Gerd Hoffmann) wrote:
>   Hi,
>
> I've noticed that setting ciphers for TLS stopped working in ovmf,
> most likely due to the openssl 3.0 update.
>
> Test case: try http boot from https server, set ciphers on the qemu
> command line using:
>   -object tls-cipher-suites,id=tls-cipher0,priority=@SYSTEM
>   -fw_cfg name=etc/edk2/https/ciphers,gen_id=tls-cipher0
>
> OvmfPkg/Library/TlsAuthConfigLib will read it from fwcfg and set
> EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
>
> CryptoPkg/Library/TlsLib/TlsConfig.c will read the variable, map the
> IDs to strings and call SSL_set_cipher_list() with the result.
>
> Later on the tls handshake fails. From the log:
>
> [ ... ]
> TlsDxe:TlsSetCipherList: CipherString={
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-DES-CBC3-SHA
> }
> [ ... ]
> TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x10 SSL_ERROR_SSL
> TlsDoHandshake ERROR 0x308010C=L6:R8010C

Library 6 is "EVP" ("envelope"):

  # define ERR_LIB_EVP 6

Reason code is 0x8010C, in binary:

  10000000000100001100

The least significant 18 bits (ERR_RFLAGS_OFFSET) are the actual reason
code (000000000100001100), bits above it are the reason flags (10).

The reason flag is therefore ERR_RFLAG_COMMON -- "the reason code is
common to all libraries".

Reason code (0x10c, 268) is ERR_R_UNSUPPORTED:

  # define ERR_R_UNSUPPORTED (268|ERR_RFLAG_COMMON)

> TlsDoHandshake ERROR 0xA0C0103=L14:RC0103

Library: 0x14

  # define ERR_LIB_SSL 20

Reason flags: ERR_RFLAG_FATAL (1) + ERR_RFLAG_COMMON (2).

Reason code: 0x103 -- 259

  # define ERR_R_FATAL (ERR_RFLAG_FATAL|ERR_RFLAG_COMMON)
  # define ERR_R_INTERNAL_ERROR (259|ERR_R_FATAL)

For a successful handshake, we need the intersection of the following
sets not to be empty:

(1) the ciphers enabled in your system-wide crypto policy (likely DEFAULT)
(2) TlsCipherMappingTable [CryptoPkg/Library/TlsLib/TlsConfig.c]
(3) the ciphers supported by the openssl library linked into the firmware
(4) the ciphers supported by the HTTPS server

The OpenSSL3 update may have restricted set (3), causing the grand
intersection to be empty.

Can you perhaps relax your crypto policy -- i.e., widen set (1) -- to
LEGACY with "update-crypto-policies", to see if that makes a difference?

(Or else, on the QEMU command line, use a different priority from
@SYSTEM; but I'm not sure how that works.)

Laszlo

View/Reply Online (#109143): https://edk2.groups.io/g/devel/message/109143
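The error-code decoding walked through in the reply above, as an added example that is not part of the original thread: a small C program that unpacks a packed OpenSSL 3 error code (the "0x308010C=L6:R8010C" form printed by TlsDxe) into library id, reason flags and bare reason number. The bit layout and the ERR_* constants are reproduced from openssl/err.h as I know it, so the program builds without OpenSSL headers; decode_err and err_reason_is_common are names chosen here, not OpenSSL API.

```c
#include <stdio.h>
/* Packed OpenSSL 3 error code (openssl/err.h): bits 31..23 library id,
 * bits 22..18 reason flags, bits 17..0 bare reason number. Reproduced locally. */
#define ERR_LIB_OFFSET       23
#define ERR_LIB_MASK         0xFF
#define ERR_RFLAGS_OFFSET    18
#define ERR_RFLAGS_MASK      0x1F
#define ERR_REASON_MASK      0x7FFFFF   /* everything below the library id */
#define ERR_RFLAG_FATAL      0x1
#define ERR_RFLAG_COMMON     0x2
#define ERR_LIB_EVP          6
#define ERR_LIB_SSL          20
#define ERR_R_INTERNAL_ERROR 259
#define ERR_R_UNSUPPORTED    268

typedef struct {
    unsigned lib;        /* ERR_LIB_* value                                  */
    unsigned raw_reason; /* the "R..." field exactly as the firmware log prints it */
    unsigned rflags;     /* ERR_RFLAG_* bits, shifted down to bit 0          */
    unsigned reason;     /* bare number used in the ERR_R_* defines          */
} decoded_err;

decoded_err decode_err(unsigned long e)
{
    decoded_err d;
    d.lib        = (e >> ERR_LIB_OFFSET) & ERR_LIB_MASK;
    d.raw_reason = e & ERR_REASON_MASK;
    d.rflags     = (d.raw_reason >> ERR_RFLAGS_OFFSET) & ERR_RFLAGS_MASK;
    d.reason     = d.raw_reason & ((1u << ERR_RFLAGS_OFFSET) - 1);
    return d;
}

/* Non-zero when the reason is library-independent (the ERR_R_* table applies). */
int err_reason_is_common(decoded_err d)
{
    return (d.rflags & ERR_RFLAG_COMMON) != 0;
}

int main(void)
{
    /* the two codes from the TlsDoHandshake log lines in the thread */
    unsigned long codes[] = { 0x308010CUL, 0xA0C0103UL };
    for (int i = 0; i < 2; i++) {
        decoded_err d = decode_err(codes[i]);
        printf("0x%lX -> L%u:R%X  lib=%u flags=%u%s reason=%u\n", codes[i],
               d.lib, d.raw_reason, d.lib, d.rflags,
               (d.rflags & ERR_RFLAG_FATAL) ? " (FATAL)" : "", d.reason);
    }
    return 0;
}
```

Reason 268 with only COMMON set is ERR_R_UNSUPPORTED from EVP; reason 259 with FATAL|COMMON is ERR_R_INTERNAL_ERROR from libssl, matching the two log lines.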