Greetings!
I have been investigating a TLS_HANDSHAKE_ERROR in QEMU running Ovmf caused by 
an HTTPS call which, upon closer inspection with Wireshark, has been tracked 
down to the cipher suite negotiated being too restrictive.
Enabling additional debugging messages shows them being skipped in TlsConfig.c, 
only 13 being accepted:

TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AD
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AB
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAE
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAD
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAB
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AA
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A8
TlsDxe:TlsSetCipherList: skipping CipherId=0xC038
TlsDxe:TlsSetCipherList: skipping CipherId=0xC036
TlsDxe:TlsSetCipherList: skipping CipherId=0xC021
TlsDxe:TlsSetCipherList: skipping CipherId=0xC020
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B7
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B3
TlsDxe:TlsSetCipherList: skipping CipherId=0x0095
TlsDxe:TlsSetCipherList: skipping CipherId=0x0091
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AF
TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
TlsDxe:TlsSetCipherList: skipping CipherId=0xC037
TlsDxe:TlsSetCipherList: skipping CipherId=0xC035
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01E
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01D
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B6
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B2
TlsDxe:TlsSetCipherList: skipping CipherId=0x0094
TlsDxe:TlsSetCipherList: skipping CipherId=0x0090
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AE
TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
TlsDxe:TlsSetCipherList: CipherString={
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Following OvmfPkg's README, I have tried, to no avail, feeding my host's 
cipher suites to QEMU with the command:
export LC_ALL=C
openssl ciphers -V \
| sed -r -n \
-e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
| xargs -r -- printf -- '%b' > ciphers.bin

In TlsSetCipherList I can see them being filtered based on the 
OpensslCipherStack variable.
I have tried diving down into the source code to learn where this variable is 
being initialized, but it's not yet obvious to me.
Is this related to our OpenSSL port?
Any idea on how I can proceed with a fix?

Example website that accepts the connection:
- https://httpbin.org/get
Example website that fails to connect:
- https://www.toptal.com/developers/postbin/

Grateful for your attention,
C.C.
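Added example, not part of the mail above and not edk2 or OVMF code: a small Python audit that decodes a ciphers.bin the way the README pipeline writes it (assumed here to be one big-endian 16-bit IANA code point per suite, the `0xHH,0xHH` order that `openssl ciphers -V` prints), pulls the `skipping CipherId=` lines out of the TlsDxe debug output, and reports which requested suites the firmware client still offers and which key-exchange families disappear entirely. The sample bytes, log excerpt and registry subset are constructed for the example.

```python
import re
import struct
# Constructed ciphers.bin sample: big-endian 16-bit IANA code points, host preference order.
SAMPLE_CIPHERS_BIN = bytes.fromhex("130213031301c030009fccaac02f009e")

# Constructed excerpt in the format of the TlsDxe debug output quoted in the mail.
SAMPLE_DEBUG_LOG = """\
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
"""

# Hand-copied subset of the IANA TLS Cipher Suite registry (only what the sample needs).
IANA_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCAA: "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

def parse_ciphers_bin(data):
    """Decode ciphers.bin into the ordered list of IANA code points it carries."""
    if len(data) % 2:
        raise ValueError("ciphers.bin must hold whole 16-bit code points")
    return [cp for (cp,) in struct.iter_unpack(">H", data)]

def parse_skipped(log):
    """Collect the code points that TlsSetCipherList reported as skipped."""
    return {int(h, 16) for h in re.findall(r"skipping CipherId=0x([0-9A-Fa-f]{4})", log)}

def key_exchange(name):
    """Key-exchange family of an IANA suite name: 'ECDHE_RSA', 'DHE_RSA', 'RSA', or 'TLS13'."""
    return name[4:].split("_WITH_")[0] if "_WITH_" in name else "TLS13"

def audit(data, log):
    """Compare the suites the host requested with what the firmware actually kept."""
    skipped = parse_skipped(log)
    requested = parse_ciphers_bin(data)
    names = [IANA_NAMES.get(cp, f"UNKNOWN_0x{cp:04X}") for cp in requested]
    offered = [n for n, cp in zip(names, requested) if cp not in skipped]
    dropped = [n for n, cp in zip(names, requested) if cp in skipped]
    # Families the host asked for that the firmware client cannot negotiate at all.
    lost_kx = sorted({key_exchange(n) for n in dropped} - {key_exchange(n) for n in offered})
    return {"offered": offered, "dropped": dropped, "lost_kx": lost_kx}
```

Run `audit(SAMPLE_CIPHERS_BIN, SAMPLE_DEBUG_LOG)` (or point it at a real ciphers.bin and captured debug log) and check `lost_kx`: a server that only offers suites from a family listed there will never complete the handshake with this client, whatever its other settings.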


View/Reply Online (#112640): https://edk2.groups.io/g/devel/message/112640