Greetings! I have been investigating a TLS_HANDSHAKE_ERROR in QEMU running OVMF caused by an HTTPS call which, upon closer inspection with Wireshark, has been tracked down to the cipher suite negotiated being too restrictive. Enabling additional debugging messages shows them being skipped in TlsConfig.c, only 13 being accepted:
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCA8
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAA
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AD
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AB
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAE
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAD
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A9
TlsDxe:TlsSetCipherList: skipping CipherId=0xCCAB
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AC
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AA
TlsDxe:TlsSetCipherList: skipping CipherId=0x00A8
TlsDxe:TlsSetCipherList: skipping CipherId=0xC038
TlsDxe:TlsSetCipherList: skipping CipherId=0xC036
TlsDxe:TlsSetCipherList: skipping CipherId=0xC021
TlsDxe:TlsSetCipherList: skipping CipherId=0xC020
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B7
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B3
TlsDxe:TlsSetCipherList: skipping CipherId=0x0095
TlsDxe:TlsSetCipherList: skipping CipherId=0x0091
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AF
TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
TlsDxe:TlsSetCipherList: skipping CipherId=0xC037
TlsDxe:TlsSetCipherList: skipping CipherId=0xC035
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01E
TlsDxe:TlsSetCipherList: skipping CipherId=0xC01D
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B6
TlsDxe:TlsSetCipherList: skipping CipherId=0x00B2
TlsDxe:TlsSetCipherList: skipping CipherId=0x0094
TlsDxe:TlsSetCipherList: skipping CipherId=0x0090
TlsDxe:TlsSetCipherList: skipping CipherId=0x00AE
TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
TlsDxe:TlsSetCipherList: CipherString={ TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Following OvmfPkg's README, I have tried, to no avail, feeding my host's cipher suites to QEMU with the command:

  export LC_ALL=C
  openssl ciphers -V \
  | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
  | xargs -r -- printf -- '%b' > ciphers.bin

In TlsSetCipherList I can see them being filtered based on the OpensslCipherStack variable. I have tried diving down into the source code to learn where this variable is being initialized, but it's not yet obvious to me. Is this related to our OpenSSL port? Any idea on how I can proceed with a fix?

Example website that accepts the connection:
- https://httpbin.org/get

Example website that fails to connect:
- https://www.toptal.com/developers/postbin/

Grateful for your attention,
C.C.

View/Reply Online (#112640): https://edk2.groups.io/g/devel/message/112640
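As an added example (not code from the post above or from edk2), here is a small Python tool that decodes a ciphers.bin built the README way and marks which of its suites show up as "skipping CipherId=" lines in the firmware log, so the accepted remainder can be listed without counting by hand. It assumes the blob layout the README pipeline produces (each IANA suite ID as two big-endian bytes) and the log line format shown in the post; the sample blob and log lines below are constructed, and host_suite_names() uses the host's OpenSSL through Python's ssl module only to put names on the IDs. The tool reports the difference between the two; it does not explain why TlsDxe skipped a given suite.

```python
"""Cross-check an OVMF ciphers.bin against TlsDxe's 'skipping CipherId=' log lines.

Added example, not edk2 code. Assumed layout (as in the OvmfPkg README pipeline):
each suite in ciphers.bin is its IANA 16-bit ID as two big-endian bytes.
"""
import re
import struct

# Constructed sample log: three of the IDs the post shows being skipped.
SAMPLE_LOG = """\
TlsDxe:TlsSetCipherList: skipping CipherId=0x1303
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
TlsDxe:TlsSetCipherList: CipherString={ TLS_AES_256_GCM_SHA384:AES128-SHA
"""

# Constructed sample blob: two suites the log rejects, two it does not mention.
SAMPLE_BLOB = bytes.fromhex("1303 c02c 1302 002f")

SKIP_RE = re.compile(r"skipping CipherId=0x([0-9A-Fa-f]{4})")


def parse_skipped(log_text):
    """Return the set of IANA cipher-suite IDs the firmware reported as skipped."""
    return {int(m.group(1), 16) for m in SKIP_RE.finditer(log_text)}


def encode_cipher_bin(suite_ids):
    """Serialize suite IDs the way ciphers.bin is laid out: 2 big-endian bytes each."""
    return b"".join(struct.pack(">H", sid) for sid in suite_ids)


def decode_cipher_bin(blob):
    """Inverse of encode_cipher_bin. An odd-length file means the blob was built
    wrongly (e.g. a mangled printf escape), so refuse it instead of truncating."""
    if len(blob) % 2:
        raise ValueError("ciphers.bin must be an even number of bytes (2 per suite)")
    return [sid for (sid,) in struct.iter_unpack(">H", blob)]


def classify(blob, log_text):
    """Split the supplied suites into (accepted, rejected), preserving file order."""
    skipped = parse_skipped(log_text)
    supplied = decode_cipher_bin(blob)
    accepted = [s for s in supplied if s not in skipped]
    rejected = [s for s in supplied if s in skipped]
    return accepted, rejected


def host_suite_names():
    """Map IANA ID -> OpenSSL name from the host's OpenSSL, the same data
    `openssl ciphers -V` prints. OpenSSL's 32-bit cipher id keeps the IANA ID
    in its low 16 bits (e.g. 0x03001302 -> 0x1302)."""
    import ssl
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def host_cipher_bin():
    """Same blob the README's openssl|sed|xargs pipeline builds, in the host's preference order."""
    return encode_cipher_bin(list(host_suite_names()))


if __name__ == "__main__":
    import sys
    # usage: python3 check_ciphers.py ciphers.bin firmware.log  (no args: built-in samples)
    if len(sys.argv) > 2:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        with open(sys.argv[2]) as f:
            log = f.read()
    else:
        blob, log = SAMPLE_BLOB, SAMPLE_LOG
    try:
        names = host_suite_names()
    except Exception:  # no usable OpenSSL binding: fall back to bare IDs
        names = {}
    accepted, rejected = classify(blob, log)
    for label, ids in (("accepted", accepted), ("skipped", rejected)):
        print(f"{label} ({len(ids)}):")
        for sid in ids:
            print(f"  0x{sid:04X}  {names.get(sid, '?')}")
```

Run it with the real ciphers.bin and the captured debug log to get the accepted list with names; with no arguments it runs on the constructed samples. The odd-length check matters because the printf/xargs step silently produces a bad blob if a backslash escape is lost along the way.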