Re: [staging/HTTPS-TLS][PATCH 0/4] Replace the TLS definitions with the standardized one

Long, Qin <qin.long@...>

I personally prefer to keep the currently supported cipher suite for our UEFI-TLS enabling. We can have the full RFC definitions, and platform-specific cipher sets for validation now. It's better to maintain one minimal scope in this phase.

"enable-weak-ssl-ciphers" looks odd. Disabling weak ciphers is the recommendation for hardening SSL communications.
For other ciphers (idea, dsa, etc), we can enable them step-by-step depending on the real requirements.

Best Regards & Thanks,

-----Original Message-----
From: Wu, Jiaxin
Sent: Monday, August 01, 2016 9:23 AM
To: Palmer, Thomas; Long, Qin;
Cc: Ye, Ting; Fu, Siyuan; Gao, Liming
Subject: RE: [staging/HTTPS-TLS][PATCH 0/4] Replace the TLS definitions with
the standardized one

I agree some of them are not supported due to the UEFI OpenSSL
configuration, but it doesn't affect those mapping relationships added in the
patch. So, I have no strong opinion whether to support it by modifying the
current OpenSSL configuration. Since Qin is the OpenSSL expert, I'd like to
hear his views.

What's your opinion?


-----Original Message-----
From: edk2-devel [] On Behalf Of
Palmer, Thomas
Sent: Saturday, July 30, 2016 6:03 AM
To: Wu, Jiaxin <>;
Cc: Ye, Ting <>; Fu, Siyuan <>;
Gao, Liming <>; Long, Qin <>
Subject: Re: [edk2] [staging/HTTPS-TLS][PATCH 0/4] Replace the TLS
definitions with the standardized one


UEFI's OpenSSL library does not support all the ciphers that were
added in your patch due to the UEFI configuration. We need to remove
"no-idea" and "no-dsa" from the and add
"enable-weak-ssl-ciphers"

While we are modifying, we can remove "no-
from so that OpensslLib.inf is in sync.

I can send out a patch to do so if you wish.


-----Original Message-----
From: Jiaxin Wu []
Sent: Thursday, July 14, 2016 12:51 AM
Cc: Liming Gao <>; Palmer, Thomas
<>; Long Qin <>; Ye Ting
<>; Fu Siyuan <>; Wu Jiaxin
Subject: [staging/HTTPS-TLS][PATCH 0/4] Replace the TLS definitions
with the standardized one

The series patches are used to replace the TLS definitions with the
standardized one. In addition, more TLS cipher suite mappings between
Cipher Suite definitions and OpenSSL-used Cipher Suite names are added.

Cc: Liming Gao <>
Cc: Palmer Thomas <>
Cc: Long Qin <>
Cc: Ye Ting <>
Cc: Fu Siyuan <>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <>
Signed-off-by: Jiaxin Wu <>

Jiaxin Wu (4):
MdePkg: Add a header to standardize TLS definitions
CryptoPkg: Add more TLS cipher suite mapping
NetworkPkg/TlsDxe: Replace the definitions with the standardized one
NetworkPkg/HttpDxe: Replace the definitions with the standardized

CryptoPkg/Library/TlsLib/TlsLib.c | 3585 ++++++++++++++++--------------
MdePkg/Include/IndustryStandard/Tls1.h | 93 +
NetworkPkg/HttpDxe/HttpDriver.h | 2 +
NetworkPkg/HttpDxe/HttpProto.c | 12 +-
NetworkPkg/HttpDxe/HttpsSupport.c | 22 +-
NetworkPkg/HttpDxe/HttpsSupport.h | 44 -
NetworkPkg/TlsDxe/TlsImpl.c | 56 +-
NetworkPkg/TlsDxe/TlsImpl.h | 30 +-
NetworkPkg/TlsDxe/TlsProtocol.c | 2 +-
9 files changed, 1945 insertions(+), 1901 deletions(-)
create mode 100644 MdePkg/Include/IndustryStandard/Tls1.h
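As an added example (not CryptoPkg's TlsLib code) of the mapping the cover letter describes and of the build-option question raised in the replies: an IANA cipher suite code to OpenSSL cipher name table, each entry tagged with the OpenSSL build option it depends on (enable-weak-ssl-ciphers, no-idea, no-dsa), and a function that assembles the OpenSSL cipher-list string while rejecting suites the build cannot provide instead of passing them through silently. The table contents, the capability flags and the function name are constructed for this example.

```c
#include <string.h>
#include <stdint.h>

/* OpenSSL build options discussed in the thread, as a capability bitmask.
   The values are assumptions for this example, not CryptoPkg's real config. */
enum {
  NEEDS_WEAK = 1 << 0,  /* suite exists only with enable-weak-ssl-ciphers */
  NEEDS_IDEA = 1 << 1,  /* suite is removed by no-idea */
  NEEDS_DSA  = 1 << 2,  /* suite is removed by no-dsa */
};

/* IANA cipher suite code -> OpenSSL cipher name -> build option it depends on.
   Constructed table; the codes and names are the standard IANA/OpenSSL ones. */
typedef struct { uint16_t code; const char *name; unsigned needs; } SuiteMap;

static const SuiteMap kSuites[] = {
  { 0x000A, "DES-CBC3-SHA",                0 },
  { 0x002F, "AES128-SHA",                  0 },
  { 0x0035, "AES256-SHA",                  0 },
  { 0x003C, "AES128-SHA256",               0 },
  { 0x003D, "AES256-SHA256",               0 },
  { 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256", 0 },
  { 0x0004, "RC4-MD5",                     NEEDS_WEAK },
  { 0x0005, "RC4-SHA",                     NEEDS_WEAK },
  { 0x0009, "DES-CBC-SHA",                 NEEDS_WEAK },
  { 0x0007, "IDEA-CBC-SHA",                NEEDS_IDEA },
  { 0x0013, "DHE-DSS-DES-CBC3-SHA",        NEEDS_DSA },
};

/* Translate requested suite codes into a colon-separated OpenSSL cipher list,
   keeping only suites the build (enabled_caps) can actually provide.  Returns
   the number kept; *rejected counts unknown or build-disabled suites, which a
   caller should report instead of silently negotiating a smaller set. */
static int BuildCipherList(const uint16_t *codes, size_t n, unsigned enabled_caps,
                           char *out, size_t out_len, int *rejected) {
  int kept = 0;
  out[0] = '\0';
  *rejected = 0;
  for (size_t i = 0; i < n; i++) {
    const SuiteMap *m = NULL;
    for (size_t j = 0; j < sizeof kSuites / sizeof kSuites[0]; j++)
      if (kSuites[j].code == codes[i]) { m = &kSuites[j]; break; }
    if (m == NULL || (m->needs & ~enabled_caps) != 0) { (*rejected)++; continue; }
    if (strlen(out) + strlen(m->name) + 2 > out_len) break;  /* out of room */
    if (kept > 0) strcat(out, ":");
    strcat(out, m->name);
    kept++;
  }
  return kept;
}
```

With the default UEFI configuration (no capability bits set) the RC4, IDEA and DSS entries are mapped but rejected, which is the situation the replies describe.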


edk2-devel mailing list