Update/tls ciphers #206

Merged
merged 4 commits into from
Mar 30, 2024

Flickdm
Member

@Flickdm Flickdm commented Mar 29, 2024

Preface

Description

This change limits the TLS ciphers provided by the Docker container to strictly the four TLSv1.2 ciphers that Intune currently uses.

This will force firmware to OpenSSL TLSv1.2 and strictly the four algorithms currently supported, namely:

    cipher_list = [b'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                   b'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                   b'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                   b'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256']

For each item, place an "x" in between [ and ] if true. Example: [x].
(you can also check items in the GitHub UI)

  • [ ] Impacts functionality?

  • Impacts security?
    • Yes, this will force the firmware to use the above-mentioned ciphers
      validation improvement, ...
  • Breaking change?
  • [ ] Includes tests?
  • [ ] Includes documentation?

How This Was Tested

This nmap script can confirm the SSL ciphers are what is expected:

    nmap --script ssl-enum-ciphers -p 443 127.0.0.1

Integration Instructions

N/A
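
An offline check for the nmap test described above, as an added example that is not part of this pull request or the project's code: it parses `ssl-enum-ciphers` output and reports any protocol or suite outside the four listed in the description, plus any of the four that is missing. The function names `parse_enum_ciphers` and `audit` and the sample output are constructed for illustration.

```python
import re

# The four suites from the PR description (IANA names, as nmap prints them).
ALLOWED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
PROTO_RE = re.compile(r"^\|_?\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\b")

def parse_enum_ciphers(text):
    """Return {protocol: [cipher, ...]} from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            offered[proto] = []
        elif proto and (m := CIPHER_RE.match(line)):
            offered[proto].append(m.group(1))
    return offered

def audit(text):
    """Return findings; an empty list means only the four suites on TLSv1.2."""
    offered = parse_enum_ciphers(text)
    findings = [] if offered else ["no ssl-enum-ciphers results found"]
    for proto, ciphers in offered.items():
        if proto != "TLSv1.2":
            findings.append(f"unexpected protocol {proto}")
        findings += [f"unexpected cipher {c} ({proto})"
                     for c in ciphers if c not in ALLOWED]
    seen = set(offered.get("TLSv1.2", []))
    findings += [f"missing cipher {c}" for c in sorted(ALLOWED - seen)]
    return findings

# Constructed sample excerpt (not captured from the project's container).
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
"""

print("\n".join(audit(SAMPLE)) or "OK")
```

To use it on a real run, save the nmap output with `-oN` and pass the file's contents to `audit`.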

@github-actions github-actions bot added language:python Pull requests that update Python code impact:non-functional Does not have a functional impact impact:security Has a security impact impact:testing Affects testing type:documentation Improvements or additions to documentation labels Mar 29, 2024
@Flickdm Flickdm marked this pull request as ready for review March 29, 2024 22:08
@Flickdm Flickdm assigned Javagedes and Flickdm and unassigned Javagedes Mar 29, 2024
@Flickdm Flickdm requested review from Javagedes and apop5 March 29, 2024 22:09
@Flickdm Flickdm merged commit 844b288 into microsoft:main Mar 30, 2024
14 checks passed
ProjectMuBot referenced this pull request in microsoft/mu_tiano_platforms May 18, 2024
Introduces 18 new commits in [Features/DFCI](https://github.com/microsoft/mu_feature_dfci).

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/a7245ea372c405731fbbee82198433ef88cd47b6">a7245e</a> pip: bump edk2-pytool-extensions from 0.27.2 to 0.27.3 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/201">#201</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/d2d1cb00860a93d15e17a894d5cd4eac5e9e2cdd">d2d1cb</a> pip: bump edk2-pytool-library from 0.21.3 to 0.21.4 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/203">#203</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/aba937ae978aabe600348863c988175f35ff7ea8">aba937</a> Repo File Sync: prevent `rustup` from self-updating (<a href="https://github.com/microsoft/mu_feature_dfci/pull/204">#204</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/3c74bfa78750880f8eef8c2522adf95818494f67">3c74bf</a> Fixes the Deprecation Warning for return in Robot Framework (<a href="https://github.com/microsoft/mu_feature_dfci/pull/205">#205</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/844b288979cb63089b7c8bc45fc01c20136825ce">844b28</a> Update/tls ciphers (<a href="https://github.com/microsoft/mu_feature_dfci/pull/206">#206</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/c0c1326fadb16bba00f35c99a680227b1492be39">c0c132</a> pip: bump edk2-pytool-library from 0.21.4 to 0.21.5 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/208">#208</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/d99ab14f7f51d324f236bb1b041d42e8926ee58f">d99ab1</a> Repo File Sync: Update to Mu DevOps 9.1.9 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/209">#209</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/6294c21dc08b7e6fd7afeb009c903cf03534c87e">6294c2</a> Repo File Sync: Update to Ubuntu Container 0e124c1 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/210">#210</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/16c06469920d52b11dabd54ca45dcddc6e8a310c">16c064</a> GitHub Action: Bump robinraju/release-downloader from 1.9 to 1.10 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/211">#211</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/e1dffd566293aa94bf35cd045add4956bab2fa11">e1dffd</a> Repo File Sync: synced file(s) with microsoft/mu_devops (<a href="https://github.com/microsoft/mu_feature_dfci/pull/212">#212</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/3f4a5dbf005716a3ee0edde2ea6fe7555064175d">3f4a5d</a> pip: bump regex from 2023.12.25 to 2024.4.16 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/213">#213</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/00c114413ca29aebcde6a4a0e04213fd62a89f57">00c114</a> GitHub Action: Bump robinraju/release-downloader from 1.9 to 1.10 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/214">#214</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/76b3a075554333e1a50361012b3d70d57186bf9f">76b3a0</a> Update DfciUpdate.c to avoid unsigned comparison checking greater than zero (<a href="https://github.com/microsoft/mu_feature_dfci/pull/215">#215</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/e2e06a9aadb637f34ee2dac4e88ef68736678f9b">e2e06a</a> pip: bump regex from 2024.4.16 to 2024.4.28 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/216">#216</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/df423c88a0375deb70c63734c5da09e6b2f83f75">df423c</a> pip: bump edk2-pytool-extensions from 0.27.3 to 0.27.4 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/217">#217</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/29153822c79742eb58ffa78ba6b57236035ec41f">291538</a> Repo File Sync: .gitattributes: Prevent line ending conversion (<a href="https://github.com/microsoft/mu_feature_dfci/pull/218">#218</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/a7dde4037e163ce3cb4373470e4fa859d558d0c2">a7dde4</a> pip: bump regex from 2024.4.28 to 2024.5.10 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/220">#220</a>)</li>
<li><a href="https://github.com/microsoft/mu_feature_dfci/commit/ba354bcfceec3e75bc0cc4ef1f13f959fe4aca0f">ba354b</a> pip: bump pygount from 1.6.1 to 1.8.0 (<a href="https://github.com/microsoft/mu_feature_dfci/pull/219">#219</a>)</li>
</ul>
</details>

Signed-off-by: Project Mu Bot <[email protected]>
@Flickdm Flickdm deleted the update/tls_ciphers branch May 29, 2024 17:09