From: "Michael Brown" <mcb30@ipxe.org>
To: devel@edk2.groups.io, nicklew@nvidia.com,
Maciej Rabeda <maciej.rabeda@linux.intel.com>,
Siyuan Fu <siyuan.fu@intel.com>
Cc: Abner Chang <abner.chang@amd.com>,
Igor Kulchytskyy <igork@ami.com>,
Nick Ramirez <nramirez@nvidia.com>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify
Date: Tue, 7 Mar 2023 10:19:05 +0000 [thread overview]
Message-ID: <01020186bb94ef66-3ef05d85-42ce-48e1-b75b-f7ec9420ab8d-000000@eu-west-1.amazonses.com> (raw)
In-Reply-To: <MW4PR12MB703188A4465755B934B95C8FD9B79@MW4PR12MB7031.namprd12.prod.outlook.com>
On 07/03/2023 08:21, Nickle Wang via groups.io wrote:
> I got an idea to handle this issue.
>
> EFI_HTTP_SERVICE_BINDING_PROTOCOL is defined in UEFI specification for
> caller to create HTTP protocol on child instance. How about I propose a
> new service binding protocol called
> EFI_HTTP_*NO_TLS_HOST_VERIFY*_SERVICE_BINDING_PROTOCOL, and the
> EFI_HTTP_PROTOCOL created by this service binding protocol will not do
> TLS host verify during HTTPS communication.
>
> When caller like to disable host verify on HTTPS communication, caller
> use this service binding protocol to create special HTTP instance. For
> other case, caller use regular EFI_HTTP_SERVICE_BINDING_PROTOCOL to get
> normal EFI_HTTP_PROTOCOL instance.
That seems very hacky, and does not help to address the general problem
of being able to more flexibly configure HTTP connections.
From a quick look through the UEFI spec, it looks as though
EFI_TLS_PROTOCOL.SetSessionData() should already allow you to set
EfiTlsVerifyMethod with a value of EFI_TLS_VERIFY_NONE.
The implementation of HttpDxe makes it very messy to gain access to the
EFI_TLS_PROTOCOL instance, since it will be created only when
EFI_HTTP_PROTOCOL.Request() is called. I think you may have to use
gBS->RegisterProtocolNotify() in order to intercept the point at which
EFI_TLS_PROTOCOL is installed. In your notification event callback, you
would then check to see if the handle is a child of the
EFI_HTTP_PROTOCOL handle and, if so, call
EFI_TLS_PROTOCOL.SetSessionData() to disable host verification.
You would need to be using a newly created EFI_HTTP_PROTOCOL instance,
so that you could be sure that there was no existing EFI_TLS_PROTOCOL
instance already in place.
I haven't tested any of the above, but it looks as though it should work
and allow you to disable host verification for a single
EFI_HTTP_PROTOCOL instance, without any specification changes.
Michael
prev parent reply other threads:[~2023-03-07 10:19 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-01 3:46 [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify Nickle Wang
2023-02-01 10:47 ` [edk2-devel] " Michael Brown
2023-02-01 11:06 ` Nickle Wang
2023-02-01 11:27 ` Michael Brown
2023-02-02 6:34 ` Nickle Wang
[not found] ` <173FEE62613A7ADA.16586@groups.io>
2023-03-07 8:21 ` Nickle Wang
2023-03-07 10:19 ` Michael Brown [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=01020186bb94ef66-3ef05d85-42ce-48e1-b75b-f7ec9420ab8d-000000@eu-west-1.amazonses.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox