Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS policy

["Michael Brown" <mcb30@ipxe.org>]

On 28/12/2023 15:04, Chang, Abner via groups.io wrote:
>> With the TLS protocol installed onto the same handle, I don't think you
>> then even need to use RegisterProtocolNotify().  On return from
>> EFI_HTTP_PROTOCOL.Request() you can open the TLS protocol on the handle
>> and immediately call SetSessionData() to override VerifyMethod etc.
>>
> This part I am not sure, as TLS is initiated on the first HttpRequest. Reconfigure TLS session on return from HTTP Request function means we have to take one time error. I think I will still use RegisterProtocolNotify and LocateHandle with ByRegisterNotify to get the newly installed TLS handle, then check it with REST EX HTTP handle. Hook the TLS SetSessionData() function provided by REST EX, override the value then invoke the original SetSessionData(). Something like this.

As far as I am aware, EfiHttpRequest sets up all of the relevant data 
structures but functions as a non-blocking open.  If you reconfigure the 
TLS session immediately after return from EfiHttpRequest() then this 
reconfiguration should take effect before any network packets have been 
transmitted or received.  I have not tested this, though.

If the immediate reconfiguration does not work, then your suggestion of 
hooking SetSessionData() sounds like the easiest approach.

> Would you like to refactor HttpSupport.c or let me do that?

Nobody is paying me to work on EDK2, so I'll leave it to you.  :)

Thanks,

Michael



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112982): https://edk2.groups.io/g/devel/message/112982
Mute This Topic: https://groups.io/mt/103368438/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-