From: "Maciej Rabeda" <maciej.rabeda@linux.intel.com>
To: devel@edk2.groups.io, vineel.kovvuri@gmail.com,
maciej.rabeda@intel.com, jiewen.yao@intel.com,
jpere@microsoft.com, Michael.Turner@microsoft.com,
sean.brogan@microsoft.com, bret.barkelew@microsoft.com
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Fri, 22 Oct 2021 12:32:26 +0200 [thread overview]
Message-ID: <06fe2168-07d2-ffcc-cc59-026a4ca96f7c@linux.intel.com> (raw)
In-Reply-To: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com>
Hi Vineel,
I do not have any problems with this patch. Before I merge, I would like
Jiaxin to look at it, since he has submitted that code.
Thanks,
Maciej
On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
next prev parent reply other threads:[~2021-10-22 10:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-15 0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15 1:11 ` Yao, Jiewen
2021-10-22 10:32 ` Maciej Rabeda [this message]
2021-11-02 1:15 ` [edk2-devel] " Wu, Jiaxin
2021-11-02 18:57 ` Vineel Kovvuri
2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29 ` Maciej Rabeda
2021-11-03 21:38 ` Vineel Kovvuri
-- strict thread matches above, loose matches on Subject: below --
2021-11-02 20:19 Vineel Kovvuri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=06fe2168-07d2-ffcc-cc59-026a4ca96f7c@linux.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox