From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by mx.groups.io with SMTP id smtpd.web09.6475.1634898752509327262 for ; Fri, 22 Oct 2021 03:32:32 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=none, err=permanent DNS error (domain: linux.intel.com, ip: 192.55.52.93, mailfrom: maciej.rabeda@linux.intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10144"; a="226731435" X-IronPort-AV: E=Sophos;i="5.87,172,1631602800"; d="scan'208";a="226731435" Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Oct 2021 03:32:31 -0700 X-IronPort-AV: E=Sophos;i="5.87,172,1631602800"; d="scan'208";a="463999148" Received: from mrabeda-mobl.ger.corp.intel.com (HELO [10.249.150.253]) ([10.249.150.253]) by orsmga002-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 Oct 2021 03:32:28 -0700 Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation To: devel@edk2.groups.io, vineel.kovvuri@gmail.com, maciej.rabeda@intel.com, jiewen.yao@intel.com, jpere@microsoft.com, Michael.Turner@microsoft.com, sean.brogan@microsoft.com, bret.barkelew@microsoft.com Cc: Vineel Kovvuri References: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> From: "Maciej Rabeda" Message-ID: <06fe2168-07d2-ffcc-cc59-026a4ca96f7c@linux.intel.com> Date: Fri, 22 Oct 2021 12:32:26 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: pl Hi Vineel, I do not have any problems with this patch. Before I merge, I would like Jiaxin to look at it, since he has submitted that code. Thanks, Maciej On 15-Oct-21 02:54, Vineel Kovvuri wrote: > The current UEFI implementation of HTTPS during its TLS configuration uses > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec > this flag does is "to disable the match of any wildcards in the host name". So, > certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail > the TLS host name matching. On the other hand, > EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname > validation. Wildcards are supported and they match only in the left-most label." > this behavior/definition is coming from openssl's X509_check_host() api > https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html > > Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued > with wildcards in them would fail to match while trying to communicate with > HTTPS endpoint. > > BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691 > > Signed-off-by: Vineel Kovvuri > --- > NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c > index 7e0bf85c3c..0f28ae9447 100644 > --- a/NetworkPkg/HttpDxe/HttpsSupport.c > +++ b/NetworkPkg/HttpDxe/HttpsSupport.c > @@ -625,7 +625,7 @@ TlsConfigureSession ( > // > HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; > HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; > - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; > HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost; > HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; >