From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.120]) by mx.groups.io with SMTP id smtpd.web11.30526.1583657709043367847 for ; Sun, 08 Mar 2020 00:55:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=RXKhlYDL; spf=pass (domain: redhat.com, ip: 207.211.31.120, mailfrom: lersek@redhat.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1583657708; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LoyXhSOMMCa+H9rDSmQt7WWKNyLSwqaaQgg0sesEafc=; b=RXKhlYDLwiUAZZ8DUd1/fbeqh480rpAlWH5G8L7Xgwy6Wd1PB7gGBFmcADJtt2zGNXFXY1 zjb+CiDSBm1uFK8ozDZNAkmhz5+HlZnIAhXjfIaHfT3lUkjXXXTj/9dibkMFOoURqbqj1l ZyST3npBdllNcjhVjHwycHINRmNP3aQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-339-H8bMR4XWNYK5v7jlgVIbKQ-1; Sun, 08 Mar 2020 04:54:59 -0400 X-MC-Unique: H8bMR4XWNYK5v7jlgVIbKQ-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B02651005509; Sun, 8 Mar 2020 08:54:57 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-62.ams2.redhat.com [10.36.116.62]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8E7375C545; Sun, 8 Mar 2020 08:54:56 +0000 (UTC) Subject: Re: [edk2-devel] reg: Host Name Validation with Wild Card Certificate To: sean.brogan@microsoft.com References: <10736.1583620850271595025@groups.io> Cc: devel@edk2.groups.io, Sivaraman Nainar , Jeremiah Cox From: "Laszlo Ersek" Message-ID: <1181cf99-0752-3114-1ea3-54dd462fd5be@redhat.com> Date: Sun, 8 Mar 2020 09:54:55 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <10736.1583620850271595025@groups.io> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit On 03/07/20 23:40, Sean via Groups.Io wrote: > The name of this flag is terrible but if you read the 2.8 spec. > https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf > page 1436. > Says: > EFI_TLS_VERIFY_FLAG_NONE means no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label. > > In the HttpDxe driver we made a change to support wildcards as wildcards are pretty commonly used in web services. > https://github.com/microsoft/mu_basecore/commit/931ff1a45ce13a6a8c3e296f89c6de21f23a17ed#diff-45ead71899abef9932d2697dbd1d8867 > > There is a lot of noise on this thread but its the best i can find. > https://bugzilla.tianocore.org/show_bug.cgi?id=960 > > We might need to open a new bugzilla as i think 960 is resolved but is too strict for practical usage. Yes, please open a new Bugzilla ticket for investigating EFI_TLS_VERIFY_FLAG_NO_WILDCARDS vs. EFI_TLS_VERIFY_FLAG_NONE. Thanks! Laszlo