From: "David Woodhouse" <dwmw2@infradead.org>
To: devel@edk2.groups.io, sivaramann@amiindia.co.in
Cc: "jiaxin.wu@intel.com" <jiaxin.wu@intel.com>,
"siyuan.fu@intel.com" <siyuan.fu@intel.com>
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate
Date: Thu, 20 Jun 2019 11:47:39 +0100
Message-ID: <1ac12ecc87aa039ba36b64bc394769033f5ecf28.camel@infradead.org>
In-Reply-To: <B4DE137BDB63634BAC03BD9DE765F197028B255A3A@VENUS1.in.megatrends.com>
On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>
> From: Sivaraman Nainar
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>
> Hello:
>
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, TLS Handshake works only for Host
> Name and it provides Handshake Error when the requests are IP Based.
>
> If this question needs to be raised in other forum please help to
> redirect.
>
I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions.

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?
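
The check discussed in this message, as an added example that is not part of the original email and is not EDK2 or OpenSSL code: a simplified C model of comparing the name a client connected to against a certificate's CN and SAN entries, the kind of comparison X509_check_host() and X509_check_ip() perform on real certificates. The struct, the function names and the sample values are constructed for illustration.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the names a certificate carries (not an X509 object). */
struct cert_names {
    const char *cn;          /* subject Common Name */
    const char *san_dns[4];  /* subjectAltName dNSName entries, NULL-terminated */
    const char *san_ip[4];   /* subjectAltName iPAddress entries, NULL-terminated */
};

/* Constructed sample shaped like the certificate in the question: CN host, SAN IP. */
const struct cert_names sample_cert = {
    "server.example.test", { NULL }, { "192.0.2.10", NULL }
};

/* Parse text as IPv4 or IPv6; return the address length (4 or 16), 0 if not an IP. */
static int parse_ip(const char *s, unsigned char out[16]) {
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Case-insensitive DNS match; a leading "*." covers exactly one left-most label. */
static int dns_match(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Return 1 only if the name the client connected to is covered by the certificate. */
int cert_matches_peer(const struct cert_names *c, const char *peer) {
    unsigned char want[16], have[16];
    int i, wlen = parse_ip(peer, want);
    if (wlen) {  /* connected by IP: only iPAddress SANs count, never the CN */
        for (i = 0; i < 4 && c->san_ip[i]; i++)
            if (parse_ip(c->san_ip[i], have) == wlen && memcmp(want, have, wlen) == 0)
                return 1;
        return 0;
    }
    for (i = 0; i < 4 && c->san_dns[i]; i++)
        if (dns_match(c->san_dns[i], peer)) return 1;
    /* CN is consulted only when the certificate has no dNSName SAN at all. */
    return c->san_dns[0] == NULL && c->cn != NULL && dns_match(c->cn, peer);
}
```

A client that validates only the certificate chain and never runs a comparison like this accepts a valid certificate issued for any other host.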