Re: [edk2-devel] reg: Multiple Host Name Certificate

["Laszlo Ersek" <lersek@redhat.com>]

Hello David,

On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support added when we integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
> 
> Hm, I can't see bug 960, at least not without and account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please? 

TianoCore#960 is a security BZ that I had reported on 2018-05-29.

The title of the ticket is

"server certificate with invalid domain name (CN) accepted in
HTTPS-over-IPv6 boot"

It is indeed the bug that you think it is ("From code inspection I'd
have guessed that the code would tolerate *any* valid certificate, even
for a host other than the one it actually attempted to connect to.")

There is still no CVE number assigned.

Patches exist, but have not been posted to the list yet.

--*--

Normally, my above comments (in public) would amount to breaking a live
security embargo. In reality, this is not the case. That's because the
UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so),
addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2
problem required changes to the UEFI spec too.

If you search both UEFI-2.7 and UEFI-2.8 for the enum constant
"EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the
cat had been let out of the bag when UEFI-2.8 was released. In effect,
*that* ended the embargo on TianoCore#960. The fact that TianoCore#960
is still unreadable to the public (including the attached patches) is
"merely" a technical tidbit. :/

I'm CC'ing you on the BZ now, so you can read it even before it gets
opened up.

Thanks
Laszlo