From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, dwmw2@infradead.org,
Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: "jiaxin.wu@intel.com" <jiaxin.wu@intel.com>,
"siyuan.fu@intel.com" <siyuan.fu@intel.com>
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate
Date: Thu, 20 Jun 2019 16:27:59 +0200 [thread overview]
Message-ID: <4d6fad2a-f052-4444-3a68-7e79aeda2082@redhat.com> (raw)
In-Reply-To: <c117bafc9dbdae40b348bca41ac6c8c96dc3b948.camel@infradead.org>
Hello David,
On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support added when we integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
>
> Hm, I can't see bug 960, at least not without and account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please?
TianoCore#960 is a security BZ that I had reported on 2018-05-29.
The title of the ticket is
"server certificate with invalid domain name (CN) accepted in
HTTPS-over-IPv6 boot"
It is indeed the bug that you think it is ("From code inspection I'd
have guessed that the code would tolerate *any* valid certificate, even
for a host other than the one it actually attempted to connect to.")
There is still no CVE number assigned.
Patches exist, but have not been posted to the list yet.
--*--
Normally, my above comments (in public) would amount to breaking a live
security embargo. In reality, this is not the case. That's because the
UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so),
addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2
problem required changes to the UEFI spec too.
If you search both UEFI-2.7 and UEFI-2.8 for the enum constant
"EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the
cat had been let out of the bag when UEFI-2.8 was released. In effect,
*that* ended the embargo on TianoCore#960. The fact that TianoCore#960
is still unreadable to the public (including the attached patches) is
"merely" a technical tidbit. :/
I'm CC'ing you on the BZ now, so you can read it even before it gets
opened up.
Thanks
Laszlo
next prev parent reply other threads:[~2019-06-20 14:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-19 11:51 reg: Multiple Host Name Certificate Sivaraman Nainar
2019-06-20 10:47 ` [edk2-devel] " David Woodhouse
2019-06-20 11:27 ` Sivaraman Nainar
2019-06-20 12:35 ` David Woodhouse
2019-06-20 14:27 ` Laszlo Ersek [this message]
2019-06-20 15:20 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4d6fad2a-f052-4444-3a68-7e79aeda2082@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox