public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, dwmw2@infradead.org,
	Sivaraman Nainar <sivaramann@amiindia.co.in>
Cc: "jiaxin.wu@intel.com" <jiaxin.wu@intel.com>,
	"siyuan.fu@intel.com" <siyuan.fu@intel.com>
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate
Date: Thu, 20 Jun 2019 16:27:59 +0200	[thread overview]
Message-ID: <4d6fad2a-f052-4444-3a68-7e79aeda2082@redhat.com> (raw)
In-Reply-To: <c117bafc9dbdae40b348bca41ac6c8c96dc3b948.camel@infradead.org>

Hello David,

On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support added when we integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
> 
> Hm, I can't see bug 960, at least not without and account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please? 

TianoCore#960 is a security BZ that I had reported on 2018-05-29.

The title of the ticket is

"server certificate with invalid domain name (CN) accepted in
HTTPS-over-IPv6 boot"

It is indeed the bug that you think it is ("From code inspection I'd
have guessed that the code would tolerate *any* valid certificate, even
for a host other than the one it actually attempted to connect to.")

There is still no CVE number assigned.

Patches exist, but have not been posted to the list yet.

--*--

Normally, my above comments (in public) would amount to breaking a live
security embargo. In reality, this is not the case. That's because the
UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so),
addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2
problem required changes to the UEFI spec too.

If you search both UEFI-2.7 and UEFI-2.8 for the enum constant
"EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the
cat had been let out of the bag when UEFI-2.8 was released. In effect,
*that* ended the embargo on TianoCore#960. The fact that TianoCore#960
is still unreadable to the public (including the attached patches) is
"merely" a technical tidbit. :/

I'm CC'ing you on the BZ now, so you can read it even before it gets
opened up.

Thanks
Laszlo

  reply	other threads:[~2019-06-20 14:28 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-19 11:51 reg: Multiple Host Name Certificate Sivaraman Nainar
2019-06-20 10:47 ` [edk2-devel] " David Woodhouse
2019-06-20 11:27   ` Sivaraman Nainar
2019-06-20 12:35     ` David Woodhouse
2019-06-20 14:27       ` Laszlo Ersek [this message]
2019-06-20 15:20         ` David Woodhouse

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4d6fad2a-f052-4444-3a68-7e79aeda2082@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox