From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Thu, 20 Jun 2019 07:28:07 -0700 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DFAE1308339A; Thu, 20 Jun 2019 14:28:01 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-117-226.ams2.redhat.com [10.36.117.226]) by smtp.corp.redhat.com (Postfix) with ESMTP id A2BFD60477; Thu, 20 Jun 2019 14:28:00 +0000 (UTC) Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate To: devel@edk2.groups.io, dwmw2@infradead.org, Sivaraman Nainar Cc: "jiaxin.wu@intel.com" , "siyuan.fu@intel.com" References: <1ac12ecc87aa039ba36b64bc394769033f5ecf28.camel@infradead.org> From: "Laszlo Ersek" Message-ID: <4d6fad2a-f052-4444-3a68-7e79aeda2082@redhat.com> Date: Thu, 20 Jun 2019 16:27:59 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Thu, 20 Jun 2019 14:28:02 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable Hello David, On 06/20/19 14:35, David Woodhouse wrote: > On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote: >> This support added when we integrating "TianoCore Bug 960 >> (HTTPS_HostName_Validation)". This has the support for performing >> Host Name validation during HTTP Operations. >=20 > Hm, I can't see bug 960, at least not without and account =E2=80=94 and > bugzilla is sending its messages from an invalid address so registering > an account failed on the first attempt. I'll add it to the "known > broken senders" list and try again... in the meantime, do you have a > link to the code please?=20 TianoCore#960 is a security BZ that I had reported on 2018-05-29. The title of the ticket is "server certificate with invalid domain name (CN) accepted in HTTPS-over-IPv6 boot" It is indeed the bug that you think it is ("From code inspection I'd have guessed that the code would tolerate *any* valid certificate, even for a host other than the one it actually attempted to connect to.") There is still no CVE number assigned. Patches exist, but have not been posted to the list yet. --*-- Normally, my above comments (in public) would amount to breaking a live security embargo. In reality, this is not the case. That's because the UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so), addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2 problem required changes to the UEFI spec too. If you search both UEFI-2.7 and UEFI-2.8 for the enum constant "EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the cat had been let out of the bag when UEFI-2.8 was released. In effect, *that* ended the embargo on TianoCore#960. The fact that TianoCore#960 is still unreadable to the public (including the attached patches) is "merely" a technical tidbit. :/ I'm CC'ing you on the BZ now, so you can read it even before it gets opened up. Thanks Laszlo