From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, dwmw2@infradead.org, "Wu,
Jiaxin" <jiaxin.wu@intel.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
Richard Levitte <levitte@openssl.org>,
Sivaraman Nainar <sivaramann@amiindia.co.in>
Subject: Re: [edk2-devel] [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses
Date: Thu, 17 Oct 2019 17:35:00 +0200 [thread overview]
Message-ID: <64366517-6a4e-41da-0ab5-6dea3580bf30@redhat.com> (raw)
In-Reply-To: <c7e456ec1f6f9b4499df9c3624e933912f303b1e.camel@infradead.org>
Jiaxin,
On 10/16/19 17:25, David Woodhouse wrote:
> On Wed, 2019-10-16 at 16:43 +0200, Laszlo Ersek wrote:
>> Regarding the current edk2 patch set, I think we should do the following:
>>
>> - use X509_VERIFY_PARAM_set1_ip() rather than
>> X509_VERIFY_PARAM_set1_ip_asc()
>>
>> - incorporate "StdLib/BsdSocketLib/inet_pton.c" from the edk2-libc
>> project (which used to be part of edk2 itself) into TlsLib, and call
>> inet_pton() for parsing the address as both IPv4 and IPv6.
>
> That makes sense.
Please wait a little before starting work on this. I've been made aware,
in <https://hackerone.com/reports/715413>, of the practices of various
certificate authorities:
[1] https://www.geocerts.com/support/ip-address-in-ssl-certificate
[2]
https://www.leaderssl.com/articles/381-issuing-ssl-certificate-for-an-ip-address
[3]
https://support.globalsign.com/customer/en/portal/articles/1216536-securing-a-public-ip-address---ssl-certificates
What's most worrisome is [3], which writes:
If you are targeting Windows 10 and later, you can populate the IP
address in either field. If however, you are targeting Windows 8.1
and earlier, you should only specify the IP address as the common
name.
Keyword being "only".
Assuming the above quote precisely reflects reality: if we made edk2
strictly insist on the IP address being in the SAN.iPAddress field, then
edk2 could not HTTPS-boot from such web servers that intend to serve
Windows clients up to 8.1.
Reference [2] advises to put the IP address in both CN and SAN.iPAddress
for best compatibility, and that would be fine, for
X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad
for X509_VERIFY_PARAM_set1_ip().
Thanks
Laszlo
next prev parent reply other threads:[~2019-10-17 15:35 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-27 3:44 [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 1/4] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 2/4] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 3/4] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 4/4] NetworkPkg/HttpDxe: Set the HostName for the verification(CVE-2019-14553) Wu, Jiaxin
2019-09-29 6:09 ` [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wang, Jian J
2019-09-30 23:21 ` Laszlo Ersek
2019-10-01 9:02 ` David Woodhouse
2019-10-08 6:19 ` Wu, Jiaxin
2019-10-09 7:53 ` David Woodhouse
2019-10-09 20:24 ` Laszlo Ersek
2019-10-09 20:34 ` David Woodhouse
2019-10-10 3:11 ` Wu, Jiaxin
2019-10-10 8:00 ` Laszlo Ersek
2019-10-10 15:45 ` David Woodhouse
2019-10-10 18:03 ` Laszlo Ersek
2019-10-11 2:24 ` Wu, Jiaxin
2019-10-11 6:58 ` David Woodhouse
2019-10-11 8:04 ` Wu, Jiaxin
2019-10-11 10:55 ` Laszlo Ersek
2019-10-11 11:16 ` David Woodhouse
2019-10-11 15:36 ` Laszlo Ersek
2019-10-11 16:01 ` David Woodhouse
2019-10-14 16:15 ` Laszlo Ersek
2019-10-14 16:20 ` Laszlo Ersek
2019-10-14 16:53 ` David Woodhouse
2019-10-15 11:03 ` David Woodhouse
2019-10-15 11:06 ` David Woodhouse
2019-10-15 13:54 ` Laszlo Ersek
2019-10-15 15:29 ` David Woodhouse
2019-10-15 16:56 ` Laszlo Ersek
2019-10-15 17:34 ` Laszlo Ersek
2019-10-16 9:40 ` David Woodhouse
2019-10-16 10:27 ` Laszlo Ersek
2019-10-15 15:57 ` David Woodhouse
2019-10-15 17:28 ` Laszlo Ersek
2019-10-10 2:45 ` Wu, Jiaxin
2019-10-09 15:54 ` Laszlo Ersek
2019-10-10 2:46 ` Wu, Jiaxin
2019-10-15 23:08 ` [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses Laszlo Ersek
2019-10-16 5:18 ` [edk2-devel] " Wu, Jiaxin
2019-10-16 7:36 ` Laszlo Ersek
2019-10-16 7:54 ` Laszlo Ersek
2019-10-16 7:56 ` David Woodhouse
2019-10-16 8:08 ` Laszlo Ersek
2019-10-16 9:19 ` David Woodhouse
2019-10-16 11:41 ` Laszlo Ersek
2019-10-16 13:35 ` David Woodhouse
2019-10-16 14:43 ` Laszlo Ersek
2019-10-16 15:25 ` David Woodhouse
2019-10-17 15:35 ` Laszlo Ersek [this message]
2019-10-17 15:49 ` David Woodhouse
2019-10-18 13:25 ` Laszlo Ersek
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 8:14 ` Laszlo Ersek
2019-10-24 19:47 ` Laszlo Ersek
2019-10-25 2:13 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-16 8:45 ` David Woodhouse
2019-10-16 11:01 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=64366517-6a4e-41da-0ab5-6dea3580bf30@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox