From: "David Woodhouse" <dwmw2@infradead.org>
To: devel@edk2.groups.io, lersek@redhat.com, "Wu,
Jiaxin" <jiaxin.wu@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>,
Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Richard Levitte <levitte@openssl.org>
Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)
Date: Tue, 15 Oct 2019 16:57:50 +0100 [thread overview]
Message-ID: <7962663e410ddb2652a9e3075589a1e3d6488213.camel@infradead.org> (raw)
In-Reply-To: <23699ae3-10c2-037c-b3f5-ac8f5bea1fb7@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 4065 bytes --]
On Thu, 2019-10-10 at 20:03 +0200, Laszlo Ersek wrote:
> (I can't test it easily myself, as I don't even know how to create a
> server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)
I had to look it up again, but here goes...
$ cat v3.ext
subjectAltName = @alt_names
[alt_names]
DNS.1 = lersek-test.redhat.com
IP.2 = 192.168.124.2
IP.3 = fd33:eb1b:9b36::2
$ openssl req -nodes -newkey rsa:2048 -keyout key.pem -out cert.csr
...
$ openssl x509 -signkey ca-key.pem -in cert.csr -req -days 3650 -out cert.pem -extfile v3.ext
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key
$ openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
56:c5:33:0f:b1:2d:e5:b5:1e:89:e5:a7:a2:45:a9:06:43:1f:4a:1e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Validity
Not Before: Oct 15 15:56:11 2019 GMT
Not After : Oct 12 15:56:11 2029 GMT
Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2432 bit)
Modulus:
00:b4:6b:27:98:25:af:c1:ff:1e:ca:b0:7e:f4:d8:
bc:ed:43:86:67:54:5d:da:b4:1e:c2:90:5f:83:3c:
02:11:fc:13:72:85:b2:88:a4:65:41:0b:76:5f:23:
be:8a:9f:fe:79:4b:73:3b:2e:c7:4b:3c:bf:16:c9:
97:55:35:17:f3:a1:72:4b:30:c2:e0:27:94:12:f3:
56:00:e6:ce:82:4b:11:5d:a4:1e:9b:fa:fa:b9:1b:
2a:4d:18:b5:ba:a5:e6:0c:c7:a8:a8:a1:6d:aa:88:
84:dc:96:0e:b2:6c:1c:35:aa:e7:c7:94:3d:f9:d5:
c7:c2:a2:0d:4b:b3:6e:7a:f7:08:5f:c5:09:cd:15:
93:1a:f7:98:df:2a:4c:66:89:24:ed:1f:d0:16:63:
81:65:a5:58:3b:a1:cd:25:62:9b:99:81:54:08:17:
18:ec:7c:2f:08:a2:3b:28:57:32:9d:17:47:0a:86:
fb:62:b1:41:99:e6:fb:de:a8:ea:20:7e:f3:1b:ee:
ba:ea:9a:21:64:29:92:f2:ad:73:e5:19:05:9d:37:
53:e2:11:9f:18:5f:22:ba:e2:8b:0d:00:8c:9e:2f:
a7:87:3d:40:be:4a:a2:a5:92:08:0c:2e:61:c0:58:
7c:9a:99:e1:d6:ac:83:39:25:cf:3e:1b:ed:eb:a3:
6d:9d:cb:c5:38:de:c1:c7:6e:9b:34:14:be:30:3e:
82:90:1e:b9:4a:9a:76:e4:ef:33:0c:46:a2:31:72:
f6:c3:61:0b:f8:aa:67:89:f4:a5:e5:76:37:a1:29:
9f:80:79:aa:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:lersek-test.redhat.com, IP Address:192.168.124.2, IP Address:FD33:EB1B:9B36:0:0:0:0:2
Signature Algorithm: sha256WithRSAEncryption
37:8c:17:6c:4d:5f:05:b6:70:b9:96:49:0a:e3:f6:3c:bd:3b:
d0:fe:56:ee:ad:58:15:6e:a6:79:a8:3b:d4:fa:09:f9:7d:85:
8a:8b:14:7b:e4:db:bf:2d:8d:32:28:26:d6:37:a5:51:90:e9:
75:25:b9:9d:63:db:35:29:8a:58:61:56:b2:2a:5a:d3:80:b7:
1d:4c:05:0b:49:da:6f:ec:67:f5:3d:09:f2:58:92:43:8d:39:
d7:f4:f3:3c:bd:9b:16:a2:c9:c0:63:5d:c9:1a:c3:a7:24:fa:
31:8c:7c:3e:98:98:87:8f:5b:fb:00:f5:41:15:16:89:c6:e3:
c4:63:3a:3d:3e:b8:b5:b7:af:cb:11:1a:13:f4:b2:df:c4:f4:
a1:a2:9c:d1:05:20:84:65:70:91:41:be:f4:26:c2:63:07:46:
d0:63:bf:27:3f:42:9c:69:22:e1:d6:6a:41:dc:97:51:2d:ef:
a1:11:20:ed:89:57:d6:d2:ad:6c:7f:88:69:ae:31:51:e8:cb:
9e:3a:e1:49:48:01:5b:d5:ab:93:53:5e:cb:2f:72:6e:84:af:
d0:c2:91:41:29:6f:3c:0b:df:c6:9c:77:14:fd:29:fc:65:0b:
2d:6c:61:69:a6:72:19:38:5f:a1:83:fd:6c:22:02:d7:b6:81:
9e:05:7c:58:2c:c9:eb:c0:09:aa:07:d1:b7:15:a1:e3:ea:27:
b1:f7:70:87:fe:d6:16:57:67:70:fe:65:9a:0f:1b:11:be:22:
08:2f:21:50:30:a4:35:99:d3:fb:4d:40:22:39:2c:f3
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5174 bytes --]
next prev parent reply other threads:[~2019-10-15 15:58 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-27 3:44 [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 1/4] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 2/4] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 3/4] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 4/4] NetworkPkg/HttpDxe: Set the HostName for the verification(CVE-2019-14553) Wu, Jiaxin
2019-09-29 6:09 ` [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wang, Jian J
2019-09-30 23:21 ` Laszlo Ersek
2019-10-01 9:02 ` David Woodhouse
2019-10-08 6:19 ` Wu, Jiaxin
2019-10-09 7:53 ` David Woodhouse
2019-10-09 20:24 ` Laszlo Ersek
2019-10-09 20:34 ` David Woodhouse
2019-10-10 3:11 ` Wu, Jiaxin
2019-10-10 8:00 ` Laszlo Ersek
2019-10-10 15:45 ` David Woodhouse
2019-10-10 18:03 ` Laszlo Ersek
2019-10-11 2:24 ` Wu, Jiaxin
2019-10-11 6:58 ` David Woodhouse
2019-10-11 8:04 ` Wu, Jiaxin
2019-10-11 10:55 ` Laszlo Ersek
2019-10-11 11:16 ` David Woodhouse
2019-10-11 15:36 ` Laszlo Ersek
2019-10-11 16:01 ` David Woodhouse
2019-10-14 16:15 ` Laszlo Ersek
2019-10-14 16:20 ` Laszlo Ersek
2019-10-14 16:53 ` David Woodhouse
2019-10-15 11:03 ` David Woodhouse
2019-10-15 11:06 ` David Woodhouse
2019-10-15 13:54 ` Laszlo Ersek
2019-10-15 15:29 ` David Woodhouse
2019-10-15 16:56 ` Laszlo Ersek
2019-10-15 17:34 ` Laszlo Ersek
2019-10-16 9:40 ` David Woodhouse
2019-10-16 10:27 ` Laszlo Ersek
2019-10-15 15:57 ` David Woodhouse [this message]
2019-10-15 17:28 ` Laszlo Ersek
2019-10-10 2:45 ` Wu, Jiaxin
2019-10-09 15:54 ` Laszlo Ersek
2019-10-10 2:46 ` Wu, Jiaxin
2019-10-15 23:08 ` [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses Laszlo Ersek
2019-10-16 5:18 ` [edk2-devel] " Wu, Jiaxin
2019-10-16 7:36 ` Laszlo Ersek
2019-10-16 7:54 ` Laszlo Ersek
2019-10-16 7:56 ` David Woodhouse
2019-10-16 8:08 ` Laszlo Ersek
2019-10-16 9:19 ` David Woodhouse
2019-10-16 11:41 ` Laszlo Ersek
2019-10-16 13:35 ` David Woodhouse
2019-10-16 14:43 ` Laszlo Ersek
2019-10-16 15:25 ` David Woodhouse
2019-10-17 15:35 ` Laszlo Ersek
2019-10-17 15:49 ` David Woodhouse
2019-10-18 13:25 ` Laszlo Ersek
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 8:14 ` Laszlo Ersek
2019-10-24 19:47 ` Laszlo Ersek
2019-10-25 2:13 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-16 8:45 ` David Woodhouse
2019-10-16 11:01 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7962663e410ddb2652a9e3075589a1e3d6488213.camel@infradead.org \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox