From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.groups.io with SMTP id smtpd.web10.3413.1570694409961301914 for ; Thu, 10 Oct 2019 01:00:10 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 331D280F81; Thu, 10 Oct 2019 08:00:09 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-48.rdu2.redhat.com [10.10.120.48]) by smtp.corp.redhat.com (Postfix) with ESMTP id 572695C1B5; Thu, 10 Oct 2019 08:00:07 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) To: David Woodhouse , "Wu, Jiaxin" , "devel@edk2.groups.io" , "Wang, Jian J" , Bret Barkelew Cc: Richard Levitte References: <20190927034441.3096-1-Jiaxin.wu@intel.com> <69774fe6-ea00-44b9-5468-c092dea6cd36@redhat.com> <8106467c9f4132c831d0aa604e897fe9d4dda12a.camel@infradead.org> <895558F6EA4E3B41AC93A00D163B727416F5D921@SHSMSX107.ccr.corp.intel.com> <777053db79600eb90a19945700293d14f4978344.camel@infradead.org> <6bb5d2f6-ec6f-1766-e19b-03fd45c1bc12@redhat.com> <9A4966EE-76CD-465C-A6CA-70DD9E38D834@infradead.org> From: "Laszlo Ersek" Message-ID: <850a81a8-2cdc-0708-4ff7-db9825fdaedc@redhat.com> Date: Thu, 10 Oct 2019 10:00:05 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <9A4966EE-76CD-465C-A6CA-70DD9E38D834@infradead.org> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 10 Oct 2019 08:00:09 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 10/09/19 22:34, David Woodhouse wrote: > Can you show result of 'openssl x509 -noout -text -in xxxxxx.pem' on > your certs please. Sure. I had thought of that actually (I could have attached the certificates at once), but I figured, let me not share crypto stuff unless specifically asked for :) > Would like to check if you really have a cert for the hostname string > "192.168.124.2" or to the IP address. They are different things. Very interesting! This makes me curious. The *host* certificates were generated with the "genkey" utility ("Red Hat Keypair Generation"), not with naked openssl tool invocations. That's because Apache setup is not for the faint-hearted, and I had decided up-front (when I first looked into setting up mod_ssl) that I'd follow the official documentation, here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-web_servers So I ran genkey 'fd33:eb1b:9b36::2' genkey 192.168.124.2 and went through the dialogs, which were already filled in with the argument passed on the command line (which the genkey manual calls "hostname"). The *CA* cert was generated with openssl directly, however. Also, for signing the CSRs (certificate signing requests), produced by "genkey", I also used openssl manually. Please find the certificates below (including the CA certificate): > Certificate: > Data: > Version: 3 (0x2) > Serial Number: > a7:b5:04:75:6a:2f:ee:7e > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek@redhat.com > Validity > Not Before: Oct 9 16:06:08 2019 GMT > Not After : Nov 8 16:06:08 2019 GMT > Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek@redhat.com > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:d4:db:3b:fa:98:bd:15:02:3a:32:ea:64:d5:1d: > d8:80:03:fa:fb:4e:d8:47:45:3b:57:6a:36:80:83: > e1:6d:c4:0b:f7:24:00:ad:54:63:77:dd:86:71:f3: > fc:f4:e5:81:d4:6c:7d:23:b9:58:9e:cc:93:ee:93: > ed:24:62:8b:94:8f:de:3a:6a:a9:cd:1a:38:f0:df: > 17:91:7a:22:ca:35:94:3a:1f:cb:56:97:be:bb:69: > 1f:12:3a:7c:a4:35:6c:15:0e:27:a0:0a:2b:3d:61: > bd:ed:a6:84:29:bc:0a:d8:0c:98:4c:e9:7d:6b:36: > da:29:1d:49:57:8d:89:2a:62:e7:4f:00:56:46:9b: > a7:21:9f:b6:83:c7:dd:69:b0:8b:a3:bf:fa:ef:50: > a4:05:6f:b1:87:83:87:93:c7:ba:0e:cb:50:28:05: > f5:a7:0a:fe:be:13:71:1a:4b:6c:7b:f6:c9:cc:b2: > 65:cd:62:29:e3:08:c7:da:5c:ca:4d:dd:74:a4:d1: > 37:52:ea:ad:72:87:cf:48:f3:85:af:15:ab:e8:dc: > 50:f2:f7:7a:59:ed:b7:69:4f:a2:55:39:e5:ae:09: > 75:45:69:a5:3a:a0:cd:52:ee:f2:15:d5:3c:fc:c0: > 00:b7:25:71:ba:00:ba:63:08:8a:fc:b6:af:94:a4: > 5b:cb > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Subject Key Identifier: > 2F:A1:8A:8D:60:DC:74:D8:3C:46:B2:57:6C:E9:81:34:B1:72:82:F5 > X509v3 Authority Key Identifier: > keyid:2F:A1:8A:8D:60:DC:74:D8:3C:46:B2:57:6C:E9:81:34:B1:72:82:F5 > > X509v3 Basic Constraints: > CA:TRUE > Signature Algorithm: sha256WithRSAEncryption > 5f:fb:ca:7c:52:c6:81:f3:3f:48:02:c6:31:64:dc:a5:2f:a6: > 83:ef:b2:9d:68:7f:1a:e6:1d:8d:e0:50:08:ed:96:4f:56:8a: > eb:cd:3a:ac:74:f6:e4:68:55:0d:73:b3:bf:45:cd:35:e0:4b: > 70:bf:25:30:75:62:e1:5a:53:00:ff:ca:3c:c0:86:ad:44:73: > 5b:64:d8:85:ea:32:38:3b:4b:60:85:95:e5:10:f3:92:19:0e: > 55:67:26:c5:56:50:92:8c:d2:33:5b:5f:c6:27:c1:9a:6a:a5: > ad:1b:21:04:47:ce:94:f0:2a:38:26:43:5f:9b:c0:f5:33:80: > 59:72:33:e8:06:89:e1:7e:44:5c:cb:67:fa:f4:de:27:94:9c: > 44:1d:81:40:6f:46:bc:2f:93:89:30:48:99:bc:53:29:44:a7: > e1:9d:9c:05:98:14:3d:ab:e2:1c:3e:91:83:4a:74:9d:ed:14: > d4:86:2d:c0:4e:4e:20:fc:29:31:60:b9:63:50:23:52:b1:2f: > 9f:50:b4:d7:23:3e:08:c2:b3:bf:d3:b6:84:16:6d:71:fe:2a: > b0:71:f0:94:67:84:1d:45:8d:22:3d:4a:f4:65:73:0c:81:8a: > 4e:b7:52:b8:21:ab:ce:8d:50:e0:22:af:4f:2e:30:4f:95:8c: > 9c:26:0d:fe > Certificate: > Data: > Version: 1 (0x0) > Serial Number: > d1:ea:de:57:cb:4b:44:7b > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek@redhat.com > Validity > Not Before: Oct 9 16:22:49 2019 GMT > Not After : Nov 8 16:22:49 2019 GMT > Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=IPv6 cert, CN=fd33:eb1b:9b36::2 > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:d5:94:80:83:2c:fa:35:20:89:2c:b5:e8:f4:48: > 9a:f7:77:77:5c:9e:f4:cc:a7:f5:c7:d3:e8:29:0c: > 95:36:9f:ca:5c:dd:c0:d1:f5:14:14:eb:89:19:cc: > 8c:0e:35:d2:02:02:b5:56:d1:56:c4:f1:61:6c:cd: > ba:21:6d:27:e8:77:db:ec:12:c8:f0:c0:a9:97:2c: > 77:00:71:2d:36:b5:e7:08:10:d3:28:4b:96:ce:a1: > 4a:a6:ca:ca:9a:11:56:61:21:f2:2a:45:8c:02:a9: > 26:5d:46:d3:11:dd:35:b9:d8:19:26:cf:63:cf:d0: > f6:04:4f:07:24:27:e3:91:8b:9b:4b:01:61:ab:0a: > 4b:c9:c7:04:36:99:9b:94:e8:56:be:b8:14:08:73: > d4:f6:c1:0b:7f:10:20:bd:89:79:e5:9c:24:9f:03: > d2:b8:6b:20:b5:d1:dc:fe:ce:0d:8d:2b:a5:9b:a5: > 26:c4:85:90:4f:b9:e9:39:7b:c6:d7:9a:8a:e1:9f: > 47:93:db:dd:bc:d6:56:6c:16:10:b7:08:49:6b:38: > 7b:43:55:18:b3:e4:d4:69:94:df:51:21:7f:da:02: > 79:0f:da:65:b0:11:25:70:93:99:9d:a2:ab:8c:c9: > fb:ca:e2:7e:5f:b8:90:65:dd:fc:54:a7:ca:de:e3: > 6b:57 > Exponent: 65537 (0x10001) > Signature Algorithm: sha256WithRSAEncryption > 4d:e8:e4:17:02:74:af:a7:19:99:de:4b:44:e7:c1:7e:78:99: > b2:e3:8f:a6:59:67:c7:b7:df:83:b9:2a:aa:aa:01:65:2d:6f: > 0a:87:ec:49:31:01:9a:03:fd:66:36:37:cf:9a:d7:59:4f:ef: > a4:d8:c1:9d:55:b2:76:c4:1e:d7:98:3d:4e:12:25:1a:0a:51: > 40:e3:a0:45:3c:37:ad:f0:f8:c3:af:a1:52:47:97:77:ef:3f: > ad:d0:56:97:e0:83:c5:e9:f0:d5:e5:74:57:fe:b2:85:86:e7: > cd:e9:36:c0:54:cf:aa:35:4d:b6:81:42:6f:3a:9c:c4:5b:84: > 31:fc:3c:d6:42:1c:07:2d:62:59:ff:0b:f4:c4:56:e0:2c:bf: > 41:f4:63:40:05:c3:27:08:6c:a0:04:4c:c2:d2:8d:23:a0:30: > 7c:c2:58:92:ad:14:25:e3:39:3f:53:37:1d:3e:20:57:94:3f: > c9:64:d9:a3:11:d9:41:52:2e:28:00:49:72:0e:0c:96:89:02: > 1c:10:7e:cf:81:61:6c:54:97:40:f2:06:98:96:51:da:62:3a: > c6:10:fb:3a:4c:47:65:ea:e7:86:b2:bb:94:3d:de:93:ff:72: > b5:29:a7:53:ec:32:f5:dd:7d:09:18:70:89:58:b9:e9:41:8c: > ca:0e:2a:5b > Certificate: > Data: > Version: 1 (0x0) > Serial Number: > d1:ea:de:57:cb:4b:44:7a > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=Certificate Authority, CN=Laszlo Ersek CA/emailAddress=lersek@redhat.com > Validity > Not Before: Oct 9 16:20:46 2019 GMT > Not After : Nov 8 16:20:46 2019 GMT > Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, OU=IPv4 cert, CN=192.168.124.2 > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (2048 bit) > Modulus: > 00:c8:e8:5a:b7:57:de:8c:5f:e9:71:8b:ca:4f:41: > 9c:6b:33:c7:d7:45:ab:41:6e:b0:77:00:bd:a6:39: > ab:e0:fb:23:05:e6:69:c4:56:9b:12:ec:46:fb:86: > 75:7e:11:66:c7:8f:f4:db:ce:e7:ce:70:56:26:3c: > e1:d9:81:6e:44:cd:56:90:9f:20:fd:ed:a7:be:ad: > 8a:7b:c3:98:3e:c9:ba:ec:eb:79:4d:a2:1c:93:89: > 89:0a:1a:4e:7b:31:c5:2f:cd:cc:90:d6:07:22:56: > 9c:e8:e9:51:65:18:e2:31:05:cd:49:52:54:8c:a1: > 1b:51:fa:8a:fa:66:9e:39:29:88:1a:e1:c5:31:ea: > 16:25:4a:95:47:4c:53:d1:20:dd:2c:29:32:e5:d8: > 0b:32:2d:52:c5:32:68:f7:7a:cf:15:d3:4f:95:03: > c9:0b:8b:46:b9:c8:e4:46:77:01:08:d7:ad:c3:0a: > 15:e2:70:62:a1:6f:d8:08:f0:60:9f:ee:34:f6:95: > 5c:f3:c2:e0:e2:18:ec:ff:4c:74:9e:92:5a:8f:8b: > be:38:f0:99:44:0f:95:34:a6:cb:f7:5d:59:72:30: > 58:f7:0c:3b:5a:23:d4:bc:26:71:47:7f:08:f0:fa: > 11:79:55:56:ed:bf:da:4f:df:55:d6:87:91:13:9e: > 54:8d > Exponent: 65537 (0x10001) > Signature Algorithm: sha256WithRSAEncryption > a2:f7:e8:7c:28:be:66:97:73:80:9a:38:4f:58:de:44:6f:10: > 97:b1:e6:d4:1b:00:e8:49:77:09:3f:b2:34:0c:cc:93:42:cc: > ff:7e:97:51:7e:ce:3d:f6:9f:e8:22:e5:d5:da:e5:db:f9:96: > 4c:07:11:0b:ff:57:07:98:89:df:27:9d:30:f5:e3:6d:19:d0: > b4:50:36:63:63:a9:9c:e1:a9:80:14:c7:07:9b:f0:d1:58:a8: > 00:3d:34:0c:7d:25:2f:a1:0c:4a:b8:98:61:9d:c8:8e:83:b0: > e2:b1:06:61:62:5d:67:28:32:f4:88:18:4a:13:52:55:ef:75: > 23:f2:6b:ce:d2:64:f7:07:c4:1f:50:6e:f4:1f:1f:d5:0f:fe: > fa:33:62:e5:af:0a:1d:19:fb:e0:73:82:82:ed:6e:5b:21:81: > 5e:62:b8:30:8a:20:f9:4f:a8:5b:f2:55:c2:68:92:ad:d8:b1: > ae:ea:a0:d5:39:60:fd:f2:5f:23:62:43:de:2e:b6:3e:11:ac: > 12:7b:94:e3:b9:84:6c:2f:8e:04:8a:2b:af:5a:08:f4:7b:dc: > 61:b4:9a:19:00:d5:fb:14:33:52:4c:49:c2:18:cd:73:8e:e8: > d1:45:9b:ba:57:6b:5a:db:31:d7:70:13:d5:a8:26:5c:77:88: > ba:be:09:d3 Futhermore, my Apache config is, for the "proper" certificate assignment case (excerpt from "/etc/httpd/conf.d/ssl.conf"): > > SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA > SSLCertificateFile /etc/pki/tls/certs/fd33:eb1b:9b36::2.signedcert.pem > SSLCertificateKeyFile /etc/pki/tls/private/fd33:eb1b:9b36::2.key > > SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 > SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA > SSLCertificateFile /etc/pki/tls/certs/192.168.124.2.signedcert.pem > SSLCertificateKeyFile /etc/pki/tls/private/192.168.124.2.key Thanks Laszlo