From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"Wang, Jian J" <jian.j.wang@intel.com>,
Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Richard Levitte <levitte@openssl.org>
Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)
Date: Fri, 11 Oct 2019 02:24:38 +0000 [thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B727416F7E4AB@SHSMSX107.ccr.corp.intel.com> (raw)
In-Reply-To: <23699ae3-10c2-037c-b3f5-ac8f5bea1fb7@redhat.com>
Hi Laszlo & David,
I think I have *repeated* several times that we are targeting to fix the HostName validation issue, not the IP or email address. *But* even so, the series patches for UEFI TLS is also allowable to specify IP as host name for CN or dNSName of SAN in the certificate. That's why I said "if the CN or SAN in the certificate are set correctly, it should be OK to pass the verification". The failure you mentioned here is to set the IP in iPAddress of SAN, I agree it's the routine and suggested setting, *but* obviously, it's not the target we are supported according the implementation/description of TlsSetVerifyHost. We are targeting to the hostname verification, and meanwhile compatible with the IP in the URI (But need the *correct* certificate setting).
IP addresses stored in the DNS names and CN are of cause ignored by X509_check_ip & X509_check_ip_asc().
Post my explain again:
> UEFI TLS only provides the *HostName* verification interface to upper driver (HttpDxe),
> not the IP/email verification capability. Please refer to UEFI Spec2.8 section 28.10.2:
> "...TLS session hostname for validation which is used to verify whether the name
> within the peer certificate matches a given host name..."
> In upper UEFI HTTP driver, we get the hostname from URI directly no matter it's the real
> FQDN (www.xxx.com) or IP address format string (1.2.3.4 or 2001:8b0:10b::5 (not "[2001:8b0:10b::5])),
> and set it to the TLS hostname filed via the interface -- EFI_TLS_VERIFY_HOST.
> That's implementation choice for HttpDxe to achieve the HTTPS HostName validation feature
> by following the standard TLS HostName verification capability.
Now, let's talking the iPAddress setting in SAN (same as email address), if you do need such feature that verify the IP in X509_check_ip & X509_check_ip_asc , please report new Bugzilla (need TLS Spec update the expose the setting interface), don't mix up the HTTPS hostname verification here.
Thanks,
Jiaxin
> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Friday, October 11, 2019 2:04 AM
> To: David Woodhouse <dwmw2@infradead.org>; Wu, Jiaxin
> <jiaxin.wu@intel.com>; devel@edk2.groups.io; Wang, Jian J
> <jian.j.wang@intel.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Richard Levitte <levitte@openssl.org>
> Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName
> validation feature(CVE-2019-14553)
>
> On 10/10/19 17:45, David Woodhouse wrote:
> > On Thu, 2019-10-10 at 10:00 +0200, Laszlo Ersek wrote:
> >>> Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office,
> OU=IPv6 cert, CN=fd33:eb1b:9b36::2
> >
> > Yeah, you're not actually testing the case I'm talking about. You want
> > a GEN_IP in the x509v3 Subject Alternative Name.
> >
> > Compare with...
> >
> > $ openssl s_client -connect vpn-i-ha01.intel.com:443 2>/dev/null | openssl
> x509 -noout -text | grep -A1 Alternative
> > X509v3 Subject Alternative Name:
> > DNS:vpn-int.intel.com, DNS:scsidcint01-a.intel.com, IP
> Address:134.191.232.101
> >
> > $ curl https://134.191.232.101/
> >
>
> OK, thank you.
>
> I can imagine two failure modes, with the patches applied.
>
> (1) Edk2 ignores the GEN_IP in the SAN, and rejects a matching server
> certificate.
>
> (2) Edk2 is confused by the GEN_IP in the SAN, and accepts an invalid
> (mismatched) server certificate.
>
> Can we tell which failure mode applies?
>
> (I can't test it easily myself, as I don't even know how to create a
> server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)
>
> Case (2) is clearly bad, and it would be a sign that the patch series
> does not fully fix the issue.
>
> Case (1) would be tolerable, in my opinion. I assume a GEN_IP SAN is
> pretty rare in practice. Thus regressing it (perhaps temporarily) should
> be an acceptable trade-off for fixing the current gaping hole (= subject
> name not checked at all).
>
> Thanks
> Laszlo
next prev parent reply other threads:[~2019-10-11 2:24 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-27 3:44 [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 1/4] MdePkg/Include/Protocol/Tls.h: Add the data type of EfiTlsVerifyHost(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 2/4] CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost"(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 3/4] NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe driver(CVE-2019-14553) Wu, Jiaxin
2019-09-27 3:44 ` [PATCH v1 4/4] NetworkPkg/HttpDxe: Set the HostName for the verification(CVE-2019-14553) Wu, Jiaxin
2019-09-29 6:09 ` [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) Wang, Jian J
2019-09-30 23:21 ` Laszlo Ersek
2019-10-01 9:02 ` David Woodhouse
2019-10-08 6:19 ` Wu, Jiaxin
2019-10-09 7:53 ` David Woodhouse
2019-10-09 20:24 ` Laszlo Ersek
2019-10-09 20:34 ` David Woodhouse
2019-10-10 3:11 ` Wu, Jiaxin
2019-10-10 8:00 ` Laszlo Ersek
2019-10-10 15:45 ` David Woodhouse
2019-10-10 18:03 ` Laszlo Ersek
2019-10-11 2:24 ` Wu, Jiaxin [this message]
2019-10-11 6:58 ` David Woodhouse
2019-10-11 8:04 ` Wu, Jiaxin
2019-10-11 10:55 ` Laszlo Ersek
2019-10-11 11:16 ` David Woodhouse
2019-10-11 15:36 ` Laszlo Ersek
2019-10-11 16:01 ` David Woodhouse
2019-10-14 16:15 ` Laszlo Ersek
2019-10-14 16:20 ` Laszlo Ersek
2019-10-14 16:53 ` David Woodhouse
2019-10-15 11:03 ` David Woodhouse
2019-10-15 11:06 ` David Woodhouse
2019-10-15 13:54 ` Laszlo Ersek
2019-10-15 15:29 ` David Woodhouse
2019-10-15 16:56 ` Laszlo Ersek
2019-10-15 17:34 ` Laszlo Ersek
2019-10-16 9:40 ` David Woodhouse
2019-10-16 10:27 ` Laszlo Ersek
2019-10-15 15:57 ` David Woodhouse
2019-10-15 17:28 ` Laszlo Ersek
2019-10-10 2:45 ` Wu, Jiaxin
2019-10-09 15:54 ` Laszlo Ersek
2019-10-10 2:46 ` Wu, Jiaxin
2019-10-15 23:08 ` [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses Laszlo Ersek
2019-10-16 5:18 ` [edk2-devel] " Wu, Jiaxin
2019-10-16 7:36 ` Laszlo Ersek
2019-10-16 7:54 ` Laszlo Ersek
2019-10-16 7:56 ` David Woodhouse
2019-10-16 8:08 ` Laszlo Ersek
2019-10-16 9:19 ` David Woodhouse
2019-10-16 11:41 ` Laszlo Ersek
2019-10-16 13:35 ` David Woodhouse
2019-10-16 14:43 ` Laszlo Ersek
2019-10-16 15:25 ` David Woodhouse
2019-10-17 15:35 ` Laszlo Ersek
2019-10-17 15:49 ` David Woodhouse
2019-10-18 13:25 ` Laszlo Ersek
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 8:14 ` Laszlo Ersek
2019-10-24 19:47 ` Laszlo Ersek
2019-10-25 2:13 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-25 2:12 ` Wu, Jiaxin
2019-10-16 8:45 ` David Woodhouse
2019-10-16 11:01 ` David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=895558F6EA4E3B41AC93A00D163B727416F7E4AB@SHSMSX107.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox