From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>, devel@edk2.groups.io, lersek@redhat.com
Cc: Madhan B. Santharam <madhans@ami.com>, Arun Subramanian B <arunsubramanianb@ami.com>, Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>, Ramesh R. <rameshr@ami.com>, Srini Narayana <SriniN@ami.com>, "Fu, Siyuan" <siyuan.fu@intel.com>
Subject: Re: reg: Host Name Validation with Wild Card Certificate
Date: Thu, 12 Mar 2020 00:04:08 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B72741703F5D7@SHSMSX107.ccr.corp.intel.com>

Hi Siva,

 

That's just my implementation to restrict the wildcards support, if you have the real usage case, please report Bugzilla to support the wildcards, it will be better to provide the usage case in the bugzilla.

 

Thanks,

Jiaxin

 

 

 

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Tuesday, March 10, 2020 5:04 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; lersek@redhat.com
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>; Srini Narayana <SriniN@ami.com>; Sivaraman Nainar <sivaramann@amiindia.co.in>; Fu, Siyuan <siyuan.fu@intel.com>
Subject: RE: reg: Host Name Validation with Wild Card Certificate

 

Hello Jiaxin:

 

Would you please provide your comments on the below Query.

 

-Siva

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Sivaraman Nainar
Sent: Friday, March 6, 2020 11:37 AM
To: To:; Wu, Jiaxin; Fu, Siyuan
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana
Subject: [edk2-devel] reg: Host Name Validation with Wild Card Certificate

 

Hello all:

 

Need a clarification on the Host Name support added in the HTTP Boot.

 

When certificates are generated with the Wild Card in the SAN, the host name validation is getting failed with the below error codes.

Ex: DNS Name=*.ami.internal-test.com

TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL

TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86

Http Request failed. Code=Aborted

 

If the Host verify flag is changed from

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;

To

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;

 

Then the Http request can pass.

 

Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certificates to have each URL with exact Host Name?

 

Thanks

Siva

This e-mail is intended for the use of the addressee only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.

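The behaviour Siva observes, as an added worked example that is not part of the thread and not edk2's or OpenSSL's code: a small Python host name matcher in which a `NO_WILDCARDS` flag plays the role of `EFI_TLS_VERIFY_FLAG_NO_WILDCARDS` and `NONE` plays `EFI_TLS_VERIFY_FLAG_NONE`. The `VerifyFlag` enum, the function names and the sample SAN lists are assumptions made for the example; the wildcard rule implemented is the strict form most validators use (a lone `*` as the whole leftmost label, standing for exactly one label), which is narrower than everything RFC 6125 permits, and no public suffix check is done.

```python
"""Host name vs. SAN dNSName matching, with and without wildcard support.

Added example, not edk2's or OpenSSL's code. VerifyFlag.NO_WILDCARDS models
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS from the thread; VerifyFlag.NONE models
EFI_TLS_VERIFY_FLAG_NONE. Only the strict wildcard form is accepted (a lone
'*' as the entire leftmost label, matching exactly one label); no public
suffix check is performed. Both are assumptions made for this example.
"""
from enum import Flag
from typing import Iterable, List, Optional


class VerifyFlag(Flag):
    NONE = 0          # wildcards in dNSName entries are honoured
    NO_WILDCARDS = 1  # only exact (case-insensitive) dNSName matches count


def _labels(name: str) -> List[str]:
    # Host names are case-insensitive; a trailing dot (FQDN form) is ignored.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern: str, hostname: str,
                     flags: VerifyFlag = VerifyFlag.NONE) -> bool:
    """Does one SAN dNSName entry cover `hostname` under `flags`?"""
    pat, host = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return pat == host                  # plain entry: exact match only
    if VerifyFlag.NO_WILDCARDS in flags:
        return False                        # the thread's case: *.ami... rejected
    # Strict wildcard rule: '*' must be the entire leftmost label, no other
    # label may contain '*', and at least two labels must follow it
    # (so '*.com' or a bare '*' never matches anything).
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
        return False
    # The wildcard stands for exactly one label: 'a.b.ami.example' is not covered.
    return len(host) == len(pat) and host[1:] == pat[1:]


def verify_host(san_dns_names: Iterable[str], hostname: str,
                flags: VerifyFlag = VerifyFlag.NONE) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None (handshake fails)."""
    for entry in san_dns_names:
        if dns_name_matches(entry, hostname, flags):
            return entry
    return None


# Constructed sample SAN lists: the wildcard certificate from the thread and
# the "one exact name per host" alternative Siva asks about.
WILDCARD_SAN = ["*.ami.internal-test.com"]
EXACT_SAN = ["boot1.ami.internal-test.com", "boot2.ami.internal-test.com"]

if __name__ == "__main__":
    host = "boot1.ami.internal-test.com"
    for flags in (VerifyFlag.NO_WILDCARDS, VerifyFlag.NONE):
        print(flags.name, "wildcard cert  ->", verify_host(WILDCARD_SAN, host, flags))
        print(flags.name, "exact-name cert ->", verify_host(EXACT_SAN, host, flags))
```

Under `NO_WILDCARDS` the wildcard certificate never covers `boot1.ami.internal-test.com`, which is the handshake failure in the log above, while a certificate whose SAN lists each exact host name passes under either flag; that is the trade-off between the two flag settings and the per-host certificates Siva asks about.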