From: Sivaraman Nainar
To: Wu, Jiaxin; Fu, Siyuan
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana
Subject: reg: Host Name Validation with Wild Card Certificate
Date: Fri, 6 Mar 2020 06:07:07 +0000

Hello all:

Need a clarification on the Host Name support added in the HTTP Boot.

When certificates are generated with the Wild Card in the SAN, the host name validation is failing with the below error codes.

Ex: DNS Name=*.ami.internal-test.com

TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86
Http Request failed. Code=Aborted

If the Host verify flag is changed from

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;

To

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;

Then the Http request can pass.

Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certificates to have each URL with exact Host Name?

Thanks
Siva

From: Sivaraman Nainar
To: devel@edk2.groups.io; Wu, Jiaxin; lersek@redhat.com
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana; Sivaraman Nainar; Fu, Siyuan
Subject: Re: reg: Host Name Validation with Wild Card Certificate
Date: Tue, 10 Mar 2020 09:04:01 +0000

Hello Jiaxin:

Would you please provide your comments on the below Query.

-Siva

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Sivaraman Nainar
Sent: Friday, March 6, 2020 11:37 AM
To: Wu, Jiaxin; Fu, Siyuan
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana
Subject: [edk2-devel] reg: Host Name Validation with Wild Card Certificate

From: Wu, Jiaxin
To: Sivaraman Nainar; devel@edk2.groups.io; lersek@redhat.com
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana; Fu, Siyuan
Subject: Re: reg: Host Name Validation with Wild Card Certificate
Date: Thu, 12 Mar 2020 00:04:08 +0000

Hi Siva,

That's just my implementation to restrict the wildcards support. If you have the real usage case, please report a Bugzilla to support the wildcards; it will be better to provide the usage case in the Bugzilla.

Thanks,
Jiaxin

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: Tuesday, March 10, 2020 5:04 PM
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; lersek@redhat.com
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>; Srini Narayana <SriniN@ami.com>; Sivaraman Nainar <sivaramann@amiindia.co.in>; Fu, Siyuan <siyuan.fu@intel.com>
Subject: RE: reg: Host Name Validation with Wild Card Certificate
