Re: reg: Multiple Host Name Certificate

Re: reg: Multiple Host Name Certificate

[Sivaraman Nainar]

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]

Can you please help to confirm the behavior

From: Sivaraman Nainar
Sent: Friday, June 7, 2019 2:48 PM
To: devel@edk2.groups.io
Subject: reg: Multiple Host Name Certificate

Hello:

Can someone help to confirm if EDK2 supports multiple Host Name support.

We need to have an environment where the HTTPS request should work fine for IP & Host Name based access. When we create certificates with CN as Host Name and SAN as IP TLS Handshake works only for Host Name and it provides Handshake Error when the request are IP Based.

If this question need to be raised in other forum please help to redirect.

-Siva

[-- Attachment #2: Type: text/html, Size: 3066 bytes --]

Re: [edk2-devel] reg: Multiple Host Name Certificate

[David Woodhouse]

[-- Attachment #1: Type: text/plain, Size: 1209 bytes --]

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>  
> From: Sivaraman Nainar 
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>  
> Hello:
>  
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>  
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP TLS Handshake works only for Host
> Name and it provides Handshake Error when the request are IP Based.
>  
> If this question need to be raised in other forum please help to
> redirect.
>  


I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions. 

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?



[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5174 bytes --]

Re: [edk2-devel] reg: Multiple Host Name Certificate

[Sivaraman Nainar]

Hello :

This support added when we integrating "TianoCore Bug 960 (HTTPS_HostName_Validation)". This has the support for performing Host Name validation during HTTP Operations.

-Siva
-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of David Woodhouse
Sent: Thursday, June 20, 2019 4:18 PM
To: devel@edk2.groups.io; Sivaraman Nainar
Cc: jiaxin.wu@intel.com; siyuan.fu@intel.com
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>  
> From: Sivaraman Nainar 
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>  
> Hello:
>  
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>  
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP TLS Handshake works only for Host
> Name and it provides Handshake Error when the request are IP Based.
>  
> If this question need to be raised in other forum please help to
> redirect.
>  


I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions. 

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?

Re: [edk2-devel] reg: Multiple Host Name Certificate

[David Woodhouse]

[-- Attachment #1: Type: text/plain, Size: 544 bytes --]

On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
> This support added when we integrating "TianoCore Bug 960
> (HTTPS_HostName_Validation)". This has the support for performing
> Host Name validation during HTTP Operations.

Hm, I can't see bug 960, at least not without and account — and
bugzilla is sending its messages from an invalid address so registering
an account failed on the first attempt. I'll add it to the "known
broken senders" list and try again... in the meantime, do you have a
link to the code please? 

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5174 bytes --]

Re: [edk2-devel] reg: Multiple Host Name Certificate

[Laszlo Ersek]

Hello David,

On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support added when we integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
> 
> Hm, I can't see bug 960, at least not without and account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please? 

TianoCore#960 is a security BZ that I had reported on 2018-05-29.

The title of the ticket is

"server certificate with invalid domain name (CN) accepted in
HTTPS-over-IPv6 boot"

It is indeed the bug that you think it is ("From code inspection I'd
have guessed that the code would tolerate *any* valid certificate, even
for a host other than the one it actually attempted to connect to.")

There is still no CVE number assigned.

Patches exist, but have not been posted to the list yet.

--*--

Normally, my above comments (in public) would amount to breaking a live
security embargo. In reality, this is not the case. That's because the
UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so),
addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2
problem required changes to the UEFI spec too.

If you search both UEFI-2.7 and UEFI-2.8 for the enum constant
"EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the
cat had been let out of the bag when UEFI-2.8 was released. In effect,
*that* ended the embargo on TianoCore#960. The fact that TianoCore#960
is still unreadable to the public (including the attached patches) is
"merely" a technical tidbit. :/

I'm CC'ing you on the BZ now, so you can read it even before it gets
opened up.

Thanks
Laszlo

Re: [edk2-devel] reg: Multiple Host Name Certificate

[David Woodhouse]

[-- Attachment #1: Type: text/plain, Size: 471 bytes --]

On Thu, 2019-06-20 at 16:27 +0200, Laszlo Ersek wrote:
> It is indeed the bug that you think it is ("From code inspection I'd
> have guessed that the code would tolerate *any* valid certificate, even
> for a host other than the one it actually attempted to connect to.")

:)

> I'm CC'ing you on the BZ now, so you can read it even before it gets
> opened up.

... and I've pointed out the problem in the implementation of
TlsSetVerifyHost(). :)

Thanks.


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5174 bytes --]