From: "Sivaraman Nainar" <sivaramann@amiindia.co.in>
To: devel@edk2.groups.io, "Wu, Jiaxin" <jiaxin.wu@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>
Cc: "Madhan B. Santharam" <madhans@ami.com>,
"Arun Subramanian B" <arunsubramanianb@ami.com>,
Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>,
Ramesh R. <rameshr@ami.com>, Srini Narayana <SriniN@ami.com>
Subject: reg: Host Name Validation with Wild Card Certificate
Date: Fri, 6 Mar 2020 06:07:07 +0000
Message-ID: <B4DE137BDB63634BAC03BD9DE765F197029AE9C609@VENUS1.in.megatrends.com>
Hello all:
Need a clarification on the Host Name support added in the HTTP Boot.
When certificates are generated with a wildcard in the SAN, the host name validation fails with the error codes below.
Ex: DNS Name=*.ami.internal-test.com
TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86
Http Request failed. Code=Aborted
If the Host verify flag is changed from
HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
To
HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
Then the Http request can pass.
Is the host name support strictly not allowing wildcard support? In this case do we need to have multiple certificates to have each URL with an exact host name?
Thanks
Siva
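An added example, not from this thread or the EDK2 sources, of the two host-name matching rules the question contrasts: a literal-only check, which is what disabling wildcards amounts to, beside the usual single-label wildcard rule. It assumes the wildcard semantics of OpenSSL's default host check (the "*" must be the whole leftmost label and at least two labels must follow it); the function name match_dns_name and the no_wildcards parameter are the example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* DNS names compare case-insensitively (RFC 4343). */
static bool names_equal(const char *a, const char *b)
{
    size_t len = strlen(a);
    if (len != strlen(b))
        return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

static int count_dots(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '.')
            n++;
    return n;
}

/*
 * Decide whether a dNSName SAN entry covers the requested host name.
 * no_wildcards != 0 models a "no wildcards" verify flag: "*" is never
 * special, so only an exact (case-insensitive) name matches.
 * no_wildcards == 0 models the default rule assumed here: "*" may stand for
 * exactly one whole leftmost label, and at least two labels must follow it
 * (so "*.ami.internal-test.com" is usable, "*.com" is rejected).
 */
bool match_dns_name(const char *pattern, const char *host, int no_wildcards)
{
    bool wildcard = (pattern[0] == '*' && pattern[1] == '.');

    if (no_wildcards || !wildcard)
        return names_equal(pattern, host);

    if (count_dots(pattern) < 2)
        return false;                   /* reject overly broad patterns */

    /* The wildcard covers one label only: drop the host's leftmost label
     * and require the remainder to equal the pattern's ".suffix". */
    const char *suffix = strchr(host, '.');
    if (suffix == NULL || suffix == host)
        return false;                   /* no leftmost label to consume */
    return names_equal(pattern + 1, suffix);
}
```

With the thread's certificate, a host such as boot.ami.internal-test.com matches only when wildcards are permitted; under the literal rule the same host needs a certificate naming it exactly.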