* reg: Host Name Validation with Wild Card Certificate
@ 2020-03-06  6:07 Sivaraman Nainar
  2020-03-07 22:40 ` [edk2-devel] " Sean
  0 siblings, 1 reply; 5+ messages in thread
From: Sivaraman Nainar @ 2020-03-06  6:07 UTC (permalink / raw)
  To: Wu, Jiaxin, Fu, Siyuan
  Cc: Madhan B. Santharam, Arun Subramanian  B, Bhuvaneshwari M R,
	Ramesh R., Srini Narayana


Hello all:

Need a clarification on the Host Name support added in the HTTP Boot.

When certificates are generated with a wildcard in the SAN, the host name validation fails with the error codes below.
Ex: DNS Name=*.ami.internal-test.com

TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86
Http Request failed. Code=Aborted

If the Host verify flag is changed from
HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
To
HttpInstance->TlsConfigData.VerifyHost.Flags    =  EFI_TLS_VERIFY_FLAG_NONE;

Then the Http request can pass.

Is the host name support strictly not allowing wildcards? In this case, do we need to have multiple certificates so that each URL has an exact host name?

Thanks
Siva


* Re: [edk2-devel] reg: Host Name Validation with Wild Card Certificate
  2020-03-06  6:07 reg: Host Name Validation with Wild Card Certificate Sivaraman Nainar
@ 2020-03-07 22:40 ` Sean
  2020-03-08  8:54   ` Laszlo Ersek
  0 siblings, 1 reply; 5+ messages in thread
From: Sean @ 2020-03-07 22:40 UTC (permalink / raw)
  To: Sivaraman Nainar, devel


The name of this flag is terrible, but if you read the 2.8 spec,
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf
page 1436, it says:
EFI_TLS_VERIFY_FLAG_NONE means no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label.

In the HttpDxe driver we made a change to support wildcards as wildcards are pretty commonly used in web services.
https://github.com/microsoft/mu_basecore/commit/931ff1a45ce13a6a8c3e296f89c6de21f23a17ed#diff-45ead71899abef9932d2697dbd1d8867

There is a lot of noise on this thread, but it's the best I can find.
https://bugzilla.tianocore.org/show_bug.cgi?id=960

We might need to open a new Bugzilla, as I think 960 is resolved but is too strict for practical usage.

Thanks
Sean

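To make the two behaviours in this thread concrete (the spec wording Sean quotes, where a wildcard matches only in the left-most label, versus the strict NO_WILDCARDS mode Siva hit), here is an added stand-alone C illustration. It is not code from EDK2's HttpDxe or TlsLib; the function name, the two flag macros, and the sample names are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the two EFI_TLS_VERIFY_FLAG_* values discussed. */
#define VERIFY_FLAG_NONE          0u
#define VERIFY_FLAG_NO_WILDCARDS  1u

/* Case-insensitive equality of two NUL-terminated strings
 * (DNS names compare case-insensitively). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Does a SAN dNSName entry from the certificate match the requested host?
 * A wildcard is honoured only when it is the entire left-most label, the
 * pattern keeps at least two further labels, and NO_WILDCARDS is not set.
 * Partial wildcards ("b*.example.com") and a '*' in any other label are
 * always rejected. */
bool hostname_matches(const char *dns_name, const char *host, unsigned flags)
{
    const char *star = strchr(dns_name, '*');

    if (star == NULL)                         /* plain name: exact match */
        return ieq(dns_name, host);

    if (flags & VERIFY_FLAG_NO_WILDCARDS)     /* strict mode: any '*' fails */
        return false;

    /* Only the exact form "*.<at-least-two-labels>" is acceptable. */
    if (star != dns_name || dns_name[1] != '.' ||
        strchr(dns_name + 2, '*') != NULL || strchr(dns_name + 2, '.') == NULL)
        return false;

    /* The host needs a non-empty left-most label, and everything after
     * that label must equal the pattern's suffix. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return false;
    return ieq(dns_name + 2, hdot + 1);
}
```

With the constructed SAN entry `*.ami.internal-test.com` and host `boot.ami.internal-test.com`, the NONE mode accepts and the NO_WILDCARDS mode rejects, which is exactly the difference between the two flag settings in the original report.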

* Re: [edk2-devel] reg: Host Name Validation with Wild Card Certificate
  2020-03-07 22:40 ` [edk2-devel] " Sean
@ 2020-03-08  8:54   ` Laszlo Ersek
  0 siblings, 0 replies; 5+ messages in thread
From: Laszlo Ersek @ 2020-03-08  8:54 UTC (permalink / raw)
  To: sean.brogan; +Cc: devel, Sivaraman Nainar, Jeremiah Cox

On 03/07/20 23:40, Sean via Groups.Io wrote:
> The name of this flag is terrible but if you read the 2.8 spec.
> https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf
> page 1436.
> Says:
> EFI_TLS_VERIFY_FLAG_NONE means no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label.
> 
> In the HttpDxe driver we made a change to support wildcards as wildcards are pretty commonly used in web services.
> https://github.com/microsoft/mu_basecore/commit/931ff1a45ce13a6a8c3e296f89c6de21f23a17ed#diff-45ead71899abef9932d2697dbd1d8867
> 
> There is a lot of noise on this thread, but it's the best I can find.
> https://bugzilla.tianocore.org/show_bug.cgi?id=960
> 
> We might need to open a new Bugzilla, as I think 960 is resolved but is too strict for practical usage.

Yes, please open a new Bugzilla ticket for investigating
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS vs. EFI_TLS_VERIFY_FLAG_NONE.

Thanks!
Laszlo



* Re: reg: Host Name Validation with Wild Card Certificate
       [not found] <15F9A1F7132299A3.15852@groups.io>
@ 2020-03-10  9:04 ` Sivaraman Nainar
  2020-03-12  0:04   ` Wu, Jiaxin
  0 siblings, 1 reply; 5+ messages in thread
From: Sivaraman Nainar @ 2020-03-10  9:04 UTC (permalink / raw)
  To: devel@edk2.groups.io, Wu, Jiaxin, lersek@redhat.com
  Cc: Madhan B. Santharam, Arun Subramanian  B, Bhuvaneshwari M R,
	Ramesh R., Srini Narayana, Sivaraman Nainar, Fu, Siyuan


Hello Jiaxin:

Would you please provide your comments on the query below?

-Siva

* Re: reg: Host Name Validation with Wild Card Certificate
  2020-03-10  9:04 ` Sivaraman Nainar
@ 2020-03-12  0:04   ` Wu, Jiaxin
  0 siblings, 0 replies; 5+ messages in thread
From: Wu, Jiaxin @ 2020-03-12  0:04 UTC (permalink / raw)
  To: Sivaraman Nainar, devel@edk2.groups.io, lersek@redhat.com
  Cc: Madhan B. Santharam, Arun Subramanian  B, Bhuvaneshwari M R,
	Ramesh R., Srini Narayana, Fu, Siyuan


Hi Siva,

That's just my implementation to restrict wildcard support. If you have a real usage case, please report a Bugzilla to support wildcards; it will be better to provide the usage case in the Bugzilla.

Thanks,
Jiaxin

