From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Sivaraman Nainar" <sivaramann@amiindia.co.in>
To: "Wu, Jiaxin", "Fu, Siyuan"
CC: "Madhan B. Santharam", "Arun Subramanian B", Bhuvaneshwari M R, Ramesh R., Srini Narayana
Subject: reg: Host Name Validation with Wild Card Certificate
Date: Fri, 6 Mar 2020 06:07:07 +0000

Hello all:

Need a clarification on the Host Name support added in the HTTP Boot.

When certificates are generated with the Wild Card in the SAN, the host name validation fails with the below error codes.

Ex: DNS Name=*.ami.internal-test.com

TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86
Http Request failed. Code=Aborted

If the Host verify flag is changed from

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;

To

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;

Then the Http request can pass.

Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certificates to have each URL with exact Host Name?

Thanks
Siva
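As an added example (not code from the edk2 project or from the mail above), a small C matcher that models the host name check the two flag settings in the report select: with a flag value of zero the wildcard in the left-most SAN label is honoured and the remaining labels must still match exactly, while a NO_WILDCARDS flag rejects every wildcard pattern, which is the handshake failure described above. The flag values (taken to mirror OpenSSL's X509_CHECK_FLAG_* bits) and the host name boot.ami.internal-test.com are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Local stand-ins for EFI_TLS_VERIFY_FLAG_* (values assumed to mirror
 * OpenSSL's X509_CHECK_FLAG_* bits; only these three are modelled). */
#define VERIFY_FLAG_NONE                 0x00  /* default: left-most-label wildcard allowed */
#define VERIFY_FLAG_NO_WILDCARDS         0x02  /* reject every pattern containing '*' */
#define VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04  /* reject "b*.example", allow "*.example" */

/* Returns true when SAN dNSName 'pattern' matches 'host' under 'flags'.
 * '*' may appear only in the left-most label and must be the only '*';
 * the host needs the same label count, so "*.a.b" matches "x.a.b"
 * but not "y.x.a.b" and not the bare "a.b". Comparison is case-insensitive. */
bool san_dns_match(const char *pattern, const char *host, unsigned flags) {
  const char *star = strchr(pattern, '*');
  if (star == NULL)                        /* plain dNSName: exact match */
    return strcasecmp(pattern, host) == 0;
  if (flags & VERIFY_FLAG_NO_WILDCARDS)    /* the setting the report started with */
    return false;
  const char *pdot = strchr(pattern, '.');
  if (pdot == NULL || star > pdot || strchr(star + 1, '*') != NULL)
    return false;                          /* '*' outside the left-most label */
  if ((flags & VERIFY_FLAG_NO_PARTIAL_WILDCARDS) &&
      (star != pattern || pdot != star + 1))
    return false;                          /* partial label wildcard refused */
  const char *hdot = strchr(host, '.');
  if (hdot == NULL || strcasecmp(pdot, hdot) != 0)
    return false;                          /* parent labels must match exactly */
  size_t prefix = (size_t)(star - pattern);   /* text before '*' in the label */
  size_t suffix = (size_t)(pdot - star - 1);  /* text after '*' in the label */
  size_t hlabel = (size_t)(hdot - host);      /* length of host's first label */
  if (hlabel == 0 || hlabel < prefix + suffix)
    return false;
  return strncasecmp(pattern, host, prefix) == 0 &&
         strncasecmp(star + 1, hdot - suffix, suffix) == 0;
}

int main(void) {
  /* Constructed sample: the SAN from the mail against an assumed boot host. */
  const char *san = "*.ami.internal-test.com";
  const char *host = "boot.ami.internal-test.com";
  printf("NO_WILDCARDS: %s\n", san_dns_match(san, host, VERIFY_FLAG_NO_WILDCARDS) ? "match" : "reject");
  printf("NONE        : %s\n", san_dns_match(san, host, VERIFY_FLAG_NONE) ? "match" : "reject");
  return 0;
}
```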