* reg: Host Name Validation with Wild Card Certificate @ 2020-03-06 6:07 Sivaraman Nainar 2020-03-07 22:40 ` [edk2-devel] " Sean 0 siblings, 1 reply; 5+ messages in thread From: Sivaraman Nainar @ 2020-03-06 6:07 UTC (permalink / raw) To: To:, Wu, Jiaxin, Fu, Siyuan Cc: Madhan B. Santharam, Arun Subramanian B, Bhuvaneshwari M R, Ramesh R., Srini Narayana [-- Attachment #1: Type: text/plain, Size: 825 bytes --] Hello all: Need a clarification on the Host Name support added in the HTTP Boot. When certificates are generated with the Wild Card in the SAN the host name validation is getting failed with the below error codes. Ex: DNS Name=*.ami.internal-test.com TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86 Http Request failed. Code=Aborted If the Host verify flag is changed from HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; To HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; Then the Http request can pass. Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certiricate to have each URL with exact Host Name? Thanks Siva [-- Attachment #2: Type: text/html, Size: 4050 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] reg: Host Name Validation with Wild Card Certificate 2020-03-06 6:07 reg: Host Name Validation with Wild Card Certificate Sivaraman Nainar @ 2020-03-07 22:40 ` Sean 2020-03-08 8:54 ` Laszlo Ersek 0 siblings, 1 reply; 5+ messages in thread From: Sean @ 2020-03-07 22:40 UTC (permalink / raw) To: Sivaraman Nainar, devel [-- Attachment #1: Type: text/plain, Size: 798 bytes --] The name of this flag is terrible but if you read the 2.8 spec. https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf page 1436. Says: EFI_TLS_VERIFY_FLAG_NONE means no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label. In the HttpDxe driver we made a change to support wildcards as wildcards are pretty commonly used in web services. https://github.com/microsoft/mu_basecore/commit/931ff1a45ce13a6a8c3e296f89c6de21f23a17ed#diff-45ead71899abef9932d2697dbd1d8867 There is a lot of noise on this thread but its the best i can find. https://bugzilla.tianocore.org/show_bug.cgi?id=960 We might need to open a new bugzilla as i think 960 is resolved but is too strict for practical usage. Thanks Sean [-- Attachment #2: Type: text/html, Size: 1205 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [edk2-devel] reg: Host Name Validation with Wild Card Certificate 2020-03-07 22:40 ` [edk2-devel] " Sean @ 2020-03-08 8:54 ` Laszlo Ersek 0 siblings, 0 replies; 5+ messages in thread From: Laszlo Ersek @ 2020-03-08 8:54 UTC (permalink / raw) To: sean.brogan; +Cc: devel, Sivaraman Nainar, Jeremiah Cox On 03/07/20 23:40, Sean via Groups.Io wrote: > The name of this flag is terrible but if you read the 2.8 spec. > https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf > page 1436. > Says: > EFI_TLS_VERIFY_FLAG_NONE means no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label. > > In the HttpDxe driver we made a change to support wildcards as wildcards are pretty commonly used in web services. > https://github.com/microsoft/mu_basecore/commit/931ff1a45ce13a6a8c3e296f89c6de21f23a17ed#diff-45ead71899abef9932d2697dbd1d8867 > > There is a lot of noise on this thread but its the best i can find. > https://bugzilla.tianocore.org/show_bug.cgi?id=960 > > We might need to open a new bugzilla as i think 960 is resolved but is too strict for practical usage. Yes, please open a new Bugzilla ticket for investigating EFI_TLS_VERIFY_FLAG_NO_WILDCARDS vs. EFI_TLS_VERIFY_FLAG_NONE. Thanks! Laszlo ^ permalink raw reply [flat|nested] 5+ messages in thread
[parent not found: <15F9A1F7132299A3.15852@groups.io>]
* Re: reg: Host Name Validation with Wild Card Certificate [not found] <15F9A1F7132299A3.15852@groups.io> @ 2020-03-10 9:04 ` Sivaraman Nainar 2020-03-12 0:04 ` Wu, Jiaxin 0 siblings, 1 reply; 5+ messages in thread From: Sivaraman Nainar @ 2020-03-10 9:04 UTC (permalink / raw) To: devel@edk2.groups.io, Wu, Jiaxin, lersek@redhat.com Cc: Madhan B. Santharam, Arun Subramanian B, Bhuvaneshwari M R, Ramesh R., Srini Narayana, Sivaraman Nainar, Fu, Siyuan [-- Attachment #1: Type: text/plain, Size: 1562 bytes --] Hello Jiaxin: Would you please provide your comments on the below Query. -Siva From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Sivaraman Nainar Sent: Friday, March 6, 2020 11:37 AM To: To:; Wu, Jiaxin; Fu, Siyuan Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana Subject: [edk2-devel] reg: Host Name Validation with Wild Card Certificate Hello all: Need a clarification on the Host Name support added in the HTTP Boot. When certificates are generated with the Wild Card in the SAN the host name validation is getting failed with the below error codes. Ex: DNS Name=*.ami.internal-test.com TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86 Http Request failed. Code=Aborted If the Host verify flag is changed from HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; To HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; Then the Http request can pass. Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certiricate to have each URL with exact Host Name? Thanks Siva This e-mail is intended for the use of the addressee only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you. [-- Attachment #2: Type: text/html, Size: 6263 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: reg: Host Name Validation with Wild Card Certificate 2020-03-10 9:04 ` Sivaraman Nainar @ 2020-03-12 0:04 ` Wu, Jiaxin 0 siblings, 0 replies; 5+ messages in thread From: Wu, Jiaxin @ 2020-03-12 0:04 UTC (permalink / raw) To: Sivaraman Nainar, devel@edk2.groups.io, lersek@redhat.com Cc: Madhan B. Santharam, Arun Subramanian B, Bhuvaneshwari M R, Ramesh R., Srini Narayana, Fu, Siyuan [-- Attachment #1: Type: text/plain, Size: 2360 bytes --] Hi Siva, That's just my implementation to restrict the wildcards support, if you have the real usage case, please report Bugzilla to support the wildcards, it will be better to provide the usage case in the bugzilla. Thanks, Jiaxin From: Sivaraman Nainar <sivaramann@amiindia.co.in> Sent: Tuesday, March 10, 2020 5:04 PM To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; lersek@redhat.com Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>; Srini Narayana <SriniN@ami.com>; Sivaraman Nainar <sivaramann@amiindia.co.in>; Fu, Siyuan <siyuan.fu@intel.com> Subject: RE: reg: Host Name Validation with Wild Card Certificate Hello Jiaxin: Would you please provide your comments on the below Query. -Siva From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> [mailto:devel@edk2.groups.io] On Behalf Of Sivaraman Nainar Sent: Friday, March 6, 2020 11:37 AM To: To:; Wu, Jiaxin; Fu, Siyuan Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana Subject: [edk2-devel] reg: Host Name Validation with Wild Card Certificate Hello all: Need a clarification on the Host Name support added in the HTTP Boot. When certificates are generated with the Wild Card in the SAN the host name validation is getting failed with the below error codes. Ex: DNS Name=*.ami.internal-test.com TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86 Http Request failed. Code=Aborted If the Host verify flag is changed from HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; To HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE; Then the Http request can pass. Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certiricate to have each URL with exact Host Name? Thanks Siva This e-mail is intended for the use of the addressee only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you. [-- Attachment #2: Type: text/html, Size: 8327 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-12 0:04 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-06 6:07 reg: Host Name Validation with Wild Card Certificate Sivaraman Nainar
2020-03-07 22:40 ` [edk2-devel] " Sean
2020-03-08 8:54 ` Laszlo Ersek
[not found] <15F9A1F7132299A3.15852@groups.io>
2020-03-10 9:04 ` Sivaraman Nainar
2020-03-12 0:04 ` Wu, Jiaxin
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox