From: "Sivaraman Nainar" <sivaramann@amiindia.co.in>
To: "devel@edk2.groups.io", "Wu, Jiaxin", "lersek@redhat.com"
CC: "Madhan B. Santharam", "Arun Subramanian B", Bhuvaneshwari M R, Ramesh R., Srini Narayana, Sivaraman Nainar, "Fu, Siyuan"
Subject: Re: reg: Host Name Validation with Wild Card Certificate
Date: Tue, 10 Mar 2020 09:04:01 +0000
In-Reply-To: <15F9A1F7132299A3.15852@groups.io>

Hello Jiaxin:

Would you please provide your comments on the below query.

-Siva

From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Sivaraman Nainar
Sent: Friday, March 6, 2020 11:37 AM
To: To:; Wu, Jiaxin; Fu, Siyuan
Cc: Madhan B. Santharam; Arun Subramanian B; Bhuvaneshwari M R; Ramesh R.; Srini Narayana
Subject: [edk2-devel] reg: Host Name Validation with Wild Card Certificate

Hello all:

Need a clarification on the Host Name support added in the HTTP Boot.

When certificates are generated with the Wild Card in the SAN, the host name validation fails with the below error codes.

Ex: DNS Name=*.ami.internal-test.com

TlsDoHandshake SSL_HANDSHAKE_ERROR State=0x4 SSL_ERROR_SSL
TlsDoHandshake ERROR 0x1416F086=L14:F16F:R86
Http Request failed. Code=Aborted

If the Host verify flag is changed from

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;

To

HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;

Then the Http request can pass.

Is the host Name support strictly not allowing Wild card support? In this case do we need to have multiple Certificates to have each URL with exact Host Name?

Thanks
Siva

This e-mail is intended for the use of the addressee only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.
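As an added illustration (not code from the message, from edk2 or from OpenSSL): the RFC 6125-style matching of a SAN dNSName against the requested host that a "no wildcards" verify flag switches off. The flag values below, and the reading of EFI_TLS_VERIFY_FLAG_NONE as "no extra restriction, wildcard allowed in the left-most label only", are assumptions modelled on the flag names, not statements from the thread; the host name boot.ami.internal-test.com is constructed.

```c
/* Added example, not edk2 or OpenSSL code: an RFC 6125-style check of a
 * SAN dNSName against the requested host, with a NO_WILDCARDS flag modelled
 * on EFI_TLS_VERIFY_FLAG_NO_WILDCARDS. Flag values here are assumed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define VERIFY_FLAG_NONE          0x00u  /* no extra restriction: wildcards allowed */
#define VERIFY_FLAG_NO_WILDCARDS  0x01u  /* "*.example.com" never matches */

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static bool ci_equal(const char *a, const char *b, size_t n) {
  for (size_t i = 0; i < n; i++)
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
  return true;
}

/* Returns true if the certificate name 'pattern' covers 'host'.
 * A wildcard is accepted only as the entire left-most label, it must match
 * exactly one non-empty label (never "a.b" and never the bare parent), and
 * at least two labels must follow it so "*.com" cannot cover a whole TLD. */
bool hostname_matches(const char *pattern, const char *host, unsigned flags) {
  size_t plen = strlen(pattern), hlen = strlen(host);
  if (strncmp(pattern, "*.", 2) != 0)            /* plain name: exact match */
    return plen == hlen && ci_equal(pattern, host, plen);
  if (flags & VERIFY_FLAG_NO_WILDCARDS)          /* the failure seen in the mail */
    return false;
  const char *suffix = pattern + 1;              /* ".ami.internal-test.com" */
  size_t slen = plen - 1;
  if (hlen <= slen) return false;                /* nothing left for the label */
  size_t first = hlen - slen;                    /* length of host's first label */
  if (memchr(host, '.', first) != NULL) return false;  /* '*' must not span labels */
  if (strchr(suffix + 1, '.') == NULL) return false;   /* reject "*.com" */
  return ci_equal(suffix, host + first, slen);
}

int main(void) {
  const char *san = "*.ami.internal-test.com";     /* the SAN from the mail */
  const char *host = "boot.ami.internal-test.com"; /* constructed host name */
  printf("NO_WILDCARDS: %s\n",
         hostname_matches(san, host, VERIFY_FLAG_NO_WILDCARDS) ? "match" : "no match");
  printf("NONE        : %s\n",
         hostname_matches(san, host, VERIFY_FLAG_NONE) ? "match" : "no match");
  return 0;
}
```

With wildcards allowed the host name is still bound to the certificate: a wildcard that would span two labels, or cover only a top-level domain, is rejected, so clearing the NO_WILDCARDS restriction is not the same as disabling host name verification.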