Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>,
	"vineel.kovvuri@gmail.com" <vineel.kovvuri@gmail.com>,
	"Rabeda, Maciej" <maciej.rabeda@intel.com>,
	"Yao, Jiewen" <jiewen.yao@intel.com>,
	"jpere@microsoft.com" <jpere@microsoft.com>,
	"Michael.Turner@microsoft.com" <Michael.Turner@microsoft.com>,
	"sean.brogan@microsoft.com" <sean.brogan@microsoft.com>,
	"bret.barkelew@microsoft.com" <bret.barkelew@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Tue, 2 Nov 2021 01:15:19 +0000	[thread overview]
Message-ID: <DM8PR11MB565609D23F7C8F9CBF95C9E7FE8B9@DM8PR11MB5656.namprd11.prod.outlook.com> (raw)
In-Reply-To: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com>

It's good to me change the default the verify flag.

Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2
> HTTPS/TLS implementation
> 
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per
> the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname
> validation. Wildcards are supported and they match only in the left-most
> label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> 
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
> issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
> 
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> 
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1
> 
> 
> 
> 
>

next prev parent reply	other threads:[~2021-11-02  1:15 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-15  0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15  1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02  1:15 ` Wu, Jiaxin [this message]
2021-11-02 18:57   ` Vineel Kovvuri
2021-11-02 19:54     ` Maciej Rabeda
     [not found]     ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29       ` Maciej Rabeda
2021-11-03 21:38         ` Vineel Kovvuri
  -- strict thread matches above, loose matches on Subject: below --
2021-11-02 20:19 Vineel Kovvuri

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DM8PR11MB565609D23F7C8F9CBF95C9E7FE8B9@DM8PR11MB5656.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox