From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mx.groups.io with SMTP id smtpd.web10.3445.1635815722473298688 for ; Mon, 01 Nov 2021 18:15:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=L0Lk4trT; spf=pass (domain: intel.com, ip: 134.134.136.65, mailfrom: jiaxin.wu@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10155"; a="231115739" X-IronPort-AV: E=Sophos;i="5.87,201,1631602800"; d="scan'208";a="231115739" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Nov 2021 18:15:21 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.87,201,1631602800"; d="scan'208";a="500289299" Received: from orsmsx601.amr.corp.intel.com ([10.22.229.14]) by orsmga008.jf.intel.com with ESMTP; 01 Nov 2021 18:15:21 -0700 Received: from orsmsx611.amr.corp.intel.com (10.22.229.24) by ORSMSX601.amr.corp.intel.com (10.22.229.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Mon, 1 Nov 2021 18:15:21 -0700 Received: from orsmsx609.amr.corp.intel.com (10.22.229.22) by ORSMSX611.amr.corp.intel.com (10.22.229.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12; Mon, 1 Nov 2021 18:15:20 -0700 Received: from ORSEDG601.ED.cps.intel.com (10.7.248.6) by orsmsx609.amr.corp.intel.com (10.22.229.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.12 via Frontend Transport; Mon, 1 Nov 2021 18:15:20 -0700 Received: from NAM11-DM6-obe.outbound.protection.outlook.com (104.47.57.169) by edgegateway.intel.com (134.134.137.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.12; Mon, 1 Nov 2021 18:15:20 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aeYaphUHe1F8rxN0Ug7IdNRx/AmdJ3PIqXwO2IqzADmAgj8sIaPCj4GVYL/qY71/JB1SZS9g2BE7zTQzBzRMhes7LMoN9J32Cu6EmA8dNGkVeWYOyvXO9FBbljxX1q2LnSuG8QAZ5L0gSMh5u6Y/tklHFt3vXBndxORuZ7TKTlpoVwNF6RyZiP4iOg7G+BVilHmb9U77y+ct3VvK+TvfsBgTzLX9kDKAg62YQ/+1n7+mK2hXrpHC59nDytEZcpFB1o5wTIfj+qZKokPyjDVvEl3/AUNoCwjbntmoN+y2JYYGzc2KY2qVY7MsIqnQicRnSrMmhgsZlljr3Gs1aVN6pg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=voBroA1bskHVDLLVUrkCIyF3J/BoPZEq09I0A/Oqjc8=; b=Gf6SYqpBBS+mNwdLePBgeiDb0DhACW8Q5jidm3gcsxtn45Qopjn/z5cJlSqr60dT0IZd+8Jy5D+f5O8Q0+hDH4IvEyNDvaE8Hwjbzm7g2busCQBc3bEFuSN4dFjbqgnk9yFkOjjCk500BTUlo8z+QoJxtEGSX2ul0Ry5z27GUuH8sGDyN8aA5xuhfMq3xo8eYxANCcZt4P8jcvBF0L9BsWl85O6+lFMRh9WstdRvtdPViSEUyxx830daU9VGlhReMnjRQ4KvzrB1RCfiek56WKgI9uFeABNo0p+YdwHFyTr80T49PEeMy4zqTQJqoxx+aaxgP2qybOOZ2/NOvcsErg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=voBroA1bskHVDLLVUrkCIyF3J/BoPZEq09I0A/Oqjc8=; b=L0Lk4trTNMp45GUBqS8yGAtJerU7mblObR1DhnuloDCex/ntuWBOJ/bgKHLKluMg4HmOFQASR+bOrsaVur35OtqP0YmUET85x6Mpm5Cbp3bTLvMxR2u7u63JNs0B0UiVYX3QZQtoS3Be1do7kW0x1WtIDFxQus7kKYmj232F16k= Received: from DM8PR11MB5656.namprd11.prod.outlook.com (2603:10b6:8:38::7) by DM8PR11MB5623.namprd11.prod.outlook.com (2603:10b6:8:25::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4649.15; Tue, 2 Nov 2021 01:15:19 +0000 Received: from DM8PR11MB5656.namprd11.prod.outlook.com ([fe80::2553:3a5d:adf8:8590]) by DM8PR11MB5656.namprd11.prod.outlook.com ([fe80::2553:3a5d:adf8:8590%7]) with mapi id 15.20.4649.015; Tue, 2 Nov 2021 01:15:19 +0000 From: "Wu, Jiaxin" To: "devel@edk2.groups.io" , "vineel.kovvuri@gmail.com" , "Rabeda, Maciej" , "Yao, Jiewen" , "jpere@microsoft.com" , "Michael.Turner@microsoft.com" , "sean.brogan@microsoft.com" , "bret.barkelew@microsoft.com" CC: Vineel Kovvuri Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Thread-Topic: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Thread-Index: AQHXwV9Bg4fPjdhOnkqdpUY5JQX/s6vvixJg Date: Tue, 2 Nov 2021 01:15:19 +0000 Message-ID: References: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> In-Reply-To: <3419a1fbe89d52b15f1b667b00d102500179a85f.1634236144.git.vineelko@microsoft.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.6.200.16 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=intel.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 325adcb4-cae8-4587-b1e9-08d99d9e3cb4 x-ms-traffictypediagnostic: DM8PR11MB5623: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:5236; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: Gv7AyZU0U3qUmIpkAzfPCgHZBSZAQ3BowyDS/giuPatmsmC3BdBk3/I6ZvfM1WdLyEED2DeFxdU1IoVzq4tNXOH3Nr1VmS8u7g9cP1YDre6rRM8i1FMLCgxOSWsS0VZBFdiW/0l0KYY3a3S8CLX8qqF2CoaruytujhIAzavp173HcGbxl7FpX60hWCFwBSjfbXUDq9HrMCUC+AMVPCpE8pGyLrouMUUkytCQwlwzr1FnJATdvK6uh/rg8oGUjjHKtkS1q5d8UZG1bO7OyZOjmm3bGdwbseg386ZqUQ3D65ILAh1rsSScF/638De5XWCb/9TW88CbPOYPvUov0LdG6A8x0Wd00TZxO9dq61J+I0vkHEWTifV8u89HUS1fGwzRaObOJoiw0+zUSXsVBingN94eg3J4h1yQqlxUn5xOXz37A1Nry0VwTqQNhtdCyjFyUrwHKRn2lP2Pg3sqFFVxM5xbaGqLPJnXLI8E2FkAZCMtYJBy8wiyI88Cp/r3EXqEX/I8dHkB2KtslTv34gKRohews77mDyVN5ZGF3opte4TpwlKQLcoZbL/l7sVS5QoEfD2hHv97n2vGht6QV4tmAgHt7glW+fs4CVYuOS0ucRfM17K1fsX/2qYmNq/yDgkfmrNdQhdQy3Z10xiYNwx1jPjDTpDg0KWwLOM52IBetXGFd1LhmTR0u239JHmYm+acI356Os2l+ikjLMklHTzvLF5r0rj3dc0waXY9k9yn3Zv2g8kJD7QIzkXW49pDaJHeOp+4nZeGNmSduBQjBR05y07ol3yWXo38TCQjUs+/8rC09vwCrJvSTUgw+Jp3vTj9QL9rYlG+Jn+LGVfn4NQLfCzojEW9ujVTop1/GbzHNlM= x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM8PR11MB5656.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(366004)(5660300002)(8676002)(7696005)(4326008)(921005)(76116006)(55016002)(66946007)(53546011)(66446008)(64756008)(66556008)(66476007)(122000001)(38100700002)(26005)(6506007)(52536014)(38070700005)(33656002)(186003)(9686003)(110136005)(82960400001)(83380400001)(71200400001)(316002)(508600001)(2906002)(86362001)(8936002)(45080400002)(966005);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?lSu72IQq5egRH8L0yRBVVf+T3q9jSUMQJgLdqG8UXUsUg+hpOQ2DlMKWxayO?= =?us-ascii?Q?Cpwkpwpqo6na2N4/deBTFMFGNw8t6EKpqTwVGY0Pwx+4d8VPpuU/Bt5ugceP?= =?us-ascii?Q?Y7PdL+UfkhBIAMd7Q4+5L7L3aqAvCg6tqa3FvEYvq+a4FzOJRajMupUhVUI4?= =?us-ascii?Q?Ol4k9c9Yq6rhoqd6qrShapGZOgQ7DRXbQc+ksSpST4adS7c+HKxatdV0h0wj?= =?us-ascii?Q?m5fpb68Gls2Qq3J6L7UklyEAkx4ZWTT3aB1oFkowDrivypcGVSnesAf2Dqtj?= =?us-ascii?Q?V1+fZyFckgMEh/OduO4sWZtSWPyBOrkxouKP91vW4pguSNF4afRK/HkmNxKm?= =?us-ascii?Q?1Ahidt/MUvn1xIYviEalF0gWKZoxcrPo5vXrpkE9v9icCKEpCe3d/wjJ5sob?= =?us-ascii?Q?kK0kYmByp7DWGV7ziIyZ35l4Wg6Qz05cYJo0WYgQkKH82A+OY7Y5lU/fBx53?= =?us-ascii?Q?AZkAxQsuL/w8nMRfiLFF7YRy07jk8Jlv8fAHk0fUKgWdEE0E5PK9M+/hUBbL?= =?us-ascii?Q?yK8DhKTMBD2ksPoYlU5XCf+iRQ+yK1fZQMLFl1Ivb5LcK9fxtYqAYw+4SIzf?= =?us-ascii?Q?q2nYuge1KO+MKvL49Is4x6kf6Zui8aPr6D/HloVR0uTirQRUZg1Vvd5Org6e?= =?us-ascii?Q?Qu4UYOyJtR6LSbtA3sF9iypTrU3GD9pNMK7ogD5CDep5vGSFnu5Hbumvj0sm?= =?us-ascii?Q?6iR4ZhQ/ItHEm6+pBV5COfZwLuH5Uy7rzu7id71rUa/Etwkcr76I8ZLJbH87?= =?us-ascii?Q?MmsB1kIwL1fF7Hj9bAmmoPCYvCJx6rxqVS/b/Mb8o64C7Tb0gDAPzNSDnI6V?= =?us-ascii?Q?cOwjBfOA8nQ5nYKQoZ+LfhudAjijG6P044/FzEOwHNAO1j33+pOZVmwcYAoh?= =?us-ascii?Q?eIcAO2i/lhEFJqmXiH6RCVQxKEzdHuDvKJSR8BrOg9LF3ke2uDcuMdE3XX5k?= =?us-ascii?Q?+yBwwGdOT/wbhK7mX/2DmKsGCt4+qT5QmO3ogsvU+5pzjf/LVDdRJAIU9RJj?= =?us-ascii?Q?O21nLLP0IZwKcEFc1D31n/ZhIlbxFo6nNmXiEFVt5zlp7g8517MHgrq0QbWK?= =?us-ascii?Q?gEG77WXZJoPeX0mmmtH/eAamdP7K9KXSx7THrihkX0g3qWXWQT95BgcQ5fPb?= =?us-ascii?Q?MpZPPQIv1KZEK1B97opD2/UouPrSiPiMcVI3QntH4t47DBvgWDOXjjcC68rG?= =?us-ascii?Q?syV+dk8Aem6E4WW26Ab52KgTy2WhOmOagJnDrxrS4N2g4ByuVfKH+L8lBLZm?= =?us-ascii?Q?eNRclUWMOThlhM7IPKBA2gg1GO/CAIjtQRdvgLHkTPcsCCvHVdUI94xL5zxP?= =?us-ascii?Q?FL5RsNqPScjDpE/MXz3/eKEy7SGKu7QitnWB9n6rWs6d7SkAK5NZm/Aio+Ws?= =?us-ascii?Q?bKyrRWTBk5AEPJynDZeG9xA5DMCeFdYYdb38ypR8KOfLYmY78Vt+frjHwH9Y?= =?us-ascii?Q?tU4Jk5gAvXeZNByY8TPc6mAVPZWi96/Pdqg+fno7TI9pCJmdzoDcOeWC//jj?= =?us-ascii?Q?CipUZ/a3VJLWCIa1MAEMhgFj9fT4J6f4cZEwRPDslql239eXoiV/kJ2X7OsQ?= =?us-ascii?Q?AA8iCBWRoYFyjH+Oq8H36yQVZrQQG8ZOzM63wRiE6GYeekiVoM/ZXdKwnRvK?= =?us-ascii?Q?Yg=3D=3D?= MIME-Version: 1.0 X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: DM8PR11MB5656.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 325adcb4-cae8-4587-b1e9-08d99d9e3cb4 X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2021 01:15:19.7379 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: uAER9m5Kd2NfCuQskN/fQzcTNUZ6stQgkNHYAKcHgO8eog1ZYhAMEhXG2HUts7sJLW2g50FC7eAPLykEjEGDNQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR11MB5623 Return-Path: jiaxin.wu@intel.com X-OriginatorOrg: intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable It's good to me change the default the verify flag. Reviewed-by: Jiaxin Wu Thanks, Jiaxin > -----Original Message----- > From: devel@edk2.groups.io On Behalf Of Vineel > Kovvuri > Sent: Friday, October 15, 2021 8:55 AM > To: Rabeda, Maciej ; Yao, Jiewen > ; jpere@microsoft.com; > Michael.Turner@microsoft.com; sean.brogan@microsoft.com; > bret.barkelew@microsoft.com; devel@edk2.groups.io > Cc: Vineel Kovvuri > Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 > HTTPS/TLS implementation >=20 > The current UEFI implementation of HTTPS during its TLS configuration use= s > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per > the spec > this flag does is "to disable the match of any wildcards in the host name= ". So, > certificates which are issued with wildcards(*.dm.corp.net etc) in it wil= l fail > the TLS host name matching. On the other hand, > EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for > hostname > validation. Wildcards are supported and they match only in the left-most > label." > this behavior/definition is coming from openssl's X509_check_host() api > https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html >=20 > Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates > issued > with wildcards in them would fail to match while trying to communicate wi= th > HTTPS endpoint. >=20 > BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3691 >=20 > Signed-off-by: Vineel Kovvuri > --- > NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >=20 > diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c > b/NetworkPkg/HttpDxe/HttpsSupport.c > index 7e0bf85c3c..0f28ae9447 100644 > --- a/NetworkPkg/HttpDxe/HttpsSupport.c > +++ b/NetworkPkg/HttpDxe/HttpsSupport.c > @@ -625,7 +625,7 @@ TlsConfigureSession ( > // > HttpInstance->TlsConfigData.ConnectionEnd =3D EfiTlsClient; > HttpInstance->TlsConfigData.VerifyMethod =3D EFI_TLS_VERIFY_PEE= R; > - HttpInstance->TlsConfigData.VerifyHost.Flags =3D > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > + HttpInstance->TlsConfigData.VerifyHost.Flags =3D > EFI_TLS_VERIFY_FLAG_NONE; > HttpInstance->TlsConfigData.VerifyHost.HostName =3D HttpInstance- > >RemoteHost; > HttpInstance->TlsConfigData.SessionState =3D EfiTlsSessionNotSt= arted; >=20 > -- > 2.17.1 >=20 >=20 >=20 >=20 >=20