Thanks a lot Maciej. Much appreciated.

________________________________
From: Rabeda, Maciej
Sent: Tuesday, November 2, 2021 12:54 PM
To: devel@edk2.groups.io; vineelko@microsoft.com; Wu, Jiaxin; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

Hi Vineel,

I will integrate the change to edk2 tomorrow.
For now: Reviewed-by: Maciej Rabeda

Thanks,
Maciej

On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what are the next steps to get it into edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
> Cc: Vineel Kovvuri
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me to change the default of the verify flag.
>
> Reviewed-by: Jiaxin Wu
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io On Behalf Of Vineel Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej; Yao, Jiewen; jpere@microsoft.com; Michael.Turner@microsoft.com; sean.brogan@microsoft.com; bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS during its TLS configuration
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec, what this flag does is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> This behavior/definition is coming from OpenSSL's X509_check_host()
>> API: https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with an HTTPS endpoint.
>>
>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>
>> Signed-off-by: Vineel Kovvuri
>> ---
>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>> //
>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
>> EFI_TLS_VERIFY_FLAG_NONE;
>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>>
>> --
>> 2.17.1
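Review bot: in the TlsConfigureSession hunk, the switch from EFI_TLS_VERIFY_FLAG_NO_WILDCARDS to EFI_TLS_VERIFY_FLAG_NONE is hardcoded, so wildcard host name matching becomes the fixed behaviour for every HttpDxe consumer and a caller has no way to keep the stricter no-wildcard matching; consider making the flag configurable, or state in the commit message that a global change of the default is intended. The unchanged context line keeps `VerifyMethod = EFI_TLS_VERIFY_PEER`, so peer certificate verification itself is untouched and only the host name matching rule is relaxed; the commit message's own scoping of that relaxation (wildcards match only in the left-most label, per OpenSSL's X509_check_host()) is worth carrying into the final commit log.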