From: "Vineel Kovvuri" <vineelko@microsoft.com>
To: "Rabeda, Maciej"; devel@edk2.groups.io; "Wu, Jiaxin"; "Yao, Jiewen"; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew; Vineel Kovvuri
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Tue, 2 Nov 2021 20:19:57 +0000

Thanks a lot Maciej. Much appreciated.


From: Rabeda, Maciej <maciej.rabeda@linux.intel.com>
Sent: Tuesday, November 2, 2021 12:54 PM
To: devel@edk2.groups.io; vineelko@microsoft.com; Wu, Jiaxin; vineel.kovvuri@gmail.com; Rabeda, Maciej; Yao, Jiewen; Jancarlo Perez; Mike Turner; Sean Brogan; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Hi Vineel,

I will integrate the change to edk2 tomorrow.

For now:
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

Thanks,
Maciej

On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> Hi Folks,
>
> Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
>
> Thanks,
> Vineel
>
> -----Original Message-----
> From: Wu, Jiaxin <jiaxin.wu@intel.com>
> Sent: Monday, November 1, 2021 6:15 PM
> To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> It's good to me to change the default verify flag.
>
> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
>
> Thanks,
> Jiaxin
>
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
>> Kovvuri
>> Sent: Friday, October 15, 2021 8:55 AM
>> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
>> <jiewen.yao@intel.com>; jpere@microsoft.com;
>> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
>> bret.barkelew@microsoft.com; devel@edk2.groups.io
>> Cc: Vineel Kovvuri <vineelko@microsoft.com>
>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
>> EDK2 HTTPS/TLS implementation
>>
>> The current UEFI implementation of HTTPS during its TLS configuration
>> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
>> per the spec, this flag is "to disable the match of any wildcards
>> in the host name". So, certificates which are issued with
>> wildcards (*.dm.corp.net etc.) in them will fail the TLS host name
>> matching. On the other hand,
>> EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for
>> hostname validation. Wildcards are supported and they match only in
>> the left-most label."
>> This behavior/definition comes from OpenSSL's X509_check_host()
>> API:
>> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>>
>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
>> certificates issued with wildcards in them would fail to match while
>> trying to communicate with an HTTPS endpoint.
>>
>> BugZilla:
>> https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>>
>> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
>> ---
>>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
>> b/NetworkPkg/HttpDxe/HttpsSupport.c
>> index 7e0bf85c3c..0f28ae9447 100644
>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
>> @@ -625,7 +625,7 @@ TlsConfigureSession (
>>     //
>>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>>     HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
>> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
>> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
>> EFI_TLS_VERIFY_FLAG_NONE;
>>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
>>> RemoteHost;
>>     HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
>>
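Review bot: the VerifyHost.Flags assignment in this hunk deserves a one-line comment, because EFI_TLS_VERIFY_FLAG_NONE reads as "no host verification" while the commit message explains it really means the OpenSSL X509_check_host() default (wildcards honoured in the left-most label only); a comment such as `// EFI_TLS_VERIFY_FLAG_NONE: default X509_check_host() rules, wildcard allowed in the left-most label only` above the `+` line would stop the next reader from reaching for NO_WILDCARDS again. The surrounding context lines confirm that host-name checking itself stays on: VerifyMethod remains EFI_TLS_VERIFY_PEER and VerifyHost.HostName is still set to HttpInstance->RemoteHost, so the only behavioural change is that wildcard certificates now match.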
>> --
>> 2.17.1
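An added example, not part of the patch or of edk2, modelling the host-name rule the commit message cites from OpenSSL's X509_check_host(): a wildcard is honoured only as the whole left-most label and matches exactly one label. The WildcardPolicy enum and MatchHostName are hypothetical names chosen here, NoWildcards standing in for EFI_TLS_VERIFY_FLAG_NO_WILDCARDS and AllowWildcards for EFI_TLS_VERIFY_FLAG_NONE; the model is ASCII-only and ignores partial-label wildcards.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical policy switch: NoWildcards models EFI_TLS_VERIFY_FLAG_NO_WILDCARDS,
 * AllowWildcards models EFI_TLS_VERIFY_FLAG_NONE (OpenSSL's default host-name rule). */
typedef enum { NoWildcards = 0, AllowWildcards = 1 } WildcardPolicy;

/* Case-insensitive equality of two ASCII strings; DNS names compare case-insensitively. */
static bool EqualNoCase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/*
 * Does certificate name certName cover host under the given policy?
 * Simplified model of the X509_check_host() default the commit message cites:
 * '*' counts only as the whole left-most label, matches exactly one non-empty
 * label, and at least two labels must follow it. Partial-label wildcards
 * (f*o.example.com), IDN and trailing dots are deliberately not modelled.
 */
bool MatchHostName(const char *certName, const char *host, WildcardPolicy policy)
{
    if (certName[0] != '*')
        return EqualNoCase(certName, host);   /* no wildcard: plain comparison */
    if (policy == NoWildcards || certName[1] != '.')
        return false;                         /* wildcards disabled, or '*' is not a whole label */
    if (strchr(certName + 2, '.') == NULL)
        return false;                         /* "*.net" would cover a whole TLD: rejected */
    const char *hostDot = strchr(host, '.');
    if (hostDot == NULL || hostDot == host)
        return false;                         /* host needs a non-empty left-most label */
    /* '*' has consumed exactly one label; the rest must equal the pattern's suffix. */
    return EqualNoCase(certName + 1, hostDot);
}

/* Constructed check mirroring the commit message's example (*.dm.corp.net). */
int main(void)
{
    const char *cert = "*.dm.corp.net";
    printf("NO_WILDCARDS: %d  FLAG_NONE: %d  two-label host: %d\n",
           MatchHostName(cert, "host.dm.corp.net", NoWildcards),
           MatchHostName(cert, "host.dm.corp.net", AllowWildcards),
           MatchHostName(cert, "a.b.dm.corp.net", AllowWildcards));
    return 0;
}
```

The third column shows why FLAG_NONE is still a strict setting: the wildcard never spans more than one label, so a certificate for *.dm.corp.net does not cover a.b.dm.corp.net.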