From: "Vineel Kovvuri" <vineelko@microsoft.com>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>,
"vineel.kovvuri@gmail.com" <vineel.kovvuri@gmail.com>,
"Rabeda, Maciej" <maciej.rabeda@intel.com>,
"Yao, Jiewen" <jiewen.yao@intel.com>,
Jancarlo Perez <jpere@microsoft.com>,
Mike Turner <Michael.Turner@microsoft.com>,
Sean Brogan <sean.brogan@microsoft.com>,
Bret Barkelew <Bret.Barkelew@microsoft.com>
Subject: Re: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Date: Tue, 2 Nov 2021 18:57:57 +0000 [thread overview]
Message-ID: <MW2PR2101MB1036C53E0C325865B3A5F601D88B9@MW2PR2101MB1036.namprd21.prod.outlook.com> (raw)
In-Reply-To: <DM8PR11MB565609D23F7C8F9CBF95C9E7FE8B9@DM8PR11MB5656.namprd11.prod.outlook.com>
Hi Folks,
Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2?
I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Thanks,
Vineel
-----Original Message-----
From: Wu, Jiaxin <jiaxin.wu@intel.com>
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovvuri@gmail.com; Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Jancarlo Perez <jpere@microsoft.com>; Mike Turner <Michael.Turner@microsoft.com>; Sean Brogan <sean.brogan@microsoft.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Vineel Kovvuri <vineelko@microsoft.com>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
It's good to me change the default the verify flag.
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Thanks,
Jiaxin
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rabeda@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; jpere@microsoft.com;
> Michael.Turner@microsoft.com; sean.brogan@microsoft.com;
> bret.barkelew@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vineelko@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in
> EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As
> per the spec this flag does is "to disable the match of any wildcards
> in the host name". So, certificates which are issued with
> wildcards(*.dm.corp.net etc) in it will fail the TLS host name
> matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
> hostname validation. Wildcards are supported and they match only in
> the left-most label."
> this behavior/definition is coming from openssl's X509_check_host()
> api
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0
> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
> CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
> 2Bc6jwBU%3D&reserved=0
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using
> certificates issued with wildcards in them would fail to match while
> trying to communicate with HTTPS endpoint.
>
> BugZilla:
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee
> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
> 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
> p;reserved=0
>
> Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
>
>
>
>
>
next prev parent reply other threads:[~2021-11-02 19:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-15 0:54 [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation Vineel Kovvuri
2021-10-15 1:11 ` Yao, Jiewen
2021-10-22 10:32 ` [edk2-devel] " Maciej Rabeda
2021-11-02 1:15 ` Wu, Jiaxin
2021-11-02 18:57 ` Vineel Kovvuri [this message]
2021-11-02 19:54 ` Maciej Rabeda
[not found] ` <16B3D2D0C1325DDF.24252@groups.io>
2021-11-03 21:29 ` Maciej Rabeda
2021-11-03 21:38 ` Vineel Kovvuri
-- strict thread matches above, loose matches on Subject: below --
2021-11-02 20:19 Vineel Kovvuri
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW2PR2101MB1036C53E0C325865B3A5F601D88B9@MW2PR2101MB1036.namprd21.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox