Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify

["Nickle Wang" <nicklew@nvidia.com>]

[-- Attachment #1: Type: text/plain, Size: 3958 bytes --]

Hi @Michael Brown<mailto:mcb30@ipxe.org>, @Maciej Rabeda<mailto:maciej.rabeda@linux.intel.com>, @Siyuan Fu<mailto:siyuan.fu@intel.com>,

I got an idea to handle this issue.

EFI_HTTP_SERVICE_BINDING_PROTOCOL is defined in UEFI specification for caller to create HTTP protocol on child instance. How about I propose a new service binding protocol called EFI_HTTP_NO_TLS_HOST_VERIFY_SERVICE_BINDING_PROTOCOL, and the EFI_HTTP_PROTOCOL created by this service binding protocol will not do TLS host verify during HTTPS communication.

When caller like to disable host verify on HTTPS communication, caller use this service binding protocol to create special HTTP instance. For other case, caller use regular EFI_HTTP_SERVICE_BINDING_PROTOCOL to get normal EFI_HTTP_PROTOCOL instance.

What do you think about this idea?

Thanks,
Nickle

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Nickle Wang via groups.io
Sent: Thursday, February 2, 2023 2:35 PM
To: Michael Brown <mcb30@ipxe.org>; devel@edk2.groups.io; Maciej Rabeda <maciej.rabeda@linux.intel.com>; Siyuan Fu <siyuan.fu@intel.com>
Cc: Abner Chang <abner.chang@amd.com>; Igor Kulchytskyy <igork@ami.com>; Nick Ramirez <nramirez@nvidia.com>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify

External email: Use caution opening links or attachments


Hi Michael,



Thank you very much for your feedback. PCD was my idea too, but this may have impact to other HTTPS connection. I like to only disable TLS host verify on Redfish connection between BIOS and BMC.



Hi @Maciej Rabeda<mailto:maciej.rabeda@linux.intel.com>, @Siyuan Fu<mailto:siyuan.fu@intel.com>,



May I have your comments about this challenge? I am looking for a way of passing a flag to HTTP instance and this flag will disable TLS host verification.



Thanks,

Nickle



-----Original Message-----
From: Michael Brown <mcb30@ipxe.org<mailto:mcb30@ipxe.org>>
Sent: Wednesday, February 1, 2023 7:28 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Nickle Wang <nicklew@nvidia.com<mailto:nicklew@nvidia.com>>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com<mailto:maciej.rabeda@linux.intel.com>>; Siyuan Fu <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>; Abner Chang <abner.chang@amd.com<mailto:abner.chang@amd.com>>; Igor Kulchytskyy <igork@ami.com<mailto:igork@ami.com>>; Nick Ramirez <nramirez@nvidia.com<mailto:nramirez@nvidia.com>>
Subject: Re: [edk2-devel] [PATCH 1/2] NetworkPkg/HttpDxe: provide function to disable TLS host verify



External email: Use caution opening links or attachments





On 01/02/2023 11:06, Nickle Wang via groups.io wrote:

> Thanks for catching this. To prevent the change to data structure,

> would you suggest me to create new interface in EFI_HTTP_PROTOCOL and

> disable TLS host verify?



Adding an interface to EFI_HTTP_PROTOCOL would also break the ABI by changing the layout of a data structure defined in the UEFI specification, and so can't be done.



I took a quick look through Http.h and I can't immediately see any way you can convey the information you want without making a breaking change.  There are no flags fields (that could be extended with extra flags in the same memory slot), no structure version number fields (that could allow structures to be extended, subject to a version number check), and no general-purpose "additional information" extension mechanism besides the one for passing arbitrary HTTP headers.



I suspect you'll need to either make a new protocol (lots of work, very

ugly) or find some sideband mechanism you can use to work around the problem, like a PCD to globally enable/disable host verification.



It may be worth waiting for one of the HttpDxe maintainers to offer an opinion on this, since I am totally unfamiliar with this part of the codebase.



Sorry,



Michael




[-- Attachment #2: Type: text/html, Size: 9850 bytes --]