public inbox for devel@edk2.groups.io
* Re: reg: Multiple Host Name Certificate
From: Sivaraman Nainar @ 2019-06-19 11:51 UTC
  To: devel@edk2.groups.io; +Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com


Can you please help to confirm the behavior?

From: Sivaraman Nainar
Sent: Friday, June 7, 2019 2:48 PM
To: devel@edk2.groups.io
Subject: reg: Multiple Host Name Certificate

Hello:

Can someone help to confirm if EDK2 supports multiple Host Name support?

We need to have an environment where the HTTPS request should work fine for IP & Host Name based access. When we create certificates with CN as Host Name and SAN as IP, the TLS Handshake works only for Host Name and it provides a Handshake Error when the requests are IP Based.

If this question needs to be raised in another forum, please help to redirect.

-Siva


* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 10:47 UTC
  To: devel, sivaramann; +Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com


On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior?
>  
> From: Sivaraman Nainar 
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>  
> Hello:
>  
> Can someone help to confirm if EDK2 supports multiple Host Name
> support?
>
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, the TLS Handshake works only for
> Host Name and it provides a Handshake Error when the requests are IP
> Based.
>
> If this question needs to be raised in another forum, please help to
> redirect.
>  


I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions. 

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?
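
The check discussed in this thread, as an added example (not code from the thread or from edk2): a minimal model of matching the name a client connected to against a certificate, where IP literals are compared only to iPAddress SAN entries and host names to dNSName SAN entries, with CN consulted only when no dNSName SAN exists, mirroring the default rules documented for OpenSSL's X509_check_ip() and X509_check_host(). The `cert_ids` struct, `cert_matches_reference()` and the sample names are constructed for illustration, and wildcard matching is omitted.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the identity fields of a server certificate. */
struct cert_ids {
    const char *cn;         /* subject Common Name, may be NULL */
    const char *san_dns[4]; /* dNSName SANs, NULL-terminated */
    const char *san_ip[4];  /* iPAddress SANs, NULL-terminated */
};

/* Parse an IPv4/IPv6 literal into raw bytes; returns 4, 16, or 0. */
static int parse_ip(const char *s, unsigned char out[16]) {
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* 1 if the certificate is valid for the name the client connected to. */
int cert_matches_reference(const struct cert_ids *c, const char *ref) {
    unsigned char want[16], have[16];
    int wlen = parse_ip(ref, want);
    if (wlen) { /* IP reference: only iPAddress SANs count, never the CN */
        for (int i = 0; i < 4 && c->san_ip[i]; i++)
            if (parse_ip(c->san_ip[i], have) == wlen && !memcmp(want, have, wlen))
                return 1;
        return 0;
    }
    if (c->san_dns[0]) { /* DNS reference: dNSName SANs take precedence */
        for (int i = 0; i < 4 && c->san_dns[i]; i++)
            if (!strcasecmp(c->san_dns[i], ref)) return 1;
        return 0;
    }
    return c->cn && !strcasecmp(c->cn, ref); /* CN only without dNSName SAN */
}

/* Constructed sample: CN is a host name, the only SAN is an IP address. */
static const struct cert_ids sample = {
    "boot.example.test", { NULL }, { "192.0.2.10", NULL }
};

int main(void) {
    const char *refs[] = { "boot.example.test", "192.0.2.10", "other.example.test" };
    for (int i = 0; i < 3; i++)
        printf("%-20s %s\n", refs[i],
               cert_matches_reference(&sample, refs[i]) ? "accept" : "reject");
    return 0;
}
```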




* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: Sivaraman Nainar @ 2019-06-20 11:27 UTC
  To: devel@edk2.groups.io, dwmw2@infradead.org
  Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

Hello:

This support was added when we were integrating "TianoCore Bug 960 (HTTPS_HostName_Validation)". This has the support for performing Host Name validation during HTTP Operations.

-Siva
-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of David Woodhouse
Sent: Thursday, June 20, 2019 4:18 PM
To: devel@edk2.groups.io; Sivaraman Nainar
Cc: jiaxin.wu@intel.com; siyuan.fu@intel.com
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior?
>  
> From: Sivaraman Nainar 
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>  
> Hello:
>  
> Can someone help to confirm if EDK2 supports multiple Host Name
> support?
>
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, the TLS Handshake works only for
> Host Name and it provides a Handshake Error when the requests are IP
> Based.
>
> If this question needs to be raised in another forum, please help to
> redirect.
>  


I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions. 

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?







* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 12:35 UTC
  To: Sivaraman Nainar, devel@edk2.groups.io
  Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com


On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
> This support was added when we were integrating "TianoCore Bug 960
> (HTTPS_HostName_Validation)". This has the support for performing
> Host Name validation during HTTP Operations.

Hm, I can't see bug 960, at least not without an account — and
bugzilla is sending its messages from an invalid address so registering
an account failed on the first attempt. I'll add it to the "known
broken senders" list and try again... in the meantime, do you have a
link to the code please? 


* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: Laszlo Ersek @ 2019-06-20 14:27 UTC
  To: devel, dwmw2, Sivaraman Nainar; +Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

Hello David,

On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support was added when we were integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
> 
> Hm, I can't see bug 960, at least not without an account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please? 

TianoCore#960 is a security BZ that I had reported on 2018-05-29.

The title of the ticket is

"server certificate with invalid domain name (CN) accepted in
HTTPS-over-IPv6 boot"

It is indeed the bug that you think it is ("From code inspection I'd
have guessed that the code would tolerate *any* valid certificate, even
for a host other than the one it actually attempted to connect to.")

There is still no CVE number assigned.

Patches exist, but have not been posted to the list yet.

--*--

Normally, my above comments (in public) would amount to breaking a live
security embargo. In reality, this is not the case. That's because the
UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so),
addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2
problem required changes to the UEFI spec too.

If you search both UEFI-2.7 and UEFI-2.8 for the enum constant
"EfiTlsVerifyHost", you will find it only in UEFI-2.8. Therefore, the
cat had been let out of the bag when UEFI-2.8 was released. In effect,
*that* ended the embargo on TianoCore#960. The fact that TianoCore#960
is still unreadable to the public (including the attached patches) is
"merely" a technical tidbit. :/

I'm CC'ing you on the BZ now, so you can read it even before it gets
opened up.

Thanks
Laszlo


* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 15:20 UTC
  To: devel, lersek, Sivaraman Nainar; +Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com


On Thu, 2019-06-20 at 16:27 +0200, Laszlo Ersek wrote:
> It is indeed the bug that you think it is ("From code inspection I'd
> have guessed that the code would tolerate *any* valid certificate, even
> for a host other than the one it actually attempted to connect to.")

:)

> I'm CC'ing you on the BZ now, so you can read it even before it gets
> opened up.

... and I've pointed out the problem in the implementation of
TlsSetVerifyHost(). :)

Thanks.


