* Re: reg: Multiple Host Name Certificate
From: Sivaraman Nainar @ 2019-06-19 11:51 UTC
To: devel@edk2.groups.io
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

Can you please help to confirm the behavior

From: Sivaraman Nainar
Sent: Friday, June 7, 2019 2:48 PM
To: devel@edk2.groups.io
Subject: reg: Multiple Host Name Certificate

Hello:

Can someone help to confirm if EDK2 supports multiple Host Name support.

We need to have an environment where the HTTPS request should work fine for IP & Host Name based access. When we create certificates with CN as Host Name and SAN as IP, TLS Handshake works only for Host Name and it provides Handshake Error when the requests are IP Based.

If this question needs to be raised in other forum please help to redirect.

-Siva

* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 10:47 UTC
To: devel, sivaramann
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>
> From: Sivaraman Nainar
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>
> Hello:
>
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, TLS Handshake works only for Host
> Name and it provides Handshake Error when the requests are IP Based.
>
> If this question needs to be raised in other forum please help to
> redirect.
>

I can't actually see where we do these checks at all. OpenSSL doesn't do them for us internally (as it doesn't even know the hostname we happened to use to establish the connection), although it does offer X509_check_ip() and X509_check_host() functions.

From code inspection I'd have guessed that the code would tolerate *any* valid certificate, even for a host other than the one it actually attempted to connect to.

Surely that can't be true? Where *is* it?
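
An added illustration, not part of the thread and not edk2 or OpenSSL code: a simplified C model of the matching rules that OpenSSL's X509_check_host() and X509_check_ip() apply by default, run against the certificate shape from the original question (CN as host name, SAN as IP). The struct, the function names and the sample values are constructed for the example; wildcard matching is left out.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for a parsed certificate (not an OpenSSL or edk2 type). */
struct cert_ids {
    const char *cn;         /* subject commonName, or NULL */
    const char *dns_san[4]; /* dNSName SAN entries, NULL-terminated */
    const char *ip_san[4];  /* iPAddress SAN entries as text, NULL-terminated */
};

/* Parse an IP literal into bytes so comparison ignores textual spelling.
 * Returns 4 or 16 (address length), or 0 if s is not an IP literal. */
static int parse_ip(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Return 1 if the certificate is valid for ref, the host part of the URL
 * the client connected to; otherwise 0. Wildcards are not modelled. */
int cert_matches(const struct cert_ids *c, const char *ref)
{
    unsigned char want[16], have[16];
    int wlen = parse_ip(ref, want);

    if (wlen) { /* IP literal: only iPAddress SANs count, never the CN */
        for (int i = 0; i < 4 && c->ip_san[i]; i++)
            if (parse_ip(c->ip_san[i], have) == wlen && !memcmp(want, have, wlen))
                return 1;
        return 0;
    }
    if (c->dns_san[0]) { /* dNSName SANs present: the CN is ignored */
        for (int i = 0; i < 4 && c->dns_san[i]; i++)
            if (strcasecmp(c->dns_san[i], ref) == 0) return 1;
        return 0;
    }
    return c->cn && strcasecmp(c->cn, ref) == 0; /* CN fallback */
}

/* Constructed sample: CN = host name, SAN = IP, as described in the thread. */
const struct cert_ids thread_cert = {
    "boot.example.test", { NULL }, { "192.0.2.10", NULL }
};
/* Constructed sample: a dNSName SAN that differs from the CN. */
const struct cert_ids san_cert = {
    "old.example.test", { "new.example.test", NULL }, { NULL }
};
```

Under these rules the certificate from the question is acceptable for both the host name and the IP address, provided the client selects the check by the form of the reference identity; comparing an IP literal as if it were a host name would test it against the CN and fail.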

* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: Sivaraman Nainar @ 2019-06-20 11:27 UTC
To: devel@edk2.groups.io, dwmw2@infradead.org
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

Hello:

This support was added when we were integrating "TianoCore Bug 960 (HTTPS_HostName_Validation)". This has the support for performing Host Name validation during HTTP Operations.

-Siva

-----Original Message-----
From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of David Woodhouse
Sent: Thursday, June 20, 2019 4:18 PM
To: devel@edk2.groups.io; Sivaraman Nainar
Cc: jiaxin.wu@intel.com; siyuan.fu@intel.com
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>
> From: Sivaraman Nainar
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>
> Hello:
>
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, TLS Handshake works only for Host
> Name and it provides Handshake Error when the requests are IP Based.
>
> If this question needs to be raised in other forum please help to
> redirect.
>

I can't actually see where we do these checks at all. OpenSSL doesn't do them for us internally (as it doesn't even know the hostname we happened to use to establish the connection), although it does offer X509_check_ip() and X509_check_host() functions.

From code inspection I'd have guessed that the code would tolerate *any* valid certificate, even for a host other than the one it actually attempted to connect to.

Surely that can't be true? Where *is* it?

* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 12:35 UTC
To: Sivaraman Nainar, devel@edk2.groups.io
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
> This support was added when we were integrating "TianoCore Bug 960
> (HTTPS_HostName_Validation)". This has the support for performing
> Host Name validation during HTTP Operations.

Hm, I can't see bug 960, at least not without an account — and bugzilla is sending its messages from an invalid address so registering an account failed on the first attempt. I'll add it to the "known broken senders" list and try again... in the meantime, do you have a link to the code please?

* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: Laszlo Ersek @ 2019-06-20 14:27 UTC
To: devel, dwmw2, Sivaraman Nainar
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

Hello David,

On 06/20/19 14:35, David Woodhouse wrote:
> On Thu, 2019-06-20 at 11:27 +0000, Sivaraman Nainar wrote:
>> This support was added when we were integrating "TianoCore Bug 960
>> (HTTPS_HostName_Validation)". This has the support for performing
>> Host Name validation during HTTP Operations.
>
> Hm, I can't see bug 960, at least not without an account — and
> bugzilla is sending its messages from an invalid address so registering
> an account failed on the first attempt. I'll add it to the "known
> broken senders" list and try again... in the meantime, do you have a
> link to the code please?

TianoCore#960 is a security BZ that I had reported on 2018-05-29. The title of the ticket is

"server certificate with invalid domain name (CN) accepted in HTTPS-over-IPv6 boot"

It is indeed the bug that you think it is ("From code inspection I'd have guessed that the code would tolerate *any* valid certificate, even for a host other than the one it actually attempted to connect to.")

There is still no CVE number assigned. Patches exist, but have not been posted to the list yet.

--*--

Normally, my above comments (in public) would amount to breaking a live security embargo. In reality, this is not the case. That's because the UEFI-2.8 spec has been released meanwhile (in March/April 2019 or so), addressing Mantis#1921 ("HTTPS hostname validation"). Fixing the edk2 problem required changes to the UEFI spec too.

If you search both UEFI-2.7 and UEFI-2.8 for the enum constant "EfiTlsVerifyHost", you will find it only in UEFI-2.8.

Therefore, the cat had been let out of the bag when UEFI-2.8 was released. In effect, *that* ended the embargo on TianoCore#960. The fact that TianoCore#960 is still unreadable to the public (including the attached patches) is "merely" a technical tidbit. :/

I'm CC'ing you on the BZ now, so you can read it even before it gets opened up.

Thanks
Laszlo

* Re: [edk2-devel] reg: Multiple Host Name Certificate
From: David Woodhouse @ 2019-06-20 15:20 UTC
To: devel, lersek, Sivaraman Nainar
Cc: jiaxin.wu@intel.com, siyuan.fu@intel.com

On Thu, 2019-06-20 at 16:27 +0200, Laszlo Ersek wrote:
> It is indeed the bug that you think it is ("From code inspection I'd
> have guessed that the code would tolerate *any* valid certificate, even
> for a host other than the one it actually attempted to connect to.")

:)

> I'm CC'ing you on the BZ now, so you can read it even before it gets
> opened up.

... and I've pointed out the problem in the implementation of TlsSetVerifyHost(). :)

Thanks.