On Fri, 2019-10-11 at 17:36 +0200, Laszlo Ersek wrote:
> On 10/11/19 13:16, David Woodhouse wrote:
> > I first started looking at this when it was
> > reported as such, on the list.
>
> I believe you. Can you somehow find that thread? I tried, but I couldn't
> find it. My mailbox (going back 9 years) is indexed, but my searches
> have failed. I must be using the wrong search terms. If I try "GEN_IP"
> or "Subject Alternative Name", I only get this thread.

https://www.mail-archive.com/devel@edk2.groups.io/msg03339.html

In that thread you pointed me at the bug, and I immediately pointed out
the error in the patch series:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c31

Followed by a bit more detail on how to fix it, with examples to look at:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c32

> David: it *is* hard! It is hard for me. I wouldn't know where to begin.

I suspect this is false modesty on your part. Given the pointers and the
examples above, I have lots of confidence that if this were the task on
your plate, you would accomplish it with ease.

I would, of course, be happy to provide further pointers, and even work
with upstream OpenSSL to make this even easier. Crypto libraries should
make it hard for application developers to get things wrong, and they
often let us down in that respect.

In fact, I did that last bit already:
https://bugzilla.tianocore.org/show_bug.cgi?id=960#c33

> As always, I strongly favor "upstream first". Show us the code, please?

It's already linked from that Bugzilla comment I referenced:
https://github.com/openssl/openssl/pull/9201

Pull that into your OpenSSL tree, then make a trivial change following
the example in that PR, to do

	if (SSL_set1_ip_asc(ssl, hostname) < 0)
		SSL_set1_host(ssl, hostname);

instead of just the SSL_set1_host() call. That way, *if* the string
happens to be a valid IPv6 or Legacy IP address, the SSL_set1_ip_asc()
call will work; otherwise it's treated as a hostname.
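A toy model of the two matching paths that fallback selects between, added here as an example (it is not code from this thread, from OpenSSL, or from the PR): a minimal subjectAltName matcher in which the host path compares only dNSName entries, so an IP literal can only succeed through the iPAddress path. The SAN list and the match functions are constructed for illustration; real iPAddress entries are binary octets rather than text, and wildcards are not handled.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Constructed toy model of a certificate's subjectAltName entries. */
enum san_type { SAN_DNSNAME, SAN_IPADDRESS };
struct san_entry { enum san_type type; const char *value; };

/* Constructed sample SAN list (hypothetical firmware update server). */
const struct san_entry sample_sans[] = {
    { SAN_DNSNAME,   "firmware.example.test" },
    { SAN_IPADDRESS, "192.0.2.10" },
    { SAN_IPADDRESS, "2001:db8::1" },
};
const size_t sample_san_count = sizeof sample_sans / sizeof sample_sans[0];

/* Parse an IPv4/IPv6 literal to binary; returns 4, 16, or 0 if not an IP. */
static int parse_ip_literal(const char *text, unsigned char out[16])
{
    if (inet_pton(AF_INET, text, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, text, out) == 1)
        return 16;
    return 0;
}

/* Host path (what SSL_set1_host() alone gives): dNSName entries only,
 * case-insensitive. An IP literal never matches here, which is the bug. */
static int match_dnsname(const struct san_entry *sans, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (sans[i].type == SAN_DNSNAME && strcasecmp(sans[i].value, name) == 0)
            return 1;
    return 0;
}

/* IP path: compare binary addresses so textual variants of one IPv6
 * address (case, zero compression) still match the iPAddress entry. */
static int match_ipaddress(const struct san_entry *sans, size_t n,
                           const unsigned char *want, int want_len)
{
    unsigned char have[16];
    for (size_t i = 0; i < n; i++)
        if (sans[i].type == SAN_IPADDRESS &&
            parse_ip_literal(sans[i].value, have) == want_len &&
            memcmp(have, want, (size_t)want_len) == 0)
            return 1;
    return 0;
}

/* Same order as the proposed fix: IP path first, host path only as fallback. */
int verify_peer_name(const struct san_entry *sans, size_t n, const char *peer)
{
    unsigned char want[16];
    int len = parse_ip_literal(peer, want);
    return len ? match_ipaddress(sans, n, want, len) : match_dnsname(sans, n, peer);
}
```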