Reviewed-by: Jiewen Yao <jiewen....@intel.com>

Since this https://bugzilla.tianocore.org/show_bug.cgi?id=3691 (NetworkPkg) is separated from https://bugzilla.tianocore.org/show_bug.cgi?id=3679 (CryptoPkg), I will handle those two separately. I will only help merge 3679, and I would expect the NetworkPkg maintainer to handle 3691.
Since this impacts the security policy, after NetworkPkg maintainer review, I recommend we wait for a longer time (1~2 WW) to see if anyone else has comments on this one.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Vineel Kovvuri <vineel.kovv...@gmail.com>
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rab...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; jp...@microsoft.com; michael.tur...@microsoft.com; sean.bro...@microsoft.com; bret.barke...@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vinee...@microsoft.com>
> Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
> this flag is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards (*.dm.corp.net etc.) in them will
> fail the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most
> label." This behavior/definition is coming from openssl's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with an
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vinee...@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession ( > // > HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; > HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; > - HttpInstance->TlsConfigData.VerifyHost.Flags = > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > + HttpInstance->TlsConfigData.VerifyHost.Flags = > EFI_TLS_VERIFY_FLAG_NONE; > HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance- > >RemoteHost; > HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; > > -- > 2.17.1
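Review bot: the VerifyHost.Flags change in TlsConfigureSession is a hard-coded, global policy switch, so any platform that relied on EFI_TLS_VERIFY_FLAG_NO_WILDCARDS to reject wildcard certificates silently gets the relaxed behaviour with no way to opt out; rather than replacing the constant, consider making the verify flags a platform configuration (a PCD or the HTTP/TLS configuration path) with EFI_TLS_VERIFY_FLAG_NONE as the new default, and state in the commit message that the default is changing and why. If the goal is only the "*.dm.corp.net" case from the message, note that EFI_TLS_VERIFY_FLAG_NONE, per the X509_check_host() semantics the message cites, also admits partial-label patterns such as "ba*.dm.corp.net"; EFI_TLS_VERIFY_FLAG_NO_PARTIAL_WILDCARDS from the same EFI_TLS_VERIFY_HOST flag set is the narrower relaxation, and the message should say which of the two was intended.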
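The matching rules the commit message cites from X509_check_host(), as an added example that is not part of this thread and not edk2 or OpenSSL code: a stand-alone C model of OpenSSL's default DNS-ID wildcard matching, evaluated under the two policies named in the patch plus the partial-wildcard restriction. The flag names mirror the UEFI EFI_TLS_VERIFY_FLAG_* names but are local constants with assumed values, and OpenSSL's hyphen-placement and literal-'*' corner cases are left out.

```c
/* Added example, not edk2/OpenSSL code: a model of how OpenSSL's
 * X509_check_host() (which TlsLib calls for EFI_TLS_VERIFY_HOST) treats a
 * certificate DNS-ID pattern.  Flag names mirror the UEFI
 * EFI_TLS_VERIFY_FLAG_* names; the values are local assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VERIFY_FLAG_NONE                 0x00u /* assumed: wildcards allowed, first label only */
#define VERIFY_FLAG_NO_WILDCARDS         0x02u /* assumed: any '*' in the pattern is literal */
#define VERIFY_FLAG_NO_PARTIAL_WILDCARDS 0x04u /* assumed: only whole-label "*.example.com" */

/* Case-insensitive equality of two byte ranges (DNS names are ASCII). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Validate PAT and locate its single legal '*' under OpenSSL's default rules:
 * at most one '*', only in the first label, at that label's start or end,
 * never inside an IDNA (xn--) label, and followed by at least two dots, so
 * "*.com" is not a wildcard pattern.  Returns NULL when PAT has no usable
 * wildcard; the caller then falls back to an exact compare.  Simplified:
 * OpenSSL additionally rejects labels that start or end with '-'. */
static const char *find_star(const char *pat, size_t len, unsigned flags)
{
    const char *star = NULL;
    int label_start = 1, idna = 0, dots = 0;

    for (size_t i = 0; i < len; i++) {
        char c = pat[i];
        if (c == '*') {
            int at_start = label_start;
            int at_end = (i == len - 1 || pat[i + 1] == '.');
            if (star || idna || dots)                      /* second '*', IDNA, or later label */
                return NULL;
            if ((flags & VERIFY_FLAG_NO_PARTIAL_WILDCARDS) && (!at_start || !at_end))
                return NULL;
            if (!at_start && !at_end)                      /* "foo*bar" is never allowed */
                return NULL;
            star = &pat[i];
            label_start = 0;
        } else if (isalnum((unsigned char)c)) {
            if (label_start && len - i >= 4 && eq_nocase(&pat[i], "xn--", 4))
                idna = 1;
            label_start = 0;
        } else if (c == '.') {
            if (label_start)                               /* empty label */
                return NULL;
            label_start = 1; idna = 0; dots++;
        } else if (c != '-') {
            return NULL;                                   /* not a hostname character */
        }
    }
    return (label_start || dots < 2) ? NULL : star;
}

/* Does HOST satisfy the certificate pattern PAT under FLAGS?  With
 * VERIFY_FLAG_NONE a whole-label '*' must consume at least one character and
 * never spans a '.', so "*.dm.corp.net" matches "host.dm.corp.net" but not
 * "a.b.dm.corp.net" or "dm.corp.net".  With VERIFY_FLAG_NO_WILDCARDS the
 * pattern is compared literally, which is the failure the patch describes. */
int tls_host_matches(const char *pat, const char *host, unsigned flags)
{
    size_t plen = strlen(pat), hlen = strlen(host);
    const char *star = NULL;

    if (!(flags & VERIFY_FLAG_NO_WILDCARDS))
        star = find_star(pat, plen, flags);
    if (star == NULL)                                      /* exact, case-insensitive */
        return plen == hlen && eq_nocase(pat, host, plen);

    size_t prefix_len = (size_t)(star - pat);
    const char *suffix = star + 1;
    size_t suffix_len = plen - prefix_len - 1;
    if (hlen < prefix_len + suffix_len || !eq_nocase(pat, host, prefix_len))
        return 0;
    const char *wc_start = host + prefix_len;              /* span the '*' must cover */
    const char *wc_end = host + hlen - suffix_len;
    if (!eq_nocase(wc_end, suffix, suffix_len))
        return 0;
    if (prefix_len == 0 && suffix[0] == '.') {
        if (wc_start == wc_end)                            /* "*.x.y" needs >= 1 char */
            return 0;
    } else if (hlen >= 4 && eq_nocase(host, "xn--", 4)) {
        return 0;                                          /* IDNA never matches partials */
    }
    for (const char *p = wc_start; p != wc_end; p++)       /* single label only */
        if (!(isalnum((unsigned char)*p) || *p == '-'))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample pairs; the first is the case from the patch. */
    static const struct { const char *pat, *host; } cases[] = {
        { "*.dm.corp.net",   "host.dm.corp.net" },
        { "*.dm.corp.net",   "a.b.dm.corp.net"  },
        { "*.dm.corp.net",   "dm.corp.net"      },
        { "ba*.dm.corp.net", "bar.dm.corp.net"  },
        { "host.*.corp.net", "host.dm.corp.net" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-17s %-18s NO_WILDCARDS=%d NONE=%d NO_PARTIAL=%d\n",
               cases[i].pat, cases[i].host,
               tls_host_matches(cases[i].pat, cases[i].host, VERIFY_FLAG_NO_WILDCARDS),
               tls_host_matches(cases[i].pat, cases[i].host, VERIFY_FLAG_NONE),
               tls_host_matches(cases[i].pat, cases[i].host, VERIFY_FLAG_NO_PARTIAL_WILDCARDS));
    return 0;
}
```

The table the program prints makes the policy difference concrete: the same "*.dm.corp.net" pattern fails under NO_WILDCARDS and passes under NONE, while NONE still refuses multi-label and bare-domain hosts; the "ba*" row is the extra surface NONE opens relative to NO_PARTIAL_WILDCARDS.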