Hi Folks,

Thanks for reviewing the patch. May I know what the next steps are to get it into edk2? I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Thanks,
Vineel

-----Original Message-----
From: Wu, Jiaxin <jiaxin...@intel.com>
Sent: Monday, November 1, 2021 6:15 PM
To: devel@edk2.groups.io; vineel.kovv...@gmail.com; Rabeda, Maciej <maciej.rab...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; Jancarlo Perez <jp...@microsoft.com>; Mike Turner <michael.tur...@microsoft.com>; Sean Brogan <sean.bro...@microsoft.com>; Bret Barkelew <bret.barke...@microsoft.com>
Cc: Vineel Kovvuri <vinee...@microsoft.com>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

It's good to me to change the default verify flag.

Reviewed-by: Jiaxin Wu <jiaxin...@intel.com>

Thanks,
Jiaxin

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <maciej.rab...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; jp...@microsoft.com; michael.tur...@microsoft.com; sean.bro...@microsoft.com; bret.barke...@microsoft.com; devel@edk2.groups.io
> Cc: Vineel Kovvuri <vinee...@microsoft.com>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
>
> The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, this flag is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label."
> This behavior/definition is coming from openssl's X509_check_host() api:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vinee...@microsoft.com>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
>    HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
> --
> 2.17.1
>

View/Reply Online (#83152): https://edk2.groups.io/g/devel/message/83152
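Review bot: the replaced line `HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;` leaves nothing in the code explaining the choice, and the constant's name reads as if host verification were being switched off, which the commit message itself calls a misnomer. Suggest a short comment above the `+` line noting that VerifyMethod stays EFI_TLS_VERIFY_PEER (the unchanged context line just above it) and that EFI_TLS_VERIFY_FLAG_NONE selects the default X509_check_host() behaviour, in which a wildcard is accepted only in the left-most label. Since the hunk changes the default in TlsConfigureSession for every HttpDxe consumer rather than exposing a choice, the commit message should also state why the more permissive setting is acceptable as the default and not as an opt-in.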
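An added illustration of the difference the patch makes, written for this review and not part of the thread or of EDK2: a small C model of exact-only matching versus the left-most-label wildcard rule the commit message quotes from X509_check_host(). The function name and the sample host names are constructed for the example.

```c
/*
 * Added example, not EDK2 code: a simplified model of the two host-name
 * policies the patch chooses between. allow_wildcards == false stands for
 * EFI_TLS_VERIFY_FLAG_NO_WILDCARDS (exact name only); true stands for
 * EFI_TLS_VERIFY_FLAG_NONE, where X509_check_host() accepts a wildcard only as
 * the left-most label. Assumptions: whole-label "*." only, no IDNA handling.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* DNS names compare case-insensitively (ASCII only here). */
static bool names_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;                /* true only if both ended together */
}

/* True when a certificate name matches host under the chosen policy. */
bool host_matches(const char *cert_name, const char *host, bool allow_wildcards)
{
    if (names_equal(cert_name, host))
        return true;                /* exact match passes in both modes */
    if (!allow_wildcards)
        return false;               /* NO_WILDCARDS: nothing else counts */
    /* The wildcard must be the whole first label: "*." plus a suffix. */
    if (strncmp(cert_name, "*.", 2) != 0)
        return false;               /* rejects "host.*.corp.net", "f*o.x.y" */
    const char *cert_suffix = cert_name + 1;          /* ".dm.corp.net" */
    if (strchr(cert_suffix + 1, '.') == NULL)
        return false;               /* "*.net" would cover a whole TLD */
    /* The host must supply exactly one label in front of that suffix. */
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)
        return false;               /* nothing for '*' to consume */
    return names_equal(host_dot, cert_suffix);
}

int main(void)
{
    /* Constructed sample names built on the *.dm.corp.net case in the thread. */
    const char *hosts[] = { "host.dm.corp.net", "a.b.dm.corp.net", "dm.corp.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s NO_WILDCARDS=%d NONE=%d\n", hosts[i],
               host_matches("*.dm.corp.net", hosts[i], false),
               host_matches("*.dm.corp.net", hosts[i], true));
    return 0;
}
```

Only the first host matches, and only under the NONE policy; the other two show that the wildcard consumes exactly one label and never zero.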