Hi Folks, Thanks for reviewing the patch. May I know what are the next steps to get it in to edk2? I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Thanks, Vineel -----Original Message----- From: Wu, Jiaxin <[email protected]> Sent: Monday, November 1, 2021 6:15 PM To: [email protected]; [email protected]; Rabeda, Maciej <[email protected]>; Yao, Jiewen <[email protected]>; Jancarlo Perez <[email protected]>; Mike Turner <[email protected]>; Sean Brogan <[email protected]>; Bret Barkelew <[email protected]> Cc: Vineel Kovvuri <[email protected]> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation It's good to me change the default the verify flag. Reviewed-by: Jiaxin Wu <[email protected]> Thanks, Jiaxin > -----Original Message----- > From: [email protected] <[email protected]> On Behalf Of Vineel > Kovvuri > Sent: Friday, October 15, 2021 8:55 AM > To: Rabeda, Maciej <[email protected]>; Yao, Jiewen > <[email protected]>; [email protected]; > [email protected]; [email protected]; > [email protected]; [email protected] > Cc: Vineel Kovvuri <[email protected]> > Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in > EDK2 HTTPS/TLS implementation > > The current UEFI implementation of HTTPS during its TLS configuration > uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As > per the spec this flag does is "to disable the match of any wildcards > in the host name". So, certificates which are issued with > wildcards(*.dm.corp.net etc) in it will fail the TLS host name > matching. On the other hand, > EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for > hostname validation. Wildcards are supported and they match only in > the left-most label." > this behavior/definition is coming from openssl's X509_check_host() > api > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&data=0 > 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7 > C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno > wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL > CJXVCI6Mn0%3D%7C1000&sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F% > 2Bc6jwBU%3D&reserved=0 > > Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using > certificates issued with wildcards in them would fail to match while > trying to communicate with HTTPS endpoint. > > BugZilla: > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz > illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&data=04%7C01%7Cvinee > lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14 > 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb > 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D% > 7C1000&sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am > p;reserved=0 > > Signed-off-by: Vineel Kovvuri <[email protected]> > --- > NetworkPkg/HttpDxe/HttpsSupport.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c > b/NetworkPkg/HttpDxe/HttpsSupport.c > index 7e0bf85c3c..0f28ae9447 100644 > --- a/NetworkPkg/HttpDxe/HttpsSupport.c > +++ b/NetworkPkg/HttpDxe/HttpsSupport.c > @@ -625,7 +625,7 @@ TlsConfigureSession ( > // > HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient; > HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER; > - HttpInstance->TlsConfigData.VerifyHost.Flags = > EFI_TLS_VERIFY_FLAG_NO_WILDCARDS; > + HttpInstance->TlsConfigData.VerifyHost.Flags = > EFI_TLS_VERIFY_FLAG_NONE; > HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance- > >RemoteHost; > HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted; > > -- > 2.17.1 > > > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#83152): https://edk2.groups.io/g/devel/message/83152 Mute This Topic: https://groups.io/mt/86329439/21656 Group Owner: [email protected] Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
