Hi Folks,

Thanks for reviewing the patch. May I know what are the next steps to get it in 
to edk2?
I have already updated the same in 
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning

Thanks,
Vineel

-----Original Message-----
From: Wu, Jiaxin <[email protected]> 
Sent: Monday, November 1, 2021 6:15 PM
To: [email protected]; [email protected]; Rabeda, Maciej 
<[email protected]>; Yao, Jiewen <[email protected]>; Jancarlo Perez 
<[email protected]>; Mike Turner <[email protected]>; Sean Brogan 
<[email protected]>; Bret Barkelew <[email protected]>
Cc: Vineel Kovvuri <[email protected]>
Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching 
in EDK2 HTTPS/TLS implementation

It's good to me change the default the verify flag.

Reviewed-by: Jiaxin Wu <[email protected]>

Thanks,
Jiaxin

> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Vineel 
> Kovvuri
> Sent: Friday, October 15, 2021 8:55 AM
> To: Rabeda, Maciej <[email protected]>; Yao, Jiewen 
> <[email protected]>; [email protected]; 
> [email protected]; [email protected]; 
> [email protected]; [email protected]
> Cc: Vineel Kovvuri <[email protected]>
> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in 
> EDK2 HTTPS/TLS implementation
> 
> The current UEFI implementation of HTTPS during its TLS configuration 
> uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As 
> per the spec this flag does is "to disable the match of any wildcards 
> in the host name". So, certificates which are issued with 
> wildcards(*.dm.corp.net etc) in it will fail the TLS host name 
> matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for 
> hostname validation. Wildcards are supported and they match only in 
> the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() 
> api
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> openssl.org%2Fdocs%2Fman1.1.0%2Fman3%2FX509_check_host.html&amp;data=0
> 4%7C01%7Cvineelko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7
> C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637714125291796675%7CUnkno
> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
> CJXVCI6Mn0%3D%7C1000&amp;sdata=Ygz4XOYjA0m7JL6acQ1Jv55fxJJv6pFvE6n%2F%
> 2Bc6jwBU%3D&amp;reserved=0
> 
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using 
> certificates issued with wildcards in them would fail to match while 
> trying to communicate with HTTPS endpoint.
> 
> BugZilla: 
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugz
> illa.tianocore.org%2Fshow_bug.cgi%3Fid%3D3691&amp;data=04%7C01%7Cvinee
> lko%40microsoft.com%7C1a8a6c07efcb42e043a008d99d9e3fba%7C72f988bf86f14
> 1af91ab2d7cd011db47%7C1%7C0%7C637714125291806667%7CUnknown%7CTWFpbGZsb
> 3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%
> 7C1000&amp;sdata=q5qkhZ5fyWdx2SBzKytPsx%2BB%2BWfvCeZp56gEVln2SsA%3D&am
> p;reserved=0
> 
> Signed-off-by: Vineel Kovvuri <[email protected]>
> ---
>  NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>    //
>    HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>    HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    =
> EFI_TLS_VERIFY_FLAG_NONE;
>    HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >RemoteHost;
>    HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
> 
> --
> 2.17.1
> 
> 
> 
> 
> 



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#83152): https://edk2.groups.io/g/devel/message/83152
Mute This Topic: https://groups.io/mt/86329439/21656
Group Owner: [email protected]
Unsubscribe: https://edk2.groups.io/g/devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to