Thanks a lot Maciej for merging the PR.

Thanks,
Vineel
On Wed, Nov 3, 2021 at 2:29 PM Rabeda, Maciej <maciej.rab...@linux.intel.com> wrote:
> Changed commit title to: "NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS."
>
> Patch merged.
> PR: https://github.com/tianocore/edk2/pull/2168
> Commit: https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
>
> On 02-Nov-21 20:54, Maciej Rabeda wrote:
> > Hi Vineel,
> >
> > I will integrate the change to edk2 tomorrow.
> >
> > For now:
> > Reviewed-by: Maciej Rabeda <maciej.rab...@linux.intel.com>
> >
> > Thanks,
> > Maciej
> >
> > On 02-Nov-21 19:57, Vineel Kovvuri via groups.io wrote:
> >> Hi Folks,
> >>
> >> Thanks for reviewing the patch. May I know what the next steps are to get it into edk2?
> >> I have already updated the same in https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
> >>
> >> Thanks,
> >> Vineel
> >>
> >> -----Original Message-----
> >> From: Wu, Jiaxin <jiaxin...@intel.com>
> >> Sent: Monday, November 1, 2021 6:15 PM
> >> To: devel@edk2.groups.io; vineel.kovv...@gmail.com; Rabeda, Maciej <maciej.rab...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; Jancarlo Perez <jp...@microsoft.com>; Mike Turner <michael.tur...@microsoft.com>; Sean Brogan <sean.bro...@microsoft.com>; Bret Barkelew <bret.barke...@microsoft.com>
> >> Cc: Vineel Kovvuri <vinee...@microsoft.com>
> >> Subject: [EXTERNAL] RE: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
> >>
> >> It's good to me to change the default of the verify flag.
> >>
> >> Reviewed-by: Jiaxin Wu <jiaxin...@intel.com>
> >>
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Vineel Kovvuri
> >>> Sent: Friday, October 15, 2021 8:55 AM
> >>> To: Rabeda, Maciej <maciej.rab...@intel.com>; Yao, Jiewen <jiewen....@intel.com>; jp...@microsoft.com; michael.tur...@microsoft.com; sean.bro...@microsoft.com; bret.barke...@microsoft.com; devel@edk2.groups.io
> >>> Cc: Vineel Kovvuri <vinee...@microsoft.com>
> >>> Subject: [edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
> >>>
> >>> The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, what this flag does is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." This behavior/definition is coming from OpenSSL's X509_check_host() API: https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
> >>>
> >>> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.
> >>>
> >>> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
> >>>
> >>> Signed-off-by: Vineel Kovvuri <vinee...@microsoft.com>
> >>> ---
> >>> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> index 7e0bf85c3c..0f28ae9447 100644
> >>> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> >>> @@ -625,7 +625,7 @@ TlsConfigureSession (
> >>> //
> >>> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> >>> HttpInstance->TlsConfigData.VerifyMethod =
> >>> EFI_TLS_VERIFY_PEER;
> >>> - HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> >>> + HttpInstance->TlsConfigData.VerifyHost.Flags =
> >>> EFI_TLS_VERIFY_FLAG_NONE;
> >>> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
> >>>> RemoteHost;
> >>> HttpInstance->TlsConfigData.SessionState =
> >>> EfiTlsSessionNotStarted;
> >>>
> >>> --
> >>> 2.17.1

View/Reply Online (#83293): https://edk2.groups.io/g/devel/message/83293
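Review bot: the new flag value is a hard-coded constant in TlsConfigureSession, so every HttpDxe consumer switches to wildcard matching with no platform knob to keep the stricter EFI_TLS_VERIFY_FLAG_NO_WILDCARDS behaviour; the commit message should state that this is a global default change, and a short comment above the `+` line would help, e.g. `// Wildcards allowed, but only in the left-most label (X509_check_host semantics)`, because "NONE" is easily misread as disabling host-name verification even though VerifyMethod stays EFI_TLS_VERIFY_PEER on the line above.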
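The left-most-label wildcard rule the commit message quotes, as an added example (not edk2 or OpenSSL code): a small C model of the two host-name verification modes the patch toggles, showing why a `*.dm.corp.net` certificate never matched under the old flag. The `EX_*` flag names and values, `match_host` and the sample names are constructed for this example and are not the UEFI spec's `EFI_TLS_VERIFY_FLAG_*` values.

```c
/* Added example (not edk2 or OpenSSL code): a small model of the two host-name
 * verification modes the patch toggles, following the X509_check_host() rule
 * the commit message quotes: wildcards match only in the left-most label.
 * The EX_* flag values are constructed for this example, not UEFI spec values. */
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: DNS names compare case-insensitively */

#define EX_VERIFY_FLAG_NONE          0x0u  /* wildcards honoured, left-most label only */
#define EX_VERIFY_FLAG_NO_WILDCARDS  0x1u  /* '*' is an ordinary character */

/* Count '.' characters in s. */
static int count_dots(const char *s) {
  int n = 0;
  for (; *s; s++) if (*s == '.') n++;
  return n;
}

/* True if the presented host name matches the certificate name `pattern`. */
bool match_host(const char *pattern, const char *host, unsigned flags) {
  const char *pdot = strchr(pattern, '.');
  const char *hdot = strchr(host, '.');

  /* A wildcard is only recognised when it forms the whole left-most label,
   * the NO_WILDCARDS flag is clear, and (as OpenSSL requires) at least two
   * labels follow it, so "*.dm.corp.net" qualifies but "*.net" does not. */
  bool wildcard = (flags & EX_VERIFY_FLAG_NO_WILDCARDS) == 0 &&
                  pdot == pattern + 1 && pattern[0] == '*' &&
                  count_dots(pdot + 1) >= 1;

  if (!wildcard) {
    /* NO_WILDCARDS, or no wildcard present: exact, case-insensitive match.
     * This is why "*.dm.corp.net" matched no real host before the fix. */
    return strcasecmp(pattern, host) == 0;
  }

  /* "*" stands for exactly one non-empty label of the host; the remaining
   * labels must match exactly, so "a.b.dm.corp.net" is rejected. */
  if (hdot == NULL || hdot == host) return false;
  if (strchr(pdot + 1, '*') != NULL) return false;   /* no second wildcard */
  return strcasecmp(pdot + 1, hdot + 1) == 0;
}
```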