On 07/03/2023 08:21, Nickle Wang via groups.io wrote:
> I got an idea to handle this issue.
>
> EFI_HTTP_SERVICE_BINDING_PROTOCOL is defined in the UEFI specification for
> the caller to create an HTTP protocol on a child instance. How about I
> propose a new service binding protocol called
> EFI_HTTP_*NO_TLS_HOST_VERIFY*_SERVICE_BINDING_PROTOCOL, and the
> EFI_HTTP_PROTOCOL created by this service binding protocol will not do
> TLS host verify during HTTPS communication.
>
> When the caller would like to disable host verify on HTTPS communication,
> the caller uses this service binding protocol to create a special HTTP
> instance. For other cases, the caller uses the regular
> EFI_HTTP_SERVICE_BINDING_PROTOCOL to get a normal EFI_HTTP_PROTOCOL instance.

That seems very hacky, and does not help to address the general problem
of being able to more flexibly configure HTTP connections.

From a quick look through the UEFI spec, it looks as though
EFI_TLS_PROTOCOL.SetSessionData() should already allow you to set
EfiTlsVerifyMethod with a value of EFI_TLS_VERIFY_NONE.

The implementation of HttpDxe makes it very messy to gain access to the
EFI_TLS_PROTOCOL instance, since it will be created only when
EFI_HTTP_PROTOCOL.Request() is called. I think you may have to use
gBS->RegisterProtocolNotify() in order to intercept the point at which
EFI_TLS_PROTOCOL is installed. In your notification event callback, you
would then check to see if the handle is a child of the
EFI_HTTP_PROTOCOL handle and, if so, call
EFI_TLS_PROTOCOL.SetSessionData() to disable host verification.

You would need to be using a newly created EFI_HTTP_PROTOCOL instance,
so that you could be sure that there was no existing EFI_TLS_PROTOCOL
instance already in place.

I haven't tested any of the above, but it looks as though it should work
and allow you to disable host verification for a single
EFI_HTTP_PROTOCOL instance, without any specification changes.

Michael