[edk2-devel] reg: Multiple Host Name Certificate

Sivaraman Nainar sivaramann at amiindia.co.in
Thu Jun 20 11:27:16 UTC 2019


Hello:

This support was added when we were integrating "TianoCore Bug 960 (HTTPS_HostName_Validation)". This has the support for performing Host Name validation during HTTP Operations.

-Siva
-----Original Message-----
From: devel at edk2.groups.io [mailto:devel at edk2.groups.io] On Behalf Of David Woodhouse
Sent: Thursday, June 20, 2019 4:18 PM
To: devel at edk2.groups.io; Sivaraman Nainar
Cc: jiaxin.wu at intel.com; siyuan.fu at intel.com
Subject: Re: [edk2-devel] reg: Multiple Host Name Certificate

On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior
>  
> From: Sivaraman Nainar 
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel at edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>  
> Hello:
>  
> Can someone help to confirm if EDK2 supports multiple Host Name
> support.
>  
> We need to have an environment where the HTTPS request should work
> fine for IP & Host Name based access. When we create certificates
> with CN as Host Name and SAN as IP, the TLS Handshake works only for Host
> Name and it gives a Handshake Error when the requests are IP based.
>  
> If this question needs to be raised in another forum please help to
> redirect.
>  


I can't actually see where we do these checks at all. OpenSSL doesn't
do them for us internally (as it doesn't even know the hostname we
happened to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions. 

From code inspection I'd have guessed that the code would tolerate
*any* valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?
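
An added example, not part of the thread and not EDK2 or OpenSSL code: a simplified Python model of the two kinds of check named above, a host-name check in the style of X509_check_host() (dNSName SANs, falling back to the CN only when no dNSName SAN exists) and an IP check in the style of X509_check_ip() (iPAddress SANs only). The certificate fields, names and addresses are constructed, `host_only_verify` is a hypothetical client, and wildcard matching is left out.

```python
import ipaddress

# Constructed certificate fields mirroring the thread: CN is a host name,
# the only SAN entry is an IP address.
CERT_CN_HOST_SAN_IP = {"cn": "server.example.test", "san_dns": [], "san_ip": ["192.0.2.10"]}
# Constructed contrast case: a dNSName SAN is present, so the CN is ignored.
CERT_WITH_DNS_SAN = {"cn": "old.example.test", "san_dns": ["server.example.test"], "san_ip": []}


def check_host(cert, name):
    """Host-name check: compare against dNSName SANs; use the CN only if there are none."""
    candidates = cert["san_dns"] or [cert["cn"]]
    return any(name.lower() == c.lower() for c in candidates)


def check_ip(cert, addr):
    """IP check: compare against iPAddress SANs only, as parsed addresses (never the CN)."""
    want = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(s) == want for s in cert["san_ip"])


def verify_reference(cert, reference):
    """Choose the check from the kind of identifier the client connected to."""
    try:
        ipaddress.ip_address(reference)
    except ValueError:
        return check_host(cert, reference)   # not an IP literal: treat as host name
    return check_ip(cert, reference)         # IP literal: only iPAddress SANs count


def host_only_verify(cert, reference):
    """Hypothetical client that treats every reference as a host name."""
    return check_host(cert, reference)


if __name__ == "__main__":
    for ref in ("server.example.test", "192.0.2.10", "other.example.test"):
        print(ref,
              "typed check:", verify_reference(CERT_CN_HOST_SAN_IP, ref),
              "host-only check:", host_only_verify(CERT_CN_HOST_SAN_IP, ref))
```

With the constructed certificate, a client that dispatches on the identifier type accepts both the host name and the IP, while one that only ever runs the host-name check rejects the IP; the thread does not establish which of these the EDK2 code does.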