[edk2-devel] [RFC v1 5/4] CryptoPkg/TlsLib: accept peer certs via both DNS names and IP addresses
Laszlo Ersek
lersek at redhat.com
Thu Oct 24 19:47:36 UTC 2019
On 10/17/19 17:49, David Woodhouse wrote:
> On Thu, 2019-10-17 at 17:35 +0200, Laszlo Ersek wrote:
>> Reference [2] advises to put the IP address in both CN and
>> SAN.iPAddress
>> for best compatibility, and that would be fine, for
>> X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad
>> for X509_VERIFY_PARAM_set1_ip().
>
> I don't believe it's true, and it conflicts with what's in [2] which
> suggests that you do it properly *and* put it in the legacy CN for the
> benefit of broken clients.
>
> None of this convinces me that EDK2 should deliberately be one of those
> "broken clients". Just fix it. Let people worry about compatibility
> with historical buggy versions of proprietary operating systems when
> they issue their certs.
I have four patches, to be inserted in the middle (between v1 patches #2
and #3).
I plan to submit a v2 series (8 patches in total) this week, after
testing. If I can't manage this week, then it'll take longer (possibly
2+ weeks).
Jiaxin, I'm assigning the bug to myself, if that's OK with you.
Thanks
Laszlo
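The distinction argued over in the quoted exchange, as an added example that is not EDK2, OpenSSL or the author's code: a simplified Python model of the matching rules behind X509_VERIFY_PARAM_set1_host() and X509_VERIFY_PARAM_set1_ip(), where a DNS reference identity falls back to the CN only when the certificate has no dNSName SAN, while an IP reference identity is compared against iPAddress SAN entries only, so an address present "only" in the CN does not verify. The three peer certificates are constructed sample values in the layout Python's ssl.getpeercert() returns, wildcard handling is reduced to the leftmost label, and the helper names are this example's own.

```python
import ipaddress

# Peer certificates in the layout Python's ssl.getpeercert() returns;
# the three certificates below are constructed for this example.
CN_ONLY_IP = {"subject": ((("commonName", "10.0.0.1"),),),
              "subjectAltName": ()}
CN_AND_SAN_IP = {"subject": ((("commonName", "10.0.0.1"),),),
                 "subjectAltName": (("IP Address", "10.0.0.1"),)}
CN_ONLY_DNS = {"subject": ((("commonName", "firmware.example"),),),
               "subjectAltName": ()}

def _common_names(cert):
    return [v for rdn in cert["subject"] for (k, v) in rdn if k == "commonName"]

def _san(cert, kind):
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == kind]

def _dns_match(pattern, host):
    # Case-insensitive; '*' is honoured only as the entire leftmost label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    return p == h or (p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:])

def check_host(cert, hostname):
    """DNS reference identity (X509_VERIFY_PARAM_set1_host-like rules):
    dNSName SAN entries are authoritative; the CN is consulted only as a
    legacy fallback when the certificate carries no dNSName SAN at all."""
    dns_sans = _san(cert, "DNS")
    candidates = dns_sans if dns_sans else _common_names(cert)
    return any(_dns_match(c, hostname) for c in candidates)

def check_ip(cert, ip_text):
    """IP reference identity (X509_VERIFY_PARAM_set1_ip-like rules): only
    iPAddress SAN entries are compared, as packed bytes, and the CN is never
    consulted, so an address that appears only in the CN does not verify."""
    want = ipaddress.ip_address(ip_text).packed
    for san in _san(cert, "IP Address"):
        try:
            if ipaddress.ip_address(san).packed == want:
                return True
        except ValueError:  # malformed SAN entry: skip it rather than match
            continue
    return False

def verify_peer(cert, reference):
    """Route the configured peer name to the right check by its form."""
    try:
        ipaddress.ip_address(reference)
    except ValueError:
        return check_host(cert, reference)
    return check_ip(cert, reference)
```

verify_peer(CN_ONLY_IP, "10.0.0.1") is False while verify_peer(CN_AND_SAN_IP, "10.0.0.1") is True, which is the behaviour the "put it in both CN and SAN.iPAddress" advice is working around.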
View/Reply Online (#49435): https://edk2.groups.io/g/devel/message/49435