[edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

Maciej Rabeda maciej.rabeda at linux.intel.com
Fri Oct 22 10:32:26 UTC 2021


Hi Vineel,

I do not have any problems with this patch. Before I merge, I would like 
Jiaxin to look at it, since he has submitted that code.

Thanks,
Maciej

On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec,
> what this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> This behavior/definition is coming from OpenSSL's X509_check_host() API:
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with an
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko at microsoft.com>
> ---
>   NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
>     //
>     HttpInstance->TlsConfigData.ConnectionEnd       = EfiTlsClient;
>     HttpInstance->TlsConfigData.VerifyMethod        = EFI_TLS_VERIFY_PEER;
> -  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> +  HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;
>     HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
>     HttpInstance->TlsConfigData.SessionState        = EfiTlsSessionNotStarted;
>   
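Review bot: the changed line `HttpInstance->TlsConfigData.VerifyHost.Flags    = EFI_TLS_VERIFY_FLAG_NONE;` carries no comment, and the commit message itself calls the flag name a misnomer, so a later reader of TlsConfigureSession could take FLAG_NONE to mean host-name checking has been switched off. Suggest a short comment above that line stating that peer and host verification remain enabled (VerifyMethod is still EFI_TLS_VERIFY_PEER on the line above) and that FLAG_NONE only permits wildcards in the left-most label, as the X509_check_host() reference in the message explains, with a pointer to the BugZilla entry. Since the value is hard-coded in this hunk, the relaxation from rejecting to accepting wildcard certificates applies to every HttpDxe consumer at once; it is worth confirming in the commit message that this is the intended policy rather than something a platform would want to choose.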

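To show what the two flag values mean for the names a client will accept, here is an added example (not EDK2 or OpenSSL code) that models the host-name matching rule described above: with wildcards disabled only an exact, case-insensitive match passes; with wildcards enabled a "*" is honoured only as the complete left-most label of the certificate name. The model also applies what I take to be OpenSSL's default requirement that at least two labels follow the wildcard, and it deliberately leaves out partial wildcards such as www*.example.com.

```c
/* Illustrative model of left-most-label wildcard matching, added here to
 * explain the behaviour the patch enables.  This is example code only; it is
 * not EDK2's TlsDxe/HttpDxe logic nor OpenSSL's X509_check_host(). */
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of two strings of the given lengths. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Returns true when `host` is matched by the certificate name `pattern`.
 * allow_wildcards == false models EFI_TLS_VERIFY_FLAG_NO_WILDCARDS (the old
 * setting): only an exact, case-insensitive match is accepted.
 * allow_wildcards == true models EFI_TLS_VERIFY_FLAG_NONE (the new setting):
 * a pattern whose whole left-most label is "*" matches exactly one host label. */
bool host_matches(const char *pattern, const char *host, bool allow_wildcards)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (label_eq(pattern, plen, host, hlen))
        return true;                       /* exact match always wins */
    if (!allow_wildcards)
        return false;

    /* The wildcard is honoured only as the entire left-most label ("*."). */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return false;
    const char *psuffix = pattern + 1;     /* e.g. ".dm.corp.net" */

    /* Assumption about the OpenSSL default: at least two labels must follow
     * the wildcard, so "*.net" never matches anything. */
    int dots = 0;
    for (const char *p = psuffix; *p; p++) if (*p == '.') dots++;
    if (dots < 2)
        return false;

    /* The host's left-most label must be non-empty and contain no dot, so
     * "a.b.dm.corp.net" does not match "*.dm.corp.net". */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return false;
    return label_eq(psuffix, strlen(psuffix), hdot, strlen(hdot));
}
```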

