[edk2-devel] [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation
Maciej Rabeda
maciej.rabeda at linux.intel.com
Fri Oct 22 10:32:26 UTC 2021
Hi Vineel,
I do not have any problems with this patch. Before I merge, I would like
Jiaxin to look at it, since he has submitted that code.
Thanks,
Maciej
On 15-Oct-21 02:54, Vineel Kovvuri wrote:
> The current UEFI implementation of HTTPS during its TLS configuration uses
> EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec
> this flag does is "to disable the match of any wildcards in the host name". So,
> certificates which are issued with wildcards(*.dm.corp.net etc) in it will fail
> the TLS host name matching. On the other hand,
> EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for hostname
> validation. Wildcards are supported and they match only in the left-most label."
> this behavior/definition is coming from openssl's X509_check_host() api
> https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
>
> Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued
> with wildcards in them would fail to match while trying to communicate with
> HTTPS endpoint.
>
> BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
>
> Signed-off-by: Vineel Kovvuri <vineelko at microsoft.com>
> ---
> NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
> index 7e0bf85c3c..0f28ae9447 100644
> --- a/NetworkPkg/HttpDxe/HttpsSupport.c
> +++ b/NetworkPkg/HttpDxe/HttpsSupport.c
> @@ -625,7 +625,7 @@ TlsConfigureSession (
> //
> HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
> HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
> - HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
> + HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
> HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
> HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#82512): https://edk2.groups.io/g/devel/message/82512
Mute This Topic: https://groups.io/mt/86329439/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list