]> git.proxmox.com Git - mirror_edk2.git/commit
projects / mirror_edk2.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 939c235) | patch
NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.
authorVineel Kovvuri <vineel.kovvuri@gmail.com>
Fri, 15 Oct 2021 00:54:50 +0000 (17:54 -0700)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Wed, 3 Nov 2021 21:26:27 +0000 (21:26 +0000)
commit6f9e83f757ed7c5c78d071f475b2e72d899c2aef
tree5b869f599bfdeeedd2efdd4cf2887bd643cc08b4tree
parent939c2355daaf94cd7eb2018d15928b9bc471d680commit | diff
NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.

The current UEFI implementation of HTTPS during its TLS configuration
uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the
spec
this flag does is "to disable the match of any wildcards in the host
name". So,
certificates which are issued with wildcards(*.dm.corp.net etc) in it
will fail
the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
hostname
validation. Wildcards are supported and they match only in the left-most
label."
this behavior/definition is coming from openssl's X509_check_host() api
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
issued
with wildcards in them would fail to match while trying to communicate
with
HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
NetworkPkg/HttpDxe/HttpsSupport.c diff | blob | blame | history
EFI Development Kit II mirror for PVE