On 10/10/19 17:45, David Woodhouse wrote:
> On Thu, 2019-10-10 at 10:00 +0200, Laszlo Ersek wrote:
>>> Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office,
>>> OU=IPv6 cert, CN=fd33:eb1b:9b36::2
>
> Yeah, you're not actually testing the case I'm talking about. You want
> a GEN_IP in the x509v3 Subject Alternative Name.
>
> Compare with...
>
> $ openssl s_client -connect vpn-i-ha01.intel.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 Alternative
> X509v3 Subject Alternative Name:
> DNS:vpn-int.intel.com, DNS:scsidcint01-a.intel.com, IP Address:134.191.232.101
>
> $ curl https://134.191.232.101/
>
OK, thank you.

I can imagine two failure modes, with the patches applied.

(1) Edk2 ignores the GEN_IP in the SAN, and rejects a matching server certificate.

(2) Edk2 is confused by the GEN_IP in the SAN, and accepts an invalid (mismatched) server certificate.

Can we tell which failure mode applies? (I can't test it easily myself, as I don't even know how to create a server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)

Case (2) is clearly bad, and it would be a sign that the patch series does not fully fix the issue.

Case (1) would be tolerable, in my opinion. I assume a GEN_IP SAN is pretty rare in practice. Thus regressing it (perhaps temporarily) should be an acceptable trade-off for fixing the current gaping hole (= subject name not checked at all).

Thanks
Laszlo
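The two failure modes discussed in this thread can be pinned down against a reference verifier. The Go program below is an added example, not edk2 code and not from either poster: it generates a self-signed certificate carrying both a DNS and an IP-address (GEN_IP) SAN entry, using the constructed name vpn.example.com and the documentation address 192.0.2.10, and checks which connected hosts Go's crypto/x509 accepts. A correct verifier must accept the matching IP (ruling out mode 1) and reject a different IP (ruling out mode 2); a certificate that carries the IP only in the subject CN, like the one quoted above, is not matched at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// MakeCert builds a self-signed server cert (constructed test data) with the given CN, DNS SAN and IP SAN (GEN_IP) entries.
func MakeCert(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so the SAN is decoded as a TLS client sees it
}

// Matches reports whether Go's verifier accepts cert for the connected host; IP literals are matched only against IP SAN entries, never the CN.
func Matches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	san, err1 := MakeCert("vpn.example.com", []string{"vpn.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	cnOnly, err2 := MakeCert("192.0.2.10", nil, nil) // IP only in the CN, no SAN at all
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("SAN cert, matching IP:", Matches(san, "192.0.2.10"))    // true: rules out failure mode (1)
	fmt.Println("SAN cert, other IP:   ", Matches(san, "192.0.2.11"))    // false: rules out failure mode (2)
	fmt.Println("CN-only cert, same IP:", Matches(cnOnly, "192.0.2.10")) // false: the CN is not consulted
}
```

The same three checks, run against an edk2-built client instead of Go, would tell the two failure modes apart.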