On 10/10/19 17:45, David Woodhouse wrote:
> On Thu, 2019-10-10 at 10:00 +0200, Laszlo Ersek wrote:
>>>          Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office, 
>>> OU=IPv6 cert, CN=fd33:eb1b:9b36::2
> Yeah, you're not actually testing the case I'm talking about. You want
> a GEN_IP in the x509v3 Subject Alternative Name.
> Compare with...
> $ openssl s_client  -connect vpn-i-ha01.intel.com:443 2>/dev/null | openssl 
> x509 -noout -text  | grep -A1 Alternative
>             X509v3 Subject Alternative Name: 
>                 DNS:vpn-int.intel.com, DNS:scsidcint01-a.intel.com, IP 
> Address:
> $ curl

OK, thank you.

I can imagine two failure modes, with the patches applied.

(1) Edk2 ignores the GEN_IP in the SAN, and rejects a matching server

(2) Edk2 is confused by the GEN_IP in the SAN, and accepts an invalid
(mismatched) server certificate.

Can we tell which failure mode applies?

(I can't test it easily myself, as I don't even know how to create a
server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)

Case (2) is clearly bad, and it would be a sign that the patch series
does not fully fix the issue.

Case (1) would be tolerable, in my opinion. I assume a GEN_IP SAN is
pretty rare in practice. Thus regressing it (perhaps temporarily) should
be an acceptable trade-off for fixing the current gaping hole (= subject
name not checked at all).


Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#48751): https://edk2.groups.io/g/devel/message/48751
Mute This Topic: https://groups.io/mt/34307578/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]

Reply via email to