On Fri, 2019-10-11 at 02:24 +0000, Wu, Jiaxin wrote:
> Hi Laszlo & David,
> I think I have *repeated* several times that we are targeting to fix
> the HostName validation issue, not the IP or email address. *But*
> even so,  the series patches for UEFI TLS is also allowable to
> specify IP as host name for CN or dNSName of SAN in the certificate.
> That's why I said "if the CN or SAN in the certificate are set
> correctly, it should be OK to pass the verification". The failure you
> mentioned here is to set the IP in iPAddress of SAN, I agree it's the
> routine and suggested setting, *but* obviously, it's not the target
> we are supported according the implementation/description of
> TlsSetVerifyHost. We are targeting to the hostname verification, and
> meanwhile compatible with the IP in the URI (But need the *correct*
> certificate setting).
> IP addresses stored in the DNS names and CN are of cause ignored by
> X509_check_ip & X509_check_ip_asc().

I cannot coherently express how disappointed I am by this response.

The current state is that EDK2 doesn't check the subject of the
certificate at all.

We're trying to fix that, and you have expended more effort typing in
poor excuses for doing an incomplete job, than the typing it would have
taken just to get it right in the first place.

Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#48800): https://edk2.groups.io/g/devel/message/48800
Mute This Topic: https://groups.io/mt/34307578/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [arch...@mail-archive.com]

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to