On Fri, 2019-10-11 at 02:24 +0000, Wu, Jiaxin wrote: > Hi Laszlo & David, > > I think I have *repeated* several times that we are targeting to fix > the HostName validation issue, not the IP or email address. *But* > even so, the series patches for UEFI TLS is also allowable to > specify IP as host name for CN or dNSName of SAN in the certificate. > That's why I said "if the CN or SAN in the certificate are set > correctly, it should be OK to pass the verification". The failure you > mentioned here is to set the IP in iPAddress of SAN, I agree it's the > routine and suggested setting, *but* obviously, it's not the target > we are supported according the implementation/description of > TlsSetVerifyHost. We are targeting to the hostname verification, and > meanwhile compatible with the IP in the URI (But need the *correct* > certificate setting). > > IP addresses stored in the DNS names and CN are of cause ignored by > X509_check_ip & X509_check_ip_asc().
I cannot coherently express how disappointed I am by this response. The current state is that EDK2 doesn't check the subject of the certificate at all. We're trying to fix that, and you have expended more effort typing in poor excuses for doing an incomplete job, than the typing it would have taken just to get it right in the first place. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#48800): https://edk2.groups.io/g/devel/message/48800 Mute This Topic: https://groups.io/mt/34307578/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Description: S/MIME cryptographic signature