Branch: refs/heads/master
Home: https://github.com/tianocore/edk2
Commit: 6f9e83f757ed7c5c78d071f475b2e72d899c2aef
https://github.com/tianocore/edk2/commit/6f9e83f757ed7c5c78d071f475b2e72d899c2aef
Author: Vineel Kovvuri <vineel.kovv...@gmail.com>
Date: 2021-11-03 (Wed, 03 Nov 2021)
Changed paths:
M NetworkPkg/HttpDxe/HttpsSupport.c
Log Message:
-----------
NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.
The current UEFI implementation of HTTPS during its TLS configuration
uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the
spec
this flag does is "to disable the match of any wildcards in the host
name". So,
certificates which are issued with wildcards(*.dm.corp.net etc) in it
will fail
the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE(misnomer) means "no additional flags set for
hostname
validation. Wildcards are supported and they match only in the left-most
label."
this behavior/definition is coming from openssl's X509_check_host() api
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html
Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates
issued
with wildcards in them would fail to match while trying to communicate
with
HTTPS endpoint.
BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691
Signed-off-by: Vineel Kovvuri <vinee...@microsoft.com>
Cc: Maciej Rabeda <maciej.rab...@linux.intel.com>
Cc: Jiaxin Wu <jiaxin...@intel.com>
Cc: Siyuan Fu <siyuan...@intel.com>
Reviewed-by: Jiewen Yao <jiewen....@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin...@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rab...@linux.intel.com>
_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits
