On 10/16/19 11:40, David Woodhouse wrote:
> On Tue, 2019-10-15 at 19:34 +0200, Laszlo Ersek wrote:
>> Ehh, I failed to ask the actual question.
>>
>> Is it OK to call X509_VERIFY_PARAM_set1*() multiple times -- basically,
>> every time just before we call X509_verify_cert()?
>>
>> My concern is not
On Tue, 2019-10-15 at 19:34 +0200, Laszlo Ersek wrote:
> Ehh, I failed to ask the actual question.
>
> Is it OK to call X509_VERIFY_PARAM_set1*() multiple times -- basically,
> every time just before we call X509_verify_cert()?
>
> My concern is not with the crypto functionality, but whether we c
On 10/15/19 18:56, Laszlo Ersek wrote:
> On 10/15/19 15:54, Laszlo Ersek wrote:
>> On 10/15/19 13:03, David Woodhouse wrote:
>
>>> The "app callback" in my OpenConnect example is set on the SSL_CTX not
>>> the SSL object, and is called from the top-level
>>> ssl_verify_cert_chain() function *inste
On 10/15/19 17:57, David Woodhouse wrote:
> On Thu, 2019-10-10 at 20:03 +0200, Laszlo Ersek wrote:
>> (I can't test it easily myself, as I don't even know how to create a
>> server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)
>
> I had to look it up again, but here goes...
>
> $
On 10/15/19 15:54, Laszlo Ersek wrote:
> On 10/15/19 13:03, David Woodhouse wrote:
>> The "app callback" in my OpenConnect example is set on the SSL_CTX not
>> the SSL object, and is called from the top-level
>> ssl_verify_cert_chain() function *instead* of X509_verify_cert().
>>
>> It is X509_ver
On Thu, 2019-10-10 at 20:03 +0200, Laszlo Ersek wrote:
> (I can't test it easily myself, as I don't even know how to create a
> server certificate with a SAN -- any kind of SAN, let alone GEN_IP.)
I had to look it up again, but here goes...
$ cat v3.ext
subjectAltName = @alt_names
[alt_names]
DN
On Tue, 2019-10-15 at 15:54 +0200, Laszlo Ersek wrote:
> On 10/15/19 13:03, David Woodhouse wrote:
> > On Mon, 2019-10-14 at 18:15 +0200, Laszlo Ersek wrote:
> > > My understanding is that a fix purely in edk2 -- that is, without
> > > advancing our openssl submodule reference at once -- is possibl
On 10/15/19 13:03, David Woodhouse wrote:
> On Mon, 2019-10-14 at 18:15 +0200, Laszlo Ersek wrote:
>> My understanding is that a fix purely in edk2 -- that is, without
>> advancing our openssl submodule reference at once -- is possible, based
>> on your comment
>>
>> https://bugzilla.tianocore.or
On Tue, 2019-10-15 at 12:03 +0100, David Woodhouse wrote:
>
> Something like this... and instead of calling SSL_set1_host(ssl, host)
> your own code now has to call
> SSL_set_ex_data(ssl, ssl_target_idx, strdup(host));
Here's how I tested that in the OpenSSL tree in userspace, FWIW...
diff --git
On Mon, 2019-10-14 at 18:15 +0200, Laszlo Ersek wrote:
> My understanding is that a fix purely in edk2 -- that is, without
> advancing our openssl submodule reference at once -- is possible, based
> on your comment
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=960#c32
>
> Namely, edk2 comm
On Mon, 2019-10-14 at 18:15 +0200, Laszlo Ersek wrote:
> My understanding is that a fix purely in edk2 -- that is, without
> advancing our openssl submodule reference at once
Haha, I love the fact that I am hoist by my own petard on patching
OpenSSL. I evidently did such a good job of upstreaming
On 10/14/19 18:15, Laszlo Ersek wrote:
> David: another way to prevent the regression is to commit the current
> patches, but disable them with a BOOLEAN PCD, by default. (This need not
> be a feature PCD; it could even be dynamic.) Then platforms accepting
> the SAN/GEN_IP regression temporarily
On 10/11/19 18:01, David Woodhouse wrote:
> On Fri, 2019-10-11 at 17:36 +0200, Laszlo Ersek wrote:
>> On 10/11/19 13:16, David Woodhouse wrote:
>>> I first started looking at this when it was
>>> reported as such, on the list.
>>
>> I believe you. Can you somehow find that thread? I tried, but I co
On Fri, 2019-10-11 at 17:36 +0200, Laszlo Ersek wrote:
> On 10/11/19 13:16, David Woodhouse wrote:
> > I first started looking at this when it was
> > reported as such, on the list.
>
> I believe you. Can you somehow find that thread? I tried, but I couldn't
> find it. My mailbox (going back 9 yea
On 10/11/19 13:16, David Woodhouse wrote:
> On Fri, 2019-10-11 at 12:55 +0200, Laszlo Ersek wrote:
>> On 10/11/19 04:24, Wu, Jiaxin wrote:
>>> Hi Laszlo & David,
>>>
>>> I think I have *repeated* several times that we are targeting to fix the
>>> HostName validation issue, not the IP or email addr
On Fri, 2019-10-11 at 12:55 +0200, Laszlo Ersek wrote:
> On 10/11/19 04:24, Wu, Jiaxin wrote:
> > Hi Laszlo & David,
> >
> > I think I have *repeated* several times that we are targeting to fix the
> > HostName validation issue, not the IP or email address. *But* even so, the
> > series patches
thing like that. I'm only saying this patch set is good
enough for me, not that everyone should find it good enough for them.
Thanks
Laszlo
>> -----Original Message-
>> From: Laszlo Ersek
>> Sent: Friday, October 11, 2019 2:04 AM
>> To: David Woodhouse ; Wu, Ji
I'm surprised my detailed and patient explanation became poor excuses! If
you think there is anything wrong with my explanation, please correct me
instead of blaming directly.
> > I think I have *repeated* several times that we are targeting to fix
> > the HostName validation issue, not the
On Fri, 2019-10-11 at 02:24 +, Wu, Jiaxin wrote:
> Hi Laszlo & David,
>
> I think I have *repeated* several times that we are targeting to fix
> the HostName validation issue, not the IP or email address. *But*
> even so, the series patches for UEFI TLS is also allowable to
> specify IP as ho
up the HTTPS hostname verification here.
Thanks,
Jiaxin
> -Original Message-
> From: Laszlo Ersek
> Sent: Friday, October 11, 2019 2:04 AM
> To: David Woodhouse ; Wu, Jiaxin
> ; devel@edk2.groups.io; Wang, Jian J
> ; Bret Barkelew
> Cc: Richard Levitte
> Su
On 10/10/19 17:45, David Woodhouse wrote:
> On Thu, 2019-10-10 at 10:00 +0200, Laszlo Ersek wrote:
>>> Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office,
>>> OU=IPv6 cert, CN=fd33:eb1b:9b36::2
>
> Yeah, you're not actually testing the case I'm talking about. You want
> a GEN
On Thu, 2019-10-10 at 10:00 +0200, Laszlo Ersek wrote:
> > Subject: C=HU, ST=Pest, L=Budapest, O=Laszlo Ersek Home Office,
> > OU=IPv6 cert, CN=fd33:eb1b:9b36::2
Yeah, you're not actually testing the case I'm talking about. You want
a GEN_IP in the x509v3 Subject Alternative Name.
Compa
On 10/09/19 22:34, David Woodhouse wrote:
> Can you show result of 'openssl x509 -noout -text -in xx.pem' on
> your certs please.
Sure. I had thought of that actually (I could have attached the
certificates at once), but I figured, let me not share crypto stuff
unless specifically asked for :)
and David’s comments.
Jiaxin
From: David Woodhouse
Sent: Thursday, October 10, 2019 4:34 AM
To: Laszlo Ersek ; Wu, Jiaxin ;
devel@edk2.groups.io; Wang, Jian J ; Bret Barkelew
Cc: Richard Levitte
Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation
feature(CVE-2019-145
Hi Laszlo,
Thanks for the comments.
Best Regards!
Jiaxin
> -Original Message-
> From: Laszlo Ersek
> Sent: Wednesday, October 9, 2019 11:55 PM
> To: devel@edk2.groups.io; Wang, Jian J ; Wu, Jiaxin
> ; David Woodhouse ; Bret
> Barkelew
> Subject: Re: [edk2-devel] [
>
> I have not tested this, but I started looking when there was a message
> on the edk2 list from someone who was reporting that it didn't work for
> IPv6 URIs, IIRC.
>
> You are using SSL_set1_host(), and I believe you're just passing in the
> bare hostname part of the URI, be it "1.2.3.4" or "
Can you show result of 'openssl x509 -noout -text -in xx.pem' on your certs
please.
Would like to check if you really have a cert for the hostname string
"192.168.124.2" or to the IP address. They are different things.
On 9 October 2019 21:24:34 BST, Laszlo Ersek wrote:
>Hi All,
>
>(multi
Hi All,
(multi-hour composition ahead...)
On 10/09/19 09:53, David Woodhouse wrote:
> On Tue, 2019-10-08 at 06:19 +, Wu, Jiaxin wrote:
>> Hi David,
>>
>> I just realized you have the comments on Bugzilla 960:
>>
>>> "...given that testing is failing and code inspection shows it
>>> would neve
On 10/01/19 01:21, Laszlo Ersek wrote:
> On 09/29/19 08:09, Wang, Jian J wrote:
>> For this patch series,
>> 1. " Contributed-under: TianoCore Contribution Agreement 1.1" is not needed
>> any more.
>> Remove it at push time and no need to send a v2.
>> 2. Since it's security patch which had been
t; Sent: Tuesday, October 1, 2019 5:02 PM
> > To: Laszlo Ersek ; devel@edk2.groups.io; Wang,
> > Jian J
> > ; Wu, Jiaxin ; Bret
> > Barkelew
> >
> > Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName
> > validation feature(CVE-2019-14553)
>
rsek ; devel@edk2.groups.io; Wang, Jian J
> ; Wu, Jiaxin ; Bret Barkelew
>
> Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName
> validation feature(CVE-2019-14553)
>
> On Tue, 2019-10-01 at 01:21 +0200, Laszlo Ersek wrote:
> > On 09/29/19 08:09, Wang, Jian J w
On Tue, 2019-10-01 at 01:21 +0200, Laszlo Ersek wrote:
> On 09/29/19 08:09, Wang, Jian J wrote:
> > For this patch series,
> > 1. " Contributed-under: TianoCore Contribution Agreement 1.1" is not needed
> > any more.
> > Remove it at push time and no need to send a v2.
> > 2. Since it's security
l Message-
>> From: devel@edk2.groups.io On Behalf Of Wu, Jiaxin
>> Sent: Friday, September 27, 2019 11:45 AM
>> To: devel@edk2.groups.io
>> Cc: Wu, Jiaxin
>> Subject: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation
>> feature(CVE-2019-14553)
it asap if any objections.
3. Acked-by: Jian J Wang
> -Original Message-
> From: devel@edk2.groups.io On Behalf Of Wu, Jiaxin
> Sent: Friday, September 27, 2019 11:45 AM
> To: devel@edk2.groups.io
> Cc: Wu, Jiaxin
> Subject: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostN
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=960
CVE: CVE-2019-14553
The series patches are to support HTTPS hostname validation feature.
It fixes the issue exposed @
https://bugzilla.tianocore.org/show_bug.cgi?id=960.
In the patches, we add the new data type named "EfiTlsVerifyHost" and
t