author: Vineel Kovvuri <vineel.kovvuri@gmail.com> 2021-10-14 17:54:50 -0700
committer: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2021-11-03 21:26:27 +0000
commit: 6f9e83f757ed7c5c78d071f475b2e72d899c2aef
tree: 5b869f599bfdeeedd2efdd4cf2887bd643cc08b4
parent: 939c2355daaf94cd7eb2018d15928b9bc471d680
NetworkPkg/HttpDxe: Enable wildcard host name matching for HTTP+TLS.

The current UEFI implementation of HTTPS during its TLS configuration uses EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the spec, what this flag does is "to disable the match of any wildcards in the host name". So, certificates which are issued with wildcards (*.dm.corp.net etc.) in them will fail the TLS host name matching. On the other hand, EFI_TLS_VERIFY_FLAG_NONE (misnomer) means "no additional flags set for hostname validation. Wildcards are supported and they match only in the left-most label." This behavior/definition is coming from openssl's X509_check_host() API:
https://www.openssl.org/docs/man1.1.0/man3/X509_check_host.html

Without EFI_TLS_VERIFY_FLAG_NONE any UEFI application using certificates issued with wildcards in them would fail to match while trying to communicate with an HTTPS endpoint.

BugZilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3691

Signed-off-by: Vineel Kovvuri <vineelko@microsoft.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

-rw-r--r-- NetworkPkg/HttpDxe/HttpsSupport.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
//
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NO_WILDCARDS;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
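
Review bot: the new VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE assignment relaxes host name matching unconditionally for every session set up through TlsConfigureSession, so a platform that wants exact-name matching has no way to keep EFI_TLS_VERIFY_FLAG_NO_WILDCARDS. Consider making the flag selectable (for example a build-time setting that defaults to the new value). Separately, the constant's name reads as if host verification were switched off, while the commit message explains it means "no additional flags" with wildcards matching only in the left-most label; a short comment at the assignment saying so, and noting that HostName is still checked against HttpInstance->RemoteHost, would keep a later reader from "fixing" it back or misjudging the security posture.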