Re: [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553)

Wu, Jiaxin
 

I'm surprised that my detailed and patient explanation has become poor excuses! If you think there is anything wrong with my explanation, please correct me instead of blaming me directly.

>> I think I have *repeated* several times that we are targeting to fix
>> the HostName validation issue, not the IP or email address. *But*
>> even so, the patch series for UEFI TLS also allows specifying an
>> IP as the host name for the CN or dNSName of SAN in the certificate.
>> That's why I said "if the CN or SAN in the certificate are set
>> correctly, it should be OK to pass the verification". The failure you
>> mentioned here is to set the IP in the iPAddress of SAN; I agree it's the
>> routine and suggested setting, *but* obviously, it's not the target
>> we support according to the implementation/description of
>> TlsSetVerifyHost. We are targeting the hostname verification, and
>> meanwhile staying compatible with the IP in the URI (but it needs the *correct*
>> certificate setting).

> IP addresses stored in the DNS names and CN are of course ignored by
> X509_check_ip & X509_check_ip_asc().
> I cannot coherently express how disappointed I am by this response.
>
> The current state is that EDK2 doesn't check the subject of the
> certificate at all.
Highlighting again: we do check the certificate peer name in the SAN & Subject CommonName (CN), not nothing.


> We're trying to fix that, and you have expended more effort typing in
> poor excuses for doing an incomplete job, than it would have
> taken just to get it right in the first place.
My typing is only poor excuses? I'm trying my best to explain the patch intention. I said in the previous email, "We are targeting the hostname verification, and meanwhile compatible with the IP in the URI". I also agree that your suggestion & requirement to support the IP check in the certificate is reasonable & meaningful. So, my friendly advice is to separate the issues you raised instead of mixing them up.


Thanks,
Jiaxin
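An added illustration of the two verification paths argued over in this thread; it is not EDK2 or OpenSSL code, but a small Python model of what a hostname check (X509_check_host style) and an IP check (X509_check_ip_asc style) each consult, run over constructed certificate name data.

```python
"""Added model (not EDK2/OpenSSL code) of hostname vs IP peer-name checks.
check_host mimics a hostname check: string match against dNSName SAN
entries, falling back to the subject CN when no dNSName is present.
check_ip mimics X509_check_ip_asc: parse the URI host as an IP address and
compare it against iPAddress SAN entries only. All cert data is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    cn: str = ""
    dns_names: list = field(default_factory=list)
    ip_addresses: list = field(default_factory=list)  # textual, e.g. "10.0.0.5"


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*.' replaces exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_host(cert: CertNames, host: str) -> bool:
    """Hostname-style check. An IP literal written into dNSName or CN
    matches an IP host purely as text, which is what the thread relies on."""
    candidates = cert.dns_names or ([cert.cn] if cert.cn else [])
    return any(_dns_match(p, host) for p in candidates)


def check_ip(cert: CertNames, host: str) -> bool:
    """IP-style check: host must parse as an IP and equal an iPAddress SAN
    entry; dNSName and CN are ignored entirely."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ipaddress.ip_address(ip) == target for ip in cert.ip_addresses)


def verify_peer(cert: CertNames, host: str) -> dict:
    """Run both checks for one URI host and report each result."""
    return {"host_check": check_host(cert, host), "ip_check": check_ip(cert, host)}


# Constructed examples: the IP placed in dNSName/CN versus in an iPAddress SAN.
CERT_IP_IN_DNSNAME = CertNames(cn="10.0.0.5", dns_names=["10.0.0.5"])
CERT_IP_IN_SAN_IP = CertNames(cn="server.example", dns_names=["server.example"],
                              ip_addresses=["10.0.0.5"])
```

Running `verify_peer` on both certificates with the host `10.0.0.5` shows the disagreement: the first passes only the hostname path, the second only the IP path.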
