Re: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS implementation

Yao, Jiewen

Reviewed-by: Jiewen Yao <>

Since this (NetworkPkg) is separated from (CryptoPkg), I will handle those two separately.
I will only help merge 3679, and I would expect the NetworkPkg maintainer to handle 3691.

Since this impacts the security policy, after NetworkPkg maintainer review, I recommend we wait for a longer time (1~2 WW) to see if any other people have comments on this one.

Thank you
Yao Jiewen

-----Original Message-----
From: Vineel Kovvuri <>
Sent: Friday, October 15, 2021 8:55 AM
To: Rabeda, Maciej <>; Yao, Jiewen
Cc: Vineel Kovvuri <>
Subject: [PATCH] Enable wildcard host name matching in EDK2 HTTPS/TLS

The current UEFI implementation of HTTPS during its TLS configuration uses
EFI_TLS_VERIFY_FLAG_NO_WILDCARDS for host name verification. As per the
definition, what this flag does is "to disable the match of any wildcards in the host name". So,
certificates which are issued with wildcards (* etc.) in them will fail
the TLS host name matching. On the other hand,
EFI_TLS_VERIFY_FLAG_NONE (a misnomer) means "no additional flags set for
validation. Wildcards are supported and they match only in the left-most label."
This behavior/definition comes from OpenSSL's X509_check_host() API.

Without EFI_TLS_VERIFY_FLAG_NONE, any UEFI application using certificates
with wildcards in them would fail to match while trying to communicate with
an HTTPS endpoint.


Signed-off-by: Vineel Kovvuri <>
NetworkPkg/HttpDxe/HttpsSupport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c
index 7e0bf85c3c..0f28ae9447 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -625,7 +625,7 @@ TlsConfigureSession (
HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags =
+ HttpInstance->TlsConfigData.VerifyHost.Flags =
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance-
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
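Review bot: the hunk as received is truncated, so the change the commit message describes cannot be confirmed from the diff itself: both the removed and the added `HttpInstance->TlsConfigData.VerifyHost.Flags =` lines stop at the assignment, the `HostName = HttpInstance-` context line is cut off, and the `diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c` header lacks its `b/` path. Please resend with the complete lines so the switch from EFI_TLS_VERIFY_FLAG_NO_WILDCARDS to EFI_TLS_VERIFY_FLAG_NONE is visible in the patch. Because this relaxes the host name policy for every HTTPS session HttpDxe configures, the commit message should also spell out the exact semantics being enabled (the OpenSSL X509_check_host() default: a wildcard is honored only in the left-most label) so reviewers can judge the policy change rather than infer it.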


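The following is an added example, not code from EDK2 or OpenSSL, that models the host name policy the thread is discussing: with a "no wildcards" flag set, only an exact (case-insensitive) match is accepted; with no flag set, a wildcard is honored only as the entire left-most label and matches exactly one label. The flag names VERIFY_FLAG_NONE and VERIFY_FLAG_NO_WILDCARDS are hypothetical stand-ins for the EFI_TLS_VERIFY_FLAG_* values, and the matching rules are a deliberately stricter simplification of X509_check_host() (which by default also accepts partial wildcards such as "www*.example.com"); the sample names in main() are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag values for this example; not the EDK2 definitions. */
#define VERIFY_FLAG_NONE         0x00u
#define VERIFY_FLAG_NO_WILDCARDS 0x01u

/* DNS names compare case-insensitively. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dot-separated labels in s ("example.com" -> 2). */
static size_t count_labels(const char *s) {
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/*
 * Returns true when the certificate name `pattern` is acceptable for `host`.
 * Simplified model (assumption, stricter than OpenSSL's default):
 *  - exact match always wins, regardless of flags;
 *  - with VERIFY_FLAG_NO_WILDCARDS a '*' is never treated as a wildcard,
 *    so a wildcard certificate cannot match anything;
 *  - otherwise '*' is accepted only as the whole left-most label ("*.example.com"),
 *    it matches exactly one non-empty label, and at least two labels must follow
 *    it, so "*.com" is rejected.
 */
bool host_matches(const char *pattern, const char *host, unsigned flags) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return false;
    if (plen == hlen && eq_nocase(pattern, host, plen))
        return true;                              /* exact match */

    if (flags & VERIFY_FLAG_NO_WILDCARDS)
        return false;                             /* policy: wildcards disabled */
    if (strchr(pattern, '*') == NULL)
        return false;                             /* no wildcard, no exact match */

    /* The wildcard must be exactly the first label and the only '*'. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.')
        return false;
    if (strchr(pattern + 1, '*') != NULL)
        return false;
    if (strstr(pattern, "..") != NULL || pattern[plen - 1] == '.')
        return false;                             /* reject empty labels */

    const char *suffix = pattern + 1;             /* ".example.com" */
    if (count_labels(suffix + 1) < 2)
        return false;                             /* "*.com" is too broad */

    /* The host's first label must be non-empty; the rest must equal the suffix. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    size_t slen = strlen(suffix);
    if (hlen - (size_t)(dot - host) != slen)
        return false;                             /* wildcard covers one label only */
    return eq_nocase(dot, suffix, slen);
}

int main(void) {
    /* Constructed sample pairs illustrating both policies. */
    const char *pattern = "*.example.com";
    const char *hosts[] = { "www.example.com", "a.b.example.com", "example.com" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        printf("%-16s vs %-16s  NO_WILDCARDS=%d  NONE=%d\n", pattern, hosts[i],
               host_matches(pattern, hosts[i], VERIFY_FLAG_NO_WILDCARDS),
               host_matches(pattern, hosts[i], VERIFY_FLAG_NONE));
    }
    return 0;
}
```

The point for a reviewer of the patch is visible in the table the program prints: switching the flag changes the outcome only for certificates whose left-most label is "*", and even then a single label is covered, so "a.b.example.com" and the bare "example.com" stay rejected.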