I'm surprised my detailed and patient explanation became poor excuses! If you think there is anything wrong with my explanation, please correct me instead of blaming directly.

> > I think I have *repeated* several times that we are targeting to fix
> > the HostName validation issue, not the IP or email address. *But*
> > even so, the series patches for UEFI TLS is also allowable to
> > specify IP as host name for CN or dNSName of SAN in the certificate.
> > That's why I said "if the CN or SAN in the certificate are set
> > correctly, it should be OK to pass the verification". The failure you
> > mentioned here is to set the IP in iPAddress of SAN, I agree it's the
> > routine and suggested setting, *but* obviously, it's not the target
> > we are supported according to the implementation/description of
> > TlsSetVerifyHost. We are targeting to the hostname verification, and
> > meanwhile compatible with the IP in the URI (But need the *correct*
> > certificate setting).
> >
> > IP addresses stored in the DNS names and CN are of course ignored by
> > X509_check_ip & X509_check_ip_asc().
>
> I cannot coherently express how disappointed I am by this response.
>
> The current state is that EDK2 doesn't check the subject of the
> certificate at all.

Highlight again: we do check the certificate peername in SAN & Subject CommonName (CN) instead of nothing.

> We're trying to fix that, and you have expended more effort typing in
> poor excuses for doing an incomplete job, than the typing it would have
> taken just to get it right in the first place.

My typing is only poor excuses? I'm trying my best to explain the patch intention. I said in the previous email, "We are targeting to the hostname verification, and meanwhile compatible with the IP in the URI". I also agree your suggestion & requirement are reasonable & meaningful to support the IP check in the certificate. So, my friendly advice is to separate the issues you raised instead of mixing them up.

Thanks,
Jiaxin