CryptoPkg: Add SNI extension to TLS ClientHello

Webservers hosting multiple websites require the TLS SNI
(Server Name Indication) in the ClientHello to know which certificate
to return.
The current TLS code does not include the server name in the
ClientHello handshake, which leads to failed HTTPS boots when the
server does not return the correct certificate.

This sets the host name for SNI in TlsSetVerifyHost, which receives the
host name also for verification against the certificates.

Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
Sebastian Witt 2024-06-04 14:34:39 +02:00 committed by mergify[bot]
parent 10b4bb8d6d
commit 84d8eb08e1


@ -500,6 +500,24 @@ TlsSetVerifyHost (
return EFI_INVALID_PARAMETER;
}
DEBUG ((
DEBUG_VERBOSE,
"%a:%a: SNI hostname: %a\n",
gEfiCallerBaseName,
__func__,
HostName
));
if (!SSL_set_tlsext_host_name (TlsConn->Ssl, HostName)) {
DEBUG ((
DEBUG_ERROR,
"%a:%a: Could not set hostname %a for SNI\n",
gEfiCallerBaseName,
__func__,
HostName
));
}
SSL_set_hostflags (TlsConn->Ssl, Flags);
VerifyParam = SSL_get0_param (TlsConn->Ssl);
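Review bot: the failure branch of SSL_set_tlsext_host_name only emits a DEBUG_ERROR and then falls through to SSL_set_hostflags and SSL_get0_param, so a connection whose ClientHello will carry no SNI proceeds as if the call had succeeded; consider returning an error status in that branch (for example EFI_ABORTED) so the caller can fail the HTTPS boot early instead of seeing the certificate mismatch this commit is meant to fix. Also worth a comment at the call site: HostName is passed unchanged, and RFC 6066 forbids sending an IP-address literal as the SNI host_name, so if callers can pass a literal address for verification, the SNI call should be skipped in that case while the hostname verification parameters below are still applied.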