author | Sebastian Witt <sebastian.witt@siemens.com> | 2024-06-04 14:34:39 +0200 |
---|---|---|
committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2024-06-25 21:46:50 +0000 |
commit | 84d8eb08e15e455826ef66a4b1f1f61758cb9aba (patch) | |
tree | 613ace6e716befc1ba44242c7eca72ff1ab6b14d | |
parent | 10b4bb8d6d0c515ed9663691aea3684be8f7b0fc (diff) | |
download | edk2-84d8eb08e15e455826ef66a4b1f1f61758cb9aba.tar.gz |
CryptoPkg: Add SNI extension to TLS ClientHello
Webservers hosting multiple websites require the TLS SNI
(Server Name Indication) in the ClientHello to know which certificate
to return.
The current TLS code does not include the server name in the
ClientHello handshake, which leads to failed HTTPS boots when the
server does not return the correct certificate.
This sets the SNI host name in TlsSetVerifyHost, which already receives the
host name for verification against the server certificate.
Signed-off-by: Sebastian Witt <sebastian.witt@siemens.com>
-rw-r--r-- | CryptoPkg/Library/TlsLib/TlsConfig.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index 29d24abdca..afbc583daf 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -500,6 +500,24 @@ TlsSetVerifyHost (
 return EFI_INVALID_PARAMETER;
}
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "%a:%a: SNI hostname: %a\n",
+ gEfiCallerBaseName,
+ __func__,
+ HostName
+ ));
+
+ if (!SSL_set_tlsext_host_name (TlsConn->Ssl, HostName)) {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a:%a: Could not set hostname %a for SNI\n",
+ gEfiCallerBaseName,
+ __func__,
+ HostName
+ ));
+ }
+
SSL_set_hostflags (TlsConn->Ssl, Flags);
VerifyParam = SSL_get0_param (TlsConn->Ssl);