mTLS on bmcweb

Zhenfei Tai ztai at google.com
Fri May 1 09:39:30 AEST 2020


I did more testing and found the reason why it accepts any client
certificate.
The error is that the self-signed certificate cannot be found in the list
of trusted certificates.
Without the user-defined verify callback function, it works as expected.

#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
<https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d>

// Check if certificate is OK
int error = X509_STORE_CTX_get_error(cts);
if (error != X509_V_OK)
{
    // Returning true from the verify callback tells OpenSSL to continue the
    // handshake even though verification of this certificate failed.
    return true;
}

On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai at google.com> wrote:

> Also, with that change in http_connection.h, it still accepts any client
> certificate provided in curl.
>
> Here's what I did:
> 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
> 2. Uncommented ssl_key_handler.hpp:315 and added the
> boost::asio::ssl::verify_fail_if_no_peer_cert
>
> Behavior after change:
> 1. Rejects curl without client certificate.
> 2. Returns when client certificate matches the one authority directory.
> 3. Rejects when client sends other certificates.
>
> The change is just for testing purposes, I guess the original intention
> was not to mTLS every request.
>
> On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai at google.com> wrote:
>
>> Hi P.K.
>>
>> I tried the same thing.
>>
>> Could you share which url you tested?
>> With that change, if I access the https://${bmc}/redfish/v1 url in
>> chrome, it prompts to choose a client certificate, but will also work if no
>> certificate is chosen.
>>
>> Thanks,
>> Zhenfei
>>
>> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>
>> wrote:
>>
>>> I found a way to fix this issue, but it requires modifying the
>>> source code. In two steps:
>>>
>>> Step 1.
>>> The source code
>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in
>>> http_connection.h is replaced with
>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer |
>>> boost::asio::ssl::verify_fail_if_no_peer_cert);"
>>>
>>> Step 2.
>>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
>>>
>>> It will enforce mTLS authentication.
>>>
>>> Best,
>>> P.K.
>>>
>>> > -----Original Message-----
>>> > From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com>
>>> > Sent: Saturday, April 25, 2020 1:03 AM
>>> > To: Richard Hanley <rhanley at google.com>; Zhenfei Tai <ztai at google.com>
>>> > Cc: openbmc at lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>;
>>> > jrey at linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>; Joseph
>>> > Reynolds <jrey at linux.ibm.com>
>>> > Subject: Re: mTLS on bmcweb
>>> >
>>> >
>>> >
>>> > On 4/23/20 7:35 PM, Richard Hanley wrote:
>>> > > My guess is that somehow the root cert used to validate clients isn't
>>> > > installed correctly, and so it's defaulting to basic auth.
>>> > >
>>> > > At least that's my reading of this review
>>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
>>> > >
>>> >
>>> > I think this would be the case. If the client certificate is not
>>> > provided, the TLS connection is still established, just without
>>> > authenticating the client. This allows the upper layer to provide
>>> > other authentication methods (e.g. Basic Auth).
>>> > >
>>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com> wrote:
>>> > >
>>> > >     I guess part of my question is how to configure the mTLS certs
>>> > >     to make it work properly.
>>> > >
>>> > >     So far only https works (server side TLS).
>>> > >
>>> > >     Thanks,
>>> > >     Zhenfei
>>> > >
>>> > >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>>> > >
>>> > >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>>> > >         > Hi,
>>> > >         >
>>> > >         > I encountered the same issue when using Redfish to replace
>>> > >         > the certificate.
>>> > >         > Regardless of whether the parameters include --cert --key
>>> > >         > --cacert or only --cacert, the authentication can still succeed.
>>> > >         >
>>> > >         > Best,
>>> > >         > P.K.
>>> > >         >
>>> > >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>>> > >         >> From: Zhenfei Tai <ztai at google.com>
>>> > >         >> To: openbmc at lists.ozlabs.org
>>> > >         >> Subject: mTLS on bmcweb
>>> > >         >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
>>> > >         >> Content-Type: text/plain; charset="utf-8"
>>> > >         >>
>>> > >         >> Hi,
>>> > >         >>
>>> > >         >> I'm trying out bmcweb mTLS which should be enabled by default by
>>> > >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>>> > >         >>
>>> > >         >> In my test, I created a self signed key and certificate pair,
>>> > >         >> stacked them up into server.pem in /etc/ssl/certs/https that
>>> > >         >> bmcweb uses.
>>> > >         >>
>>> > >         >> However when I tried to curl bmcweb service, I was able to get
>>> > >         >> a response by only supplying the cert.
>>> > >         >>
>>> > >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>>> > >         >>
>>> > >         >> With the mTLS enabled, I expected it should error out since no
>>> > >         >> client certificate is provided.
>>> > >         >>
>>> >
>>> > As mentioned, if you did not provide a client certificate, the connection
>>> > was established to allow for Basic Auth. And as the Service Root requires
>>> > no authentication, you got a response.
>>> >
>>> > - Wiktor
>>> >
>>> > >         >> Could someone with relevant knowledge help with my question?
>>> > >
>>> > >         I'm not sure what you are asking.  Are you asking how to
>>> > >         install mTLS certs into the BMC and then use them to connect?
>>> > >         I am still waiting for documentation that describes how to
>>> > >         configure and use the mTLS feature.
>>> > >
>>> > >         I've added an entry to the security working group as a
>>> > >         reminder to do this.  (I don't have the skill to document this
>>> > >         feature.)
>>> > >
>>> > >         - Joseph
>>> > >
>>> > >         >>
>>> > >         >> Thanks,
>>> > >         >> Zhenfei
>>> > >
>>>
>>
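As an added example (not bmcweb's or OpenSSL's own code): a small C++ model of how the verify callback's return value and the verify_fail_if_no_peer_cert flag together decide whether a handshake completes and whether the client counts as authenticated. The constants mirror OpenSSL's values; runHandshake is an assumed, simplified stand-in for OpenSSL's verification driver (one-element chain).

```cpp
#include <functional>

// Values mirror OpenSSL's x509_vfy.h / ssl.h so this builds without OpenSSL headers.
constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;  // the error seen in the thread
constexpr unsigned VERIFY_PEER = 0x01;                      // SSL_VERIFY_PEER
constexpr unsigned VERIFY_FAIL_IF_NO_PEER_CERT = 0x02;      // SSL_VERIFY_FAIL_IF_NO_PEER_CERT

struct HandshakeResult {
    bool established;    // the TLS connection comes up
    bool authenticated;  // the callback validated a client identity
};

// What OpenSSL hands the callback for a chain element: the store's verdict and its
// error code. The callback's return value decides whether the handshake continues.
using VerifyCallback = std::function<bool(bool preverified, int error, bool& authenticated)>;

// Assumed simplified stand-in for the OpenSSL verification driver.
HandshakeResult runHandshake(unsigned mode, bool clientSentCert, int storeError,
                             const VerifyCallback& cb) {
    HandshakeResult r{false, false};
    if (!(mode & VERIFY_PEER)) {  // server never asked for a client cert
        r.established = true;
        return r;
    }
    if (!clientSentCert) {
        // No certificate arrived, so the callback is never invoked; only the
        // fail_if_no_peer_cert flag can reject the connection here.
        r.established = !(mode & VERIFY_FAIL_IF_NO_PEER_CERT);
        return r;
    }
    bool preverified = (storeError == X509_V_OK);
    r.established = cb(preverified, storeError, r.authenticated);
    return r;
}

// The shape quoted in the thread: any store error short-circuits with `return true`,
// so a certificate the trust store rejected still completes the handshake, unauthenticated.
bool permissiveCallback(bool /*preverified*/, int error, bool& authenticated) {
    if (error != X509_V_OK) {
        return true;
    }
    authenticated = true;
    return true;
}

// Stricter policy: a presented certificate that fails validation aborts the handshake.
bool strictCallback(bool preverified, int error, bool& authenticated) {
    if (!preverified || error != X509_V_OK) {
        return false;
    }
    authenticated = true;
    return true;
}
```

Note that with VERIFY_PEER alone a client that sends no certificate never reaches either callback, which is why the thread's fix pairs the callback change with verify_fail_if_no_peer_cert.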