[EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds

Thu May 7 18:14:31 AEST 2020

Hi Zbyszek, 

Just a basic question, Once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without client cert?

It will be good to document curl APIs to enable this feature and test end to end flows. 

Thanks
Neeraj

-----Original Message-----
From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org> On Behalf Of Zbyszek
Sent: Thursday, May 7, 2020 12:49 AM
To: Zhenfei Tai <ztai at google.com>
Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>
Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds

śr., 6 maj 2020 o 20:19 Zhenfei Tai <ztai at google.com> napisał(a):
>
> Hi Zbyszek,
>
> Thanks for your reply. I look forward to the official documentation.
>
> The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.

Yes, always returning true we do not break the tls handshake allowing for connection.
But user will not be authenticated anyway because its name will not be extracted from the certificate.
In such case user should receive proper http error code telling he is not authenticated.

>
> // We always return true to allow full auth flow if (!preverified) { 
> BMCWEB_LOG_DEBUG << this << " TLS preverification failed."; return 
> true; }
>
> Thanks,
> Zhenfei
>
> On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
>>
>> pt., 1 maj 2020 o 02:07 Zhenfei Tai <ztai at google.com> napisał(a):
>> >
>> > Hi,
>> >
>> > I've been testing bmcweb mTLS for a while and found the user 
>> > defined verify callback function returns true in all cases. 
>> > (https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F
>> > github.com%2Fopenbmc%2Fbmcweb%2Fblob%2Fmaster%2Fhttp%2Fhttp_connect
>> > ion.h%23L287&data=02%7C01%7Cneladk%40microsoft.com%7C8f5ff6125e
>> > db4b734c3e08d7f25b2b68%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7
>> > C637244345695157575&sdata=3E%2F%2FdxSuR5SFo9ZII%2FZAA7h6%2FDds1
>> > lHeZaCnbimciLw%3D&reserved=0)
>> >
>> > If client authentication is enabled in bmcweb, should it reject if client certificate is bad?
>>
>> No, purpose of this callback is to only extract the user name from 
>> the certificate and then allow to proceed with default OpenSSL 
>> verification flow which should finally fail if something is wrong 
>> with the certificate no matter what this function returned.
>> The 'set_verify_callback' doesn't replace the whole verification 
>> procedure, it only adds a callback that is called when the default 
>> validator checks each certificate. The 'preverified' parameter, 
>> passed to it indicates if verification of the certificate succeeded or not.
>> You should be able to see it in bmcweb logs.
>>
>> >
>> > Thanks,
>> > Zhenfei