[EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds

Zbyszek zbigniewku at gmail.com
Thu May 7 19:09:40 AEST 2020 

czw., 7 maj 2020 o 10:14 Neeraj Ladkani <neladk at microsoft.com> napisał(a):
>
> Hi Zbyszek,
>
> Just a basic question, Once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without client cert?


Yes it can, by default all authentication methods are enabled except TLS.
Which method is enabled can be checked via redfish service
AccountService->Oem->OpenBMC->AuthMethods.
To change these settings send PATCH to
https://{{bmc_ip}}/redfish/v1/AccountService.
For example to turn the tls use this patch body :  {"Oem": {"OpenBMC":
{"AuthMethods": {"TLS": true}}}}

I think this diagram at paragraph 'Authentication Process'
https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md
can be useful in understanding how the authentication process flow looks like.
(now I see that some parts of this design, like paths requires
updates, but the diagram is valid).


>
> It will be good to document curl APIs to enable this feature and test end to end flows.
>
> Thanks
> Neeraj
>
> -----Original Message-----
> From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org> On Behalf Of Zbyszek
> Sent: Thursday, May 7, 2020 12:49 AM
> To: Zhenfei Tai <ztai at google.com>
> Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>
> Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
>
> śr., 6 maj 2020 o 20:19 Zhenfei Tai <ztai at google.com> napisał(a):
> >
> > Hi Zbyszek,
> >
> > Thanks for your reply. I look forward to the official documentation.
> >
> > The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.
>
> Yes, always returning true we do not break the tls handshake allowing for connection.
> But user will not be authenticated anyway because its name will not be extracted from the certificate.
> In such case user should receive proper http error code telling he is not authenticated.
>
> >
> > // We always return true to allow full auth flow if (!preverified) {
> > BMCWEB_LOG_DEBUG << this << " TLS preverification failed."; return
> > true; }
> >
> > Thanks,
> > Zhenfei
> >
> > On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
> >>
> >> pt., 1 maj 2020 o 02:07 Zhenfei Tai <ztai at google.com> napisał(a):
> >> >
> >> > Hi,
> >> >
> >> > I've been testing bmcweb mTLS for a while and found the user
> >> > defined verify callback function returns true in all cases.
> >> > (https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> >> > github.com%2Fopenbmc%2Fbmcweb%2Fblob%2Fmaster%2Fhttp%2Fhttp_connect
> >> > ion.h%23L287&data=02%7C01%7Cneladk%40microsoft.com%7C8f5ff6125e
> >> > db4b734c3e08d7f25b2b68%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7
> >> > C637244345695157575&sdata=3E%2F%2FdxSuR5SFo9ZII%2FZAA7h6%2FDds1
> >> > lHeZaCnbimciLw%3D&reserved=0)
> >> >
> >> > If client authentication is enabled in bmcweb, should it reject if client certificate is bad?
> >>
> >> No, purpose of this callback is to only extract the user name from
> >> the certificate and then allow to proceed with default OpenSSL
> >> verification flow which should finally fail if something is wrong
> >> with the certificate no matter what this function returned.
> >> The 'set_verify_callback' doesn't replace the whole verification
> >> procedure, it only adds a callback that is called when the default
> >> validator checks each certificate. The 'preverified' parameter,
> >> passed to it indicates if verification of the certificate succeeded or not.
> >> You should be able to see it in bmcweb logs.
> >>
> >> >
> >> > Thanks,
> >> > Zhenfei

More information about the openbmc mailing list