[EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds

Zbyszek zbigniewku at gmail.com
Wed May 13 23:24:25 AEST 2020


The instructions are under review:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234

Mon, 11 May 2020 at 20:57 Neeraj Ladkani <neladk at microsoft.com> wrote:
>
>     "Oem": {
>         "OpenBMC": {
>             "@odata.type": "#OemAccountService.v1_0_0.AccountService",
>             "AuthMethods": {
>                 "BasicAuth": true,
>                 "Cookie": true,
>                 "SessionToken": true,
>                 "TLS": true,
>                 "XToken": true
>             }
>         }
>
> -----Original Message-----
> From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org> On Behalf Of Neeraj Ladkani
> Sent: Monday, May 11, 2020 11:20 AM
> To: Zbyszek <zbigniewku at gmail.com>
> Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>; Zhenfei Tai <ztai at google.com>
> Subject: RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
>
> I have enabled DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION in bmcweb, but I do not see TLSAuth/Certificates in redfish/v1/AccountService. I tried to upload a CA cert via bmcweb but I could not make it work (authentication failing).
>
> I could not find documentation on enabling this feature. It would be great if someone could send the steps to enable it.
>
> Neeraj
>
>
> -----Original Message-----
> From: Zbyszek <zbigniewku at gmail.com>
> Sent: Thursday, May 7, 2020 2:10 AM
> To: Neeraj Ladkani <neladk at microsoft.com>
> Cc: Zhenfei Tai <ztai at google.com>; OpenBMC Maillist <openbmc at lists.ozlabs.org>
> Subject: Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
>
> Thu, 7 May 2020 at 10:14 Neeraj Ladkani <neladk at microsoft.com> wrote:
> >
> > Hi Zbyszek,
> >
> > Just a basic question, Once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without client cert?
>
>
> Yes it can; by default all authentication methods are enabled except TLS.
> Which methods are enabled can be checked via the Redfish service at
> AccountService->Oem->OpenBMC->AuthMethods.
> To change these settings, send a PATCH to
> https://{{bmc_ip}}/redfish/v1/AccountService.
> For example, to turn on TLS use this patch body: {"Oem": {"OpenBMC":
> {"AuthMethods": {"TLS": true}}}}
>
> I think the diagram in the paragraph 'Authentication Process' of
> https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md
> can be useful in understanding what the authentication process flow looks like.
> (Now I see that some parts of this design, like paths, require updates, but the diagram is valid.)
>
>
> >
> > It will be good to document curl APIs to enable this feature and test end to end flows.
> >
> > Thanks
> > Neeraj
> >
> > -----Original Message-----
> > From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org>
> > On Behalf Of Zbyszek
> > Sent: Thursday, May 7, 2020 12:49 AM
> > To: Zhenfei Tai <ztai at google.com>
> > Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>
> > Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always
> > succeeds
> >
> > Wed, 6 May 2020 at 20:19 Zhenfei Tai <ztai at google.com> wrote:
> > >
> > > Hi Zbyszek,
> > >
> > > Thanks for your reply. I look forward to the official documentation.
> > >
> > > The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.
> >
> > Yes, by always returning true we do not break the TLS handshake, allowing the connection.
> > But the user will not be authenticated anyway, because their name will not be extracted from the certificate.
> > In such a case the user should receive a proper HTTP error code telling them they are not authenticated.
> >
> > >
> > > // We always return true to allow full auth flow
> > > if (!preverified)
> > > {
> > >     BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
> > >     return true;
> > > }
> > >
> > > Thanks,
> > > Zhenfei
> > >
> > > On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
> > >>
> > >> Fri, 1 May 2020 at 02:07 Zhenfei Tai <ztai at google.com> wrote:
> > >> >
> > >> > Hi,
> > >> >
> > >> > I've been testing bmcweb mTLS for a while and found the user
> > >> > defined verify callback function returns true in all cases.
> > >> > (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
> > >> >
> > >> > If client authentication is enabled in bmcweb, should it reject if client certificate is bad?
> > >>
> > >> No, the purpose of this callback is only to extract the user name from
> > >> the certificate and then allow proceeding with the default OpenSSL
> > >> verification flow, which should finally fail if something is wrong
> > >> with the certificate no matter what this function returned.
> > >> 'set_verify_callback' doesn't replace the whole verification
> > >> procedure; it only adds a callback that is called when the default
> > >> validator checks each certificate. The 'preverified' parameter
> > >> passed to it indicates whether verification of the certificate succeeded or not.
> > >> You should be able to see it in the bmcweb logs.
> > >>
> > >> >
> > >> > Thanks,
> > >> > Zhenfei
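The AuthMethods check and PATCH body discussed in this thread, as an added example that is not bmcweb's or the list participants' code. It reads the OpenBMC OEM block of `/redfish/v1/AccountService` (the sample response below is constructed from the fragment quoted above), builds the PATCH body, and checks before sending whether the change would leave TLS as the only enabled method, which would lock out an administrator whose client certificate is not yet accepted. The `X-Auth-Token` header is the standard Redfish session-token header; the host, token and CA-file parameters are assumptions for illustration.

```python
"""Inspect and change OpenBMC bmcweb AuthMethods via Redfish (added example)."""
import json
import ssl
import urllib.request

# Constructed sample of the OEM part of GET /redfish/v1/AccountService,
# modelled on the fragment quoted in the thread (TLS disabled, the default).
SAMPLE_ACCOUNT_SERVICE = {
    "@odata.id": "/redfish/v1/AccountService",
    "Oem": {
        "OpenBMC": {
            "@odata.type": "#OemAccountService.v1_0_0.AccountService",
            "AuthMethods": {
                "BasicAuth": True,
                "Cookie": True,
                "SessionToken": True,
                "TLS": False,
                "XToken": True,
            },
        }
    },
}


def auth_methods(account_service):
    """Return the OpenBMC AuthMethods map (method name -> enabled) from a
    decoded AccountService response."""
    return dict(account_service["Oem"]["OpenBMC"]["AuthMethods"])


def build_auth_methods_patch(**methods):
    """Build the PATCH body from the thread. Only the keys passed are sent,
    so methods not mentioned keep their current setting on the BMC."""
    return {"Oem": {"OpenBMC": {"AuthMethods": dict(methods)}}}


def remaining_non_tls_methods(current, patch_body):
    """Methods other than TLS that stay enabled after applying patch_body.
    An empty result means the BMC would accept client certificates only;
    confirm the mTLS flow works before sending such a patch."""
    merged = dict(current)
    merged.update(patch_body["Oem"]["OpenBMC"]["AuthMethods"])
    return {name for name, on in merged.items() if on and name != "TLS"}


def redfish_request(host, method, path, token, body=None, cafile=None):
    """Send one Redfish request over HTTPS and return the decoded JSON.
    The server certificate is verified against cafile (or the system store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{host}{path}", data=data, method=method,
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")


def enable_tls_auth(host, token, cafile=None):
    """Enable the TLS auth method, refusing to leave it as the only method.
    Returns the AuthMethods map reported by the BMC after the change."""
    current = auth_methods(
        redfish_request(host, "GET", "/redfish/v1/AccountService", token, cafile=cafile)
    )
    patch_body = build_auth_methods_patch(TLS=True)
    if not remaining_non_tls_methods(current, patch_body):
        raise RuntimeError("refusing: TLS would be the only enabled auth method")
    redfish_request(host, "PATCH", "/redfish/v1/AccountService", token,
                    body=patch_body, cafile=cafile)
    return auth_methods(
        redfish_request(host, "GET", "/redfish/v1/AccountService", token, cafile=cafile)
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no BMC is contacted.
    before = auth_methods(SAMPLE_ACCOUNT_SERVICE)
    patch_body = build_auth_methods_patch(TLS=True)
    print("current:", before)
    print("patch body:", json.dumps(patch_body))
    print("still usable without a client cert:",
          sorted(remaining_non_tls_methods(before, patch_body)))
```

After the PATCH, a GET on `/redfish/v1/AccountService` should show `"TLS": true`, and a request presented with a client certificate whose CN matches a BMC user can be checked against the bmcweb debug log lines quoted above to see whether preverification passed.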