[EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds

Zhenfei Tai ztai at google.com
Thu May 14 02:38:53 AEST 2020


Great, thanks for the update.

On Wed, May 13, 2020 at 6:24 AM Zbyszek <zbigniewku at gmail.com> wrote:

> Instruction is under review:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234
>
> On Mon, 11 May 2020 at 20:57 Neeraj Ladkani <neladk at microsoft.com>
> wrote:
> >
> >  "Oem": {
> >      "OpenBMC": {
> >          "@odata.type": "#OemAccountService.v1_0_0.AccountService",
> >          "AuthMethods": {
> >              "BasicAuth": true,
> >              "Cookie": true,
> >              "SessionToken": true,
> >              "TLS": true,
> >              "XToken": true
> >          }
> >      }
> >  }
> >
> > -----Original Message-----
> > From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org>
> On Behalf Of Neeraj Ladkani
> > Sent: Monday, May 11, 2020 11:20 AM
> > To: Zbyszek <zbigniewku at gmail.com>
> > Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>; Zhenfei Tai <
> ztai at google.com>
> > Subject: RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always
> succeeds
> >
> > I have enabled DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION in bmcweb, but I
> do not see TLSAuth/Certificates in redfish/v1/AccountService. I tried to
> upload the CA cert via bmcweb but I could not make it work (authentication
> failing).
> >
> > I could not find documentation to enable this feature. It would be great
> if someone could send steps to enable this feature.
> >
> > Neeraj
> >
> >
> > -----Original Message-----
> > From: Zbyszek <zbigniewku at gmail.com>
> > Sent: Thursday, May 7, 2020 2:10 AM
> > To: Neeraj Ladkani <neladk at microsoft.com>
> > Cc: Zhenfei Tai <ztai at google.com>; OpenBMC Maillist <
> openbmc at lists.ozlabs.org>
> > Subject: Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always
> succeeds
> >
> On Thu, 7 May 2020 at 10:14 Neeraj Ladkani <neladk at microsoft.com>
> wrote:
> > >
> > > Hi Zbyszek,
> > >
> > > Just a basic question: once bmcweb is configured with
> -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without a client cert?
> >
> >
> > Yes, it can; by default all authentication methods are enabled except TLS.
> > Which method is enabled can be checked via the Redfish service at
> > AccountService->Oem->OpenBMC->AuthMethods.
> > To change these settings send a PATCH to
> > https://{{bmc_ip}}/redfish/v1/AccountService.
> > For example, to turn TLS on use this PATCH body: {"Oem": {"OpenBMC":
> > {"AuthMethods": {"TLS": true}}}}
> >
> > I think this diagram at paragraph 'Authentication Process'
> > https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md
> > can be useful in understanding how the authentication process flow looks.
> > (Now I see that some parts of this design, like paths, require updates,
> but the diagram is valid.)
> >
> >
> > >
> > > It would be good to document the curl APIs to enable this feature and test
> end-to-end flows.
> > >
> > > Thanks
> > > Neeraj
> > >
> > > -----Original Message-----
> > > From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org>
> > > On Behalf Of Zbyszek
> > > Sent: Thursday, May 7, 2020 12:49 AM
> > > To: Zhenfei Tai <ztai at google.com>
> > > Cc: OpenBMC Maillist <openbmc at lists.ozlabs.org>
> > > Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always
> > > succeeds
> > >
> > > On Wed, 6 May 2020 at 20:19 Zhenfei Tai <ztai at google.com> wrote:
> > > >
> > > > Hi Zbyszek,
> > > >
> > > > Thanks for your reply. I look forward to the official documentation.
> > > >
> > > > The callback function returns true when preverified == false. Not
> sure why it should always return true, which accepts any client certificate.
> > >
> > > Yes, by always returning true we do not break the TLS handshake, allowing
> the connection.
> > > But the user will not be authenticated anyway because their name will not
> be extracted from the certificate.
> > > In such a case the user should receive a proper HTTP error code telling
> them they are not authenticated.
> > >
> > > >
> > > > // We always return true to allow full auth flow
> > > > if (!preverified) {
> > > >     BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
> > > >     return true;
> > > > }
> > > >
> > > > Thanks,
> > > > Zhenfei
> > > >
> > > > On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
> > > >>
> > > >> On Fri, 1 May 2020 at 02:07 Zhenfei Tai <ztai at google.com> wrote:
> > > >> >
> > > >> > Hi,
> > > >> >
> > > >> > I've been testing bmcweb mTLS for a while and found the user
> > > >> > defined verify callback function returns true in all cases.
> > > >> > (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
> > > >> >
> > > >> > If client authentication is enabled in bmcweb, should it reject if
> the client certificate is bad?
> > > >>
> > > >> No, the purpose of this callback is only to extract the user name from
> > > >> the certificate and then allow proceeding with the default OpenSSL
> > > >> verification flow, which should finally fail if something is wrong
> > > >> with the certificate no matter what this function returned.
> > > >> 'set_verify_callback' doesn't replace the whole verification
> > > >> procedure; it only adds a callback that is called when the default
> > > >> validator checks each certificate. The 'preverified' parameter
> > > >> passed to it indicates whether verification of the certificate succeeded
> or not.
> > > >> You should be able to see it in bmcweb logs.
> > > >>
> > > >> >
> > > >> > Thanks,
> > > >> > Zhenfei
>
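The end-to-end curl flow Neeraj asked for, as an added example that is not part of the thread and not bmcweb's own tooling. It follows the steps given in the thread: read AuthMethods, PATCH TLS to true, upload the CA certificate, then request the same endpoint with and without the client certificate. Assumptions, all mine rather than the thread's: the BMC address and an admin account come from the environment variables BMC_HOST, BMC_USER and BMC_PASS; the truststore upload path /redfish/v1/Managers/bmc/Truststore/Certificates is taken from bmcweb's Redfish tree as I know it, not from this thread; the client certificate's CN is an existing BMC user name; curl's -k is used because a lab BMC usually serves a self-signed HTTPS certificate; the AccountService JSON used for the offline parsing check is constructed from the fragment Neeraj pasted and is not BMC output.

```shell
#!/bin/sh
# Added example, not code from the thread or from bmcweb: end-to-end check of
# bmcweb mTLS user authentication with curl.
# Assumptions: BMC_HOST/BMC_USER/BMC_PASS name a reachable BMC and an admin
# account; the CA truststore path is assumed from bmcweb's Redfish tree; the
# client certificate's CN equals an existing BMC user name; -k is used because
# the BMC's own HTTPS certificate is typically self-signed in a lab.

# PATCH body from the thread that enables the TLS auth method.
patch_body_enable_tls() {
    printf '%s' '{"Oem": {"OpenBMC": {"AuthMethods": {"TLS": true}}}}'
}

# Print the value ("true"/"false") of one AuthMethods flag from an
# AccountService JSON document read on stdin; print nothing if it is absent.
# Plain tr+sed so it runs on a minimal host without jq.
auth_method_flag() {
    tr -d '\n ' | sed -n "s/.*\"AuthMethods\":{[^}]*\"$1\":\([a-z]*\).*/\1/p"
}

# Constructed sample (based on the fragment pasted in the thread), used for
# an offline check of auth_method_flag below; it is not real BMC output.
SAMPLE_ACCOUNT_SERVICE='{"Oem": {"OpenBMC": {
  "@odata.type": "#OemAccountService.v1_0_0.AccountService",
  "AuthMethods": {"BasicAuth": true, "Cookie": true, "SessionToken": true,
                  "TLS": false, "XToken": true}}}}'

bmc_url() { printf 'https://%s%s' "$BMC_HOST" "$1"; }

# Step 1: read the current auth methods (BasicAuth is assumed still enabled).
get_account_service() {
    curl -sk -u "$BMC_USER:$BMC_PASS" "$(bmc_url /redfish/v1/AccountService)"
}

# Step 2: enable TLS auth; the other methods keep their current values.
enable_tls_auth() {
    curl -sk -u "$BMC_USER:$BMC_PASS" -X PATCH \
        -H 'Content-Type: application/json' \
        -d "$(patch_body_enable_tls)" \
        "$(bmc_url /redfish/v1/AccountService)"
}

# Step 3: upload the CA that signed the client certificates (path assumed).
upload_ca_cert() {
    curl -sk -u "$BMC_USER:$BMC_PASS" -X POST \
        -H 'Content-Type: application/octet-stream' \
        --data-binary "@$1" \
        "$(bmc_url /redfish/v1/Managers/bmc/Truststore/Certificates)"
}

# Step 4: the same request with and without the client certificate, sending
# no other credential, so only mTLS can authenticate it.
http_status_with_cert() {   # $1 = client cert PEM, $2 = client key PEM
    curl -sk -o /dev/null -w '%{http_code}' --cert "$1" --key "$2" \
        "$(bmc_url /redfish/v1/AccountService)"
}
http_status_without_cert() {
    curl -sk -o /dev/null -w '%{http_code}' "$(bmc_url /redfish/v1/AccountService)"
}

# Offline demo of the JSON check; the network steps run only when BMC_HOST is set.
echo "sample TLS flag: $(printf '%s' "$SAMPLE_ACCOUNT_SERVICE" | auth_method_flag TLS)"
if [ -n "${BMC_HOST:-}" ]; then
    echo "TLS auth before PATCH: $(get_account_service | auth_method_flag TLS)"
    enable_tls_auth >/dev/null
    [ "$(get_account_service | auth_method_flag TLS)" = true ] || { echo 'PATCH did not take'; exit 1; }
    upload_ca_cert "${CA_CERT:-ca.pem}" >/dev/null
    echo "with client cert:    $(http_status_with_cert "${CLIENT_CERT:-client.pem}" "${CLIENT_KEY:-client.key}")"
    echo "without client cert: $(http_status_without_cert)"
fi
```

The two status codes printed at the end are the practical check behind Zbyszek's explanation: with TLS enabled and a certificate that chains to the uploaded CA and names a real user, the request succeeds with no other credential; with no certificate, or one the callback cannot map to a user, the TLS handshake still completes but the request must come back 401. A 200 with neither a certificate nor any other credential means authentication is not being enforced on that route, and that is what to investigate.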

