<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">On May 1, 2020, at 07:39, Zhenfei Tai <<a href="mailto:ztai@google.com" class="">ztai@google.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">I did more testing and found the reason why it accepts any client certification.
<div class="">The error is due to the self signed certificate cannot be found in the list of trusted certificates.</div>
<div class="">Without the user defined verify callback function, it works as expected.</div>
<div class=""><br class="">
<table class="gmail-memberdecls" style="font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 14px; line-height: 19px; font-family: Roboto, sans-serif; border-spacing: 0px; padding: 0px;">
<tbody class="">
<tr class="gmail-memitem:aa4f5a3309eae833f85dff37c36fa039d">
<td class="gmail-memItemLeft" align="right" valign="top" style="background-color:rgb(249,250,252);border:none;margin:4px;padding:1px 0px 0px 8px;white-space:nowrap">
#define </td>
<td class="gmail-memItemRight" valign="bottom" style="background-color:rgb(249,250,252);border:none;margin:4px;padding:1px 0px 0px 8px;width:1338px">
<a class="el" href="https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d" style="color:rgb(70,101,162);font-weight:bold">X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT</a> 18</td>
</tr>
</tbody>
</table>
<div class=""><br class="">
</div>
<div class="">
<div style="color:rgb(212,212,212);background-color:rgb(30,30,30);font-family:Menlo,Monaco,"Courier New",monospace;font-size:12px;line-height:18px;white-space:pre" class="">
<div class=""><span style="color:rgb(106,153,85)" class="">// Check if certificate is OK</span></div>
<div class=""><span style="color:rgb(86,156,214)" class="">int</span> error = <span style="color:rgb(220,220,170)" class="">
X509_STORE_CTX_get_error</span>(cts);</div>
<div class=""><span style="color:rgb(197,134,192)" class="">if</span> (error != X509_V_OK)</div>
<div class="">{</div>
<div class=""><span style="color:rgb(197,134,192)" class="">return</span> <span style="color:rgb(86,156,214)" class="">
true</span>;</div>
<div class="">}</div>
</div>
</div>
</div>
</div>
<br class="">
</div>
</blockquote>
<div>
<div>Yes, I also thought the key is that the self-signed certificate is not in the trusted store. </div>
<div>However, the self-signed CA certificate I uploaded using the Redfish API and modify the code to another "set_verify_mode" is actually useless.</div>
</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <<a href="mailto:ztai@google.com" class="">ztai@google.com</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" class="">Also, with that change in http_connection.h, it still accepts any client certificate provided in curl.
<div class=""><br class="">
</div>
<div class="">Here's what I did:</div>
<div class="">1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION</div>
<div class="">2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert</div>
<div class=""><br class="">
</div>
<div class="">Behavior after change:</div>
<div class="">1. Rejects curl without client certificate.</div>
<div class="">2. Returns when client certificate matches the one authority directory.</div>
<div class="">3. Rejects when client sends other certificates. </div>
<div class=""><br class="">
</div>
<div class="">The change is just for testing purposes, I guess the original intention was not to mTLS every request.</div>
</div>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
<div>It works :D</div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr" class="">Hi P.K.
<div class=""><br class="">
</div>
<div class="">I tried the same thing. </div>
<div class=""><br class="">
</div>
<div class="">Could you share which url you tested?</div>
<div class="">With that change, if I access the <a href="https://${bmc}/redfish/v1" class="">
https://${bmc}/redfish/v1</a> url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen.</div>
<div class=""><br class="">
Thanks,</div>
<div class="">Zhenfei</div>
</div>
<br class="">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <<a href="mailto:P.K.Lee@quantatw.com" target="_blank" class="">P.K.Lee@quantatw.com</a>> wrote:<br class="">
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I found a way to fix this issue, but it needs to be modified to the source code. In two steps:<br class="">
<br class="">
Step 1.<br class="">
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
<br class="">
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"<br class="">
<br class="">
Step 2.<br class="">
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)<br class="">
<br class="">
It will enable enforce mTLS authentication.<br class="">
<br class="">
Best,<br class="">
P.K.<br class="">
<br class="">
> -----Original Message-----<br class="">
> From: Wiktor Gołgowski <<a href="mailto:wiktor.golgowski@linux.intel.com" target="_blank" class="">wiktor.golgowski@linux.intel.com</a>><br class="">
> Sent: Saturday, April 25, 2020 1:03 AM<br class="">
> To: Richard Hanley <<a href="mailto:rhanley@google.com" target="_blank" class="">rhanley@google.com</a>>; Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a>><br class="">
> Cc: <a href="mailto:openbmc@lists.ozlabs.org" target="_blank" class="">openbmc@lists.ozlabs.org</a>; P. K. Lee (李柏寬) <<a href="mailto:P.K.Lee@quantatw.com" target="_blank" class="">P.K.Lee@quantatw.com</a>>;<br class="">
> <a href="mailto:jrey@linux.ibm.com" target="_blank" class="">jrey@linux.ibm.com</a>; P. K. Lee (李柏寬) <<a href="mailto:P.K.Lee@quantatw.com" target="_blank" class="">P.K.Lee@quantatw.com</a>>; Joseph<br class="">
> Reynolds <<a href="mailto:jrey@linux.ibm.com" target="_blank" class="">jrey@linux.ibm.com</a>><br class="">
> Subject: Re: mTLS on bmcweb<br class="">
> <br class="">
> <br class="">
> <br class="">
> On 4/23/20 7:35 PM, Richard Hanley wrote:<br class="">
> > My guess is that somehow the root cert used to validate clients isn't installed<br class="">
> correctly, and so it's defaulting to basic auth.<br class="">
> ><br class="">
> > At least that's my reading of this review<br class="">
> > <a href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270" rel="noreferrer" target="_blank" class="">
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270</a><br class="">
> ><br class="">
> <br class="">
> I think this would be the case. If the client certificate is not provided, TLS<br class="">
> connection is still established, just without authenticating the client. This<br class="">
> allows upper layer to provide other authentication methods (e.g. Basic Auth).<br class="">
> ><br class="">
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a><br class="">
> <mailto:<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a>>> wrote:<br class="">
> ><br class="">
> > I guess part of my question is how to configure the mTLS certs to make<br class="">
> it work properly.<br class="">
> ><br class="">
> > So far only https works (server side TLS).<br class="">
> ><br class="">
> > Thanks,<br class="">
> > Zhenfei<br class="">
> ><br class="">
> > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <<a href="mailto:jrey@linux.ibm.com" target="_blank" class="">jrey@linux.ibm.com</a><br class="">
> <mailto:<a href="mailto:jrey@linux.ibm.com" target="_blank" class="">jrey@linux.ibm.com</a>>> wrote:<br class="">
> ><br class="">
> > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:<br class="">
> > > Hi,<br class="">
> > ><br class="">
> > > I encountered the same issue when using Redfish to replace the<br class="">
> certificate.<br class="">
> > > Regardless of whether the parameters include --cert --key<br class="">
> --cacert or only --cacert, the authentication can still succeed.<br class="">
> > ><br class="">
> > > Best,<br class="">
> > > P.K.<br class="">
> > ><br class="">
> > >> Date: Wed, 22 Apr 2020 14:58:06 -0700<br class="">
> > >> From: Zhenfei Tai <<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a><br class="">
> <mailto:<a href="mailto:ztai@google.com" target="_blank" class="">ztai@google.com</a>>><br class="">
> > >> To: <a href="mailto:openbmc@lists.ozlabs.org" target="_blank" class="">
openbmc@lists.ozlabs.org</a><br class="">
> <mailto:<a href="mailto:openbmc@lists.ozlabs.org" target="_blank" class="">openbmc@lists.ozlabs.org</a>><br class="">
> > >> Subject: mTLS on bmcweb<br class="">
> > >> Message-ID:<br class="">
> ><br class="">
> >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@<br class="">
> mail.g<br class="">
> > >> <a href="http://mail.com/" rel="noreferrer" target="_blank" class="">
mail.com</a> <<a href="http://mail.com/" rel="noreferrer" target="_blank" class="">http://mail.com</a>>><br class="">
> > >> Content-Type: text/plain; charset="utf-8"<br class="">
> > >><br class="">
> > >> Hi,<br class="">
> > >><br class="">
> > >> I'm trying out bmcweb mTLS which should be enabled by<br class="">
> default by<br class="">
> > >><br class="">
> <a href="https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89" rel="noreferrer" target="_blank" class="">
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89</a><br class="">
> > >><br class="">
> > >> In my test, I created a self signed key and certificate pair,<br class="">
> stacked them<br class="">
> > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.<br class="">
> > >><br class="">
> > >> However when I tried to curl bmcweb service, I was able to get<br class="">
> response by<br class="">
> > >> only supplying the cert.<br class="">
> > >><br class="">
> > >> curl --cacert cert.pem <a href="https://${bmc}/redfish/v1" class="">
https://${bmc}/redfish/v1</a><br class="">
> > >><br class="">
> > >> With the mTLS enabled, I expected it should error out since no<br class="">
> client<br class="">
> > >> certificate is provided.<br class="">
> > >><br class="">
> <br class="">
> As mentioned, if you did not provide a client certificate, connection was<br class="">
> established to allow for Basic Auth. And as the Service Root requires no<br class="">
> authentication, you got a response.<br class="">
> <br class="">
> - Wiktor<br class="">
> <br class="">
> > >> Could someone with relevant knowledge help with my<br class="">
> question?<br class="">
> ><br class="">
> > I'm not sure what you are asking. Are you asking how to install<br class="">
> mTLS<br class="">
> > certs into the BMC and then use them to connect? I am still<br class="">
> waiting for<br class="">
> > documentation that describes how to configure and use the mTLS<br class="">
> feature.<br class="">
> ><br class="">
> > I've added an entry to the security working group as a reminder to<br class="">
> do<br class="">
> > this. (I don't have the skill to document this feature.)<br class="">
> ><br class="">
> > - Joseph<br class="">
> ><br class="">
> > >><br class="">
> > >> Thanks,<br class="">
> > >> Zhenfei<br class="">
> ><br class="">
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>