mTLS on bmcweb

P. K. Lee (李柏寬) P.K.Lee at quantatw.com
Thu Apr 23 20:47:27 AEST 2020


Hi,

I encountered the same issue when using Redfish to replace the certificate.
Regardless of whether the parameters include --cert, --key and --cacert or only --cacert, the authentication can still succeed.

Best,
P.K.

> Date: Wed, 22 Apr 2020 14:58:06 -0700
> From: Zhenfei Tai <ztai at google.com>
> To: openbmc at lists.ozlabs.org
> Subject: mTLS on bmcweb
> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I'm trying out bmcweb mTLS which should be enabled by default by
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> 
> In my test, I created a self-signed key and certificate pair, stacked them
> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> 
> However, when I tried to curl the bmcweb service, I was able to get a response by
> only supplying the cert.
> 
> curl --cacert cert.pem  https://${bmc}/redfish/v1
> 
> With the mTLS enabled, I expected it should error out since no client
> certificate is provided.
> 
> Could someone with relevant knowledge help with my question?
> 
> Thanks,
> Zhenfei


