mTLS on bmcweb
P. K. Lee (李柏寬)
P.K.Lee at quantatw.com
Thu Apr 23 20:47:27 AEST 2020
Hi,
I encountered the same issue when using Redfish to replace the certificate.
Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
Best,
P.K.
> Date: Wed, 22 Apr 2020 14:58:06 -0700
> From: Zhenfei Tai <ztai at google.com>
> To: openbmc at lists.ozlabs.org
> Subject: mTLS on bmcweb
> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I'm trying out bmcweb mTLS which should be enabled by default by
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>
> In my test, I created a self-signed key and certificate pair, stacked them
> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>
> However when I tried to curl bmcweb service, I was able to get a response by
> only supplying the cert.
>
> curl --cacert cert.pem https://${bmc}/redfish/v1
>
> With the mTLS enabled, I expected it should error out since no client
> certificate is provided.
>
> Could someone with relevant knowledge help with my question?
>
> Thanks,
> Zhenfei
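
One general TLS behaviour that produces the result described in this thread is a server that requests a client certificate without requiring one. The following is an added example, not code from the thread or from bmcweb, and it does not establish how bmcweb itself is configured. It assumes the `openssl` CLI is on PATH to create a constructed throwaway certificate, and all function names are hypothetical.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(d):
    # Constructed throwaway self-signed pair (assumes the openssl CLI is on PATH).
    key, cert = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return key, cert

def serve_once(listener, ctx):
    # Accept one TLS connection and answer one request; drop it if TLS fails.
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            if tls.recv(16):
                tls.sendall(b"pong")
    except OSError:
        conn.close()

def request_succeeds(server_mode, key, cert, send_client_cert):
    """Return True if a client gets a reply from a server using server_mode."""
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(cert, key)
    sctx.load_verify_locations(cert)      # trust anchor for client certificates
    sctx.verify_mode = server_mode        # CERT_OPTIONAL requests, CERT_REQUIRED demands
    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.check_hostname = False           # constructed cert carries no SAN
    cctx.load_verify_locations(cert)      # same role as curl --cacert
    if send_client_cert:
        cctx.load_cert_chain(cert, key)   # same role as curl --cert / --key
    with socket.create_server(("127.0.0.1", 0)) as listener:
        t = threading.Thread(target=serve_once, args=(listener, sctx))
        t.start()
        try:
            addr = listener.getsockname()
            with socket.create_connection(addr, timeout=5) as raw, \
                    cctx.wrap_socket(raw) as tls:
                tls.sendall(b"ping")
                return tls.recv(16) == b"pong"
        except OSError:                   # handshake alert, reset or timeout
            return False
        finally:
            t.join()

def demo():
    with tempfile.TemporaryDirectory() as d:
        key, cert = make_cert(d)
        return (request_succeeds(ssl.CERT_OPTIONAL, key, cert, False),
                request_succeeds(ssl.CERT_REQUIRED, key, cert, False),
                request_succeeds(ssl.CERT_REQUIRED, key, cert, True))
```

`demo()` returns the outcome for a server that only requests a certificate (client sends none), a server that requires one (client sends none), and a server that requires one (client sends it).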