mTLS on bmcweb

Joseph Reynolds jrey at linux.ibm.com
Fri Apr 24 01:50:05 AEST 2020


On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> Hi,
>
> I encountered the same issue when using Redfish to replace the certificate.
> Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
>
> Best,
> P.K.
>
>> Date: Wed, 22 Apr 2020 14:58:06 -0700
>> From: Zhenfei Tai <ztai at google.com>
>> To: openbmc at lists.ozlabs.org
>> Subject: mTLS on bmcweb
>> Message-ID:
>> 	<CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg at mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi,
>>
>> I'm trying out bmcweb mTLS which should be enabled by default by
>> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>>
>> In my test, I created a self-signed key and certificate pair, stacked them
>> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>>
>> However, when I tried to curl the bmcweb service, I was able to get a response by
>> only supplying the cert.
>>
>> curl --cacert cert.pem  https://${bmc}/redfish/v1
>>
>> With the mTLS enabled, I expected it should error out since no client
>> certificate is provided.
>>
>> Could someone with relevant knowledge help with my question?

I'm not sure what you are asking.  Are you asking how to install mTLS 
certs into the BMC and then use them to connect?  I am still waiting for 
documentation that describes how to configure and use the mTLS feature.

I've added an entry to the security working group as a reminder to do 
this.  (I don't have the skill to document this feature.)

- Joseph

>>
>> Thanks,
>> Zhenfei
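
Added example (not from this thread, and not bmcweb's own code): the thread does not say how bmcweb configures peer verification, but the general TLS reason a server answers a client that sent no certificate is that the server asks for a client certificate without treating its absence as an error (OpenSSL's verify_peer without fail_if_no_peer_cert; CERT_OPTIONAL in Python's ssl module) rather than requiring one (CERT_REQUIRED). The script below builds two loopback servers, one in each mode, and runs the same probe with and without a client certificate so the difference can be observed directly. It also shows the check a practitioner wants: with TLS 1.3 the "certificate required" alert arrives after the client side considers the handshake complete, so a probe must do an application-level round trip rather than stopping at the handshake. It assumes the openssl CLI is on PATH for generating throwaway self-signed certificates; all names and the echoed byte are constructed for the example.

```python
"""Constructed example: why a TLS server can answer a client that sent no
certificate.  Two loopback servers are built with the stdlib ssl module, one
with verify_mode=CERT_OPTIONAL (a client certificate is verified if offered,
but its absence is not an error) and one with CERT_REQUIRED.  The same
no-certificate client is then run against both.  Assumes the openssl CLI is
on PATH for generating throwaway self-signed certificates."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, name):
    """Generate a throwaway self-signed key/cert pair with the openssl CLI (assumed present)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", f"/CN={name}",
         "-addext", "subjectAltName=IP:127.0.0.1"],
        check=True, capture_output=True)
    return key, crt


def run_server(server_ctx, port_holder, ready):
    """Accept one loopback connection; echo one byte only if the TLS handshake completed."""
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        port_holder.append(lsock.getsockname()[1])
        ready.set()
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(1))  # reached only after a successful handshake
        except OSError:
            pass  # handshake failed, e.g. no client certificate when one is required
        finally:
            conn.close()


def probe(port, ca_crt, client_cert=None):
    """Connect as a client; 'accepted' if the server still talks to us after the handshake, else 'rejected'."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_crt)
    if client_cert is not None:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
                tls.sendall(b"x")
                # Under TLS 1.3 a missing-certificate alert arrives after the client
                # side thinks the handshake is done, so a round trip is required.
                return "accepted" if tls.recv(1) == b"x" else "rejected"
    except OSError:
        return "rejected"


def check_enforcement(mode_name):
    """Probe a server configured with ssl.<mode_name>, once without and once with a client cert."""
    verify_mode = ssl.VerifyMode[mode_name]
    with tempfile.TemporaryDirectory() as tmp:
        srv_key, srv_crt = make_self_signed(tmp, "server")
        cli_key, cli_crt = make_self_signed(tmp, "client")
        # The trust store for client certificates is the (self-signed) client cert itself.
        sctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cli_crt)
        sctx.load_cert_chain(srv_crt, srv_key)
        sctx.verify_mode = verify_mode
        results = {}
        for label, cert in (("no_client_cert", None), ("client_cert", (cli_crt, cli_key))):
            port_holder, ready = [], threading.Event()
            worker = threading.Thread(target=run_server, args=(sctx, port_holder, ready), daemon=True)
            worker.start()
            ready.wait(5)
            results[label] = probe(port_holder[0], srv_crt, cert)
            worker.join(10)
        return results


if __name__ == "__main__":
    for mode in ("CERT_OPTIONAL", "CERT_REQUIRED"):
        print(mode, check_enforcement(mode))
```

With CERT_OPTIONAL both probes report "accepted", which is the behaviour described in the thread; with CERT_REQUIRED the no-certificate probe reports "rejected". The same round-trip probe applies to a real endpoint: a curl that only passes --cacert and still receives a Redfish response tells you the server is not requiring a client certificate at the TLS layer, whatever other authentication it may apply afterwards.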
