mTLS on bmcweb

Richard Hanley rhanley at google.com
Fri Apr 24 03:35:55 AEST 2020


My guess is that somehow the root cert used to validate clients isn't
installed correctly, and so it's defaulting to basic auth.

At least that's my reading of this review
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270



On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com> wrote:

> I guess part of my question is how to configure the mTLS certs to make it
> work properly.
>
> So far only https works (server side TLS).
>
> Thanks,
> Zhenfei
>
> On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com>
> wrote:
>
>> On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>> > Hi,
>> >
>> > I encountered the same issue when using Redfish to replace the
>> > certificate.
>> > Regardless of whether the parameters include --cert --key --cacert or
>> > only --cacert, the authentication can still succeed.
>> >
>> > Best,
>> > P.K.
>> >
>> >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>> >> From: Zhenfei Tai <ztai at google.com>
>> >> To: openbmc at lists.ozlabs.org
>> >> Subject: mTLS on bmcweb
>> >> Message-ID:
>> >>      <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg at mail.g
>> >> mail.com>
>> >> Content-Type: text/plain; charset="utf-8"
>> >>
>> >> Hi,
>> >>
>> >> I'm trying out bmcweb mTLS which should be enabled by default by
>> >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>> >>
>> >> In my test, I created a self-signed key and certificate pair, stacked
>> >> them up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>> >>
>> >> However when I tried to curl bmcweb service, I was able to get
>> >> response by only supplying the cert.
>> >>
>> >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>> >>
>> >> With the mTLS enabled, I expected it should error out since no client
>> >> certificate is provided.
>> >>
>> >> Could someone with relevant knowledge help with my question?
>>
>> I'm not sure what you are asking.  Are you asking how to install mTLS
>> certs into the BMC and then use them to connect?  I am still waiting for
>> documentation that describes how to configure and use the mTLS feature.
>>
>> I've added an entry to the security working group as a reminder to do
>> this.  (I don't have the skill to document this feature.)
>>
>> - Joseph
>>
>> >>
>> >> Thanks,
>> >> Zhenfei
>>
>>
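An added example, not code from any message in this thread nor from bmcweb, that turns the question in the original report into a repeatable check. The curl command quoted above passes only --cacert, which tells curl which CA to trust for the server's certificate; no client certificate is presented unless --cert and --key are given. The script generates a throwaway CA plus server and client certificates with openssl, starts a loopback listener with openssl s_server, first in a mode that requires a client certificate and then in one that tolerates its absence (the TLS-level behaviour of a server that then falls back to other authentication), and in each mode checks whether an anonymous request is refused. It assumes the openssl and curl binaries are installed and that the chosen loopback port (48443 unless MTLS_DEMO_PORT is set) is free; the certificate names and the demo-* subjects are constructed for the example. One caveat for repeating the test against a BMC: the Redfish service root /redfish/v1 is readable without any authentication, so a successful GET there says nothing about whether mTLS is enforced; probe a resource that requires authentication.

```sh
#!/bin/sh
# Added example, not code from the thread or from bmcweb: check whether a TLS
# listener actually enforces client certificates. Assumes the openssl and curl
# binaries are installed and that the loopback port below is free.

WORK=${MTLS_DEMO_DIR:-$(mktemp -d)}   # throwaway certificate directory
PORT=${MTLS_DEMO_PORT:-48443}         # assumed-free loopback port
SERVER_PID=""

# Throwaway CA, plus CA-signed server and client certificates (EC P-256 keys).
make_certs() {
  mkdir -p "$WORK" || return 1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 -subj "/CN=demo-ca" \
    >/dev/null 2>&1 || return 1
  # name curl will verify the server certificate against (a SAN, so no CN fallback)
  printf 'subjectAltName=IP:127.0.0.1,DNS:localhost\n' > "$WORK/san.ext"
  for name in server client; do
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=demo-$name" \
      >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/$name.pem" \
      >/dev/null 2>&1 || return 1
  done
}

# One GET against the listener. With "with-cert" the client certificate is
# presented via --cert/--key; otherwise only --cacert is given, which (as in the
# original report) merely tells curl which CA to trust for the SERVER cert.
probe() {
  if [ "$1" = with-cert ]; then
    curl -s -o /dev/null --cacert "$WORK/ca.pem" \
      --cert "$WORK/client.pem" --key "$WORK/client.key" "https://127.0.0.1:$PORT/"
  else
    curl -s -o /dev/null --cacert "$WORK/ca.pem" "https://127.0.0.1:$PORT/"
  fi
}

stop_server() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=""
  fi
  return 0
}

# Loopback listener. "required" = -Verify (handshake fails without a client
# cert); "optional" = -verify (cert requested, but its absence is tolerated, the
# TLS-level behaviour of a server that then falls back to other authentication).
start_server() {
  stop_server
  mode=-Verify
  [ "$1" = optional ] && mode=-verify
  openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/server.pem" \
    -key "$WORK/server.key" -CAfile "$WORK/ca.pem" "$mode" 1 -www \
    >/dev/null 2>&1 &
  SERVER_PID=$!
  for _ in 1 2 3 4 5 6 7 8 9 10; do   # wait until an authenticated GET works
    probe with-cert && return 0
    sleep 1
  done
  return 1
}

# 0: anonymous client refused and certified client accepted (mTLS enforced)
# 1: anonymous client served too (NOT enforced)   2: listener/trust store broken
client_cert_enforced() {
  probe with-cert || return 2
  probe without-cert && return 1
  return 0
}

cleanup() { stop_server; rm -rf "$WORK"; }

demo() {
  make_certs || { echo "certificate generation failed"; return 2; }
  for mode in required optional; do
    if ! start_server "$mode"; then echo "listener did not start"; cleanup; return 2; fi
    client_cert_enforced; rc=$?
    case $rc in
      0) echo "$mode: anonymous client refused, client cert enforced" ;;
      1) echo "$mode: anonymous client served, client cert NOT enforced" ;;
      *) echo "$mode: even the certified client failed" ;;
    esac
  done
  cleanup
}

demo
```

Against a real BMC the same pair of probes applies: run curl once with only --cacert and once with --cert/--key added, both against a resource that requires authentication. A 401 without the client certificate and a 200 with it shows the certificate is what the server authorises; a 200 without any client certificate or other credential is the finding to chase.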