mTLS on bmcweb

Wiktor Gołgowski wiktor.golgowski at linux.intel.com
Sat Apr 25 03:03:19 AEST 2020



On 4/23/20 7:35 PM, Richard Hanley wrote:
> My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth.
> 
> At least that's my reading of this review https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> 

I think this would be the case. If the client certificate is not provided, the TLS connection is 
still established, just without authenticating the client. This allows the upper layer to provide
other authentication methods (e.g. Basic Auth).
> 
> On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com <mailto:ztai at google.com>> wrote:
> 
>     I guess part of my question is how to configure the mTLS certs to make it work properly.
> 
>     So far only https works (server side TLS).
> 
>     Thanks,
>     Zhenfei
> 
>     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com <mailto:jrey at linux.ibm.com>> wrote:
> 
>         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>         > Hi,
>         >
>         > I encountered the same issue when using Redfish to replace the certificate.
>         > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
>         >
>         > Best,
>         > P.K.
>         >
>         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>         >> From: Zhenfei Tai <ztai at google.com <mailto:ztai at google.com>>
>         >> To: openbmc at lists.ozlabs.org <mailto:openbmc at lists.ozlabs.org>
>         >> Subject: mTLS on bmcweb
>         >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg at mail.gmail.com>
>         >> Content-Type: text/plain; charset="utf-8"
>         >>
>         >> Hi,
>         >>
>         >> I'm trying out bmcweb mTLS which should be enabled by default by
>         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>         >>
>         >> In my test, I created a self signed key and certificate pair, stacked them
>         >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>         >>
>         >> However when I tried to curl bmcweb service, I was able to get response by
>         >> only supplying the cert.
>         >>
>         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>         >>
>         >> With the mTLS enabled, I expected it should error out since no client
>         >> certificate is provided.
>         >>

As mentioned, if you did not provide a client certificate, the connection was still established to
allow for Basic Auth. And as the Service Root requires no authentication, you got
a response.

- Wiktor

>         >> Could someone with relevant knowledge help with my question?
> 
>         I'm not sure what you are asking.  Are you asking how to install mTLS
>         certs into the BMC and then use them to connect?  I am still waiting for
>         documentation that describes how to configure and use the mTLS feature.
> 
>         I've added an entry to the security working group as a reminder to do
>         this.  (I don't have the skill to document this feature.)
> 
>         - Joseph
> 
>         >>
>         >> Thanks,
>         >> Zhenfei
> 
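The check the thread is circling around, written up as an added example that is not part of the original message or of bmcweb itself: because bmcweb keeps the TLS session open without a client certificate and lets Basic Auth or a session token take over, and because the Redfish ServiceRoot (/redfish/v1) needs no authentication at all, `curl --cacert cert.pem https://${bmc}/redfish/v1` succeeding proves nothing about mTLS. The script below probes an endpoint that does require authentication (in Redfish the Managers collection, unlike the ServiceRoot, is a protected resource) once without and once with a client certificate, and classifies the pair of HTTP status codes. The host name, file names and the `BMC`/`CACERT`/`CLIENT_CERT`/`CLIENT_KEY` variables are placeholders I chose; the network probe only runs when `BMC` is set, so the classification logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or from bmcweb): does this BMC actually
# authenticate clients by certificate, or is it silently falling back to
# Basic Auth? Constructed names below; set BMC to a real host to run the probe.
set -eu

CACERT="${CACERT:-cert.pem}"           # CA that signed the BMC's server cert (placeholder path)
CLIENT_CERT="${CLIENT_CERT:-client.pem}"  # client certificate the BMC is supposed to trust (placeholder)
CLIENT_KEY="${CLIENT_KEY:-client.key}"    # matching private key (placeholder)
AUTH_PATH="/redfish/v1/Managers"       # protected in Redfish; /redfish/v1 is not, so do not test there

# Fetch a protected resource and print only the HTTP status code.
# Extra curl arguments (e.g. --cert/--key) are passed through unchanged.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' --cacert "$CACERT" "$@" \
        "https://$BMC$AUTH_PATH"
}

# Interpret the two codes: $1 = status without a client cert, $2 = status with one.
classify() {
    case "$1/$2" in
        401/200) echo "mtls-working-with-basicauth-fallback" ;;  # no cert: upper layer asks for creds; cert: accepted
        200/200) echo "resource-unauthenticated-or-cert-ignored" ;; # wrong endpoint, or cert auth not wired up
        401/401) echo "client-cert-not-accepted" ;;              # cert presented but server did not authenticate it
        *)       echo "unexpected:$1/$2" ;;
    esac
}

# Only talk to the network when a BMC was named; otherwise the functions are
# just defined so they can be reused or tested.
if [ -n "${BMC:-}" ]; then
    without="$(probe_status)"
    with="$(probe_status --cert "$CLIENT_CERT" --key "$CLIENT_KEY")"
    echo "without client cert: $without, with client cert: $with -> $(classify "$without" "$with")"
fi
```

Reading the verdicts: a `401` without a certificate is the expected shape of the behaviour Wiktor describes (the TLS handshake completes, the request reaches bmcweb, and the route then demands some other credential), and a `200` with the certificate is what shows the certificate itself was used for authentication. A `200`/`200` pair means you are testing an unauthenticated resource, which is exactly what happened with `/redfish/v1` in the original report.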