mTLS on bmcweb
P. K. Lee (李柏寬)
P.K.Lee at quantatw.com
Thu Apr 30 23:27:08 AEST 2020
I found a way to fix this issue, but it requires modifying the source code. In two steps:
Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"
Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set (it is false by default).
This will enforce mTLS authentication.
Best,
P.K.
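As an added illustration (not code from bmcweb, and not written by anyone in this thread): a Go model of the two verify modes in P.K.'s Step 1. Go's tls.VerifyClientCertIfGiven behaves like OpenSSL's SSL_VERIFY_PEER alone (Boost's verify_peer): the server requests a client certificate, validates one if presented, but completes the handshake when none arrives, which leaves the decision to whatever authentication the HTTP layer does next. tls.RequireAndVerifyClientCert adds the equivalent of SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so a connection without a client certificate never reaches the HTTP layer. The handler also models the point Wiktor makes in the quoted discussion: the service root is unauthenticated, so probing /redfish/v1 cannot distinguish the two modes; a protected path is needed. The PKI (root, server leaf, client leaf), the path names and the plain 401 fallback are constructed for this example and are assumptions, not bmcweb's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue makes a P-256 key and a cert for tmpl signed by parent (self-signed when nil); panics on error (demo code).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newPKI builds the hierarchy constructed for this example: one root signing a BMC server cert and one client cert.
func newPKI() (server, client tls.Certificate, roots *x509.CertPool) {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "example root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "bmc"}, KeyUsage: x509.KeyUsageDigitalSignature,
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	cli, cliKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "operator"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}, roots
}

// startServer serves HTTPS under the given client-auth policy. The handler models bmcweb's upper layer
// as the thread describes it: the service root is open; other paths answer 401 when no client cert was presented.
func startServer(server tls.Certificate, roots *x509.CertPool, policy tls.ClientAuthType) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/redfish/v1" && len(r.TLS.PeerCertificates) == 0 {
			w.WriteHeader(http.StatusUnauthorized) // bmcweb would instead try Basic Auth or a session here
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: policy, ClientCAs: roots}
	srv.StartTLS()
	return srv
}

// probe GETs path, presenting clientCert if non-nil; returns the HTTP status, or 0 if the server rejected the TLS connection.
func probe(srv *httptest.Server, roots *x509.CertPool, clientCert *tls.Certificate, path string) int {
	cfg := &tls.Config{RootCAs: roots}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(srv.URL + path)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// outcomes returns statuses for [service root, no cert], [protected path, no cert], [protected path, with cert].
func outcomes(policy tls.ClientAuthType) [3]int {
	server, client, roots := newPKI()
	srv := startServer(server, roots, policy)
	defer srv.Close()
	return [3]int{probe(srv, roots, nil, "/redfish/v1"), probe(srv, roots, nil, "/redfish/v1/AccountService"),
		probe(srv, roots, &client, "/redfish/v1/AccountService")}
}

func main() {
	// VerifyClientCertIfGiven is verify_peer alone; RequireAndVerifyClientCert adds verify_fail_if_no_peer_cert.
	fmt.Println("verify_peer                            :", outcomes(tls.VerifyClientCertIfGiven))
	fmt.Println("verify_peer|verify_fail_if_no_peer_cert:", outcomes(tls.RequireAndVerifyClientCert))
}
```

With verify_peer alone the no-cert request to the service root and to the protected path both reach the HTTP layer (200 and 401 here; on a real bmcweb the 401 is where Basic Auth or a session would be checked instead), which is exactly why the curl test in the thread looked like mTLS was not enforced. With the stricter mode the same two requests fail at the handshake and only the request carrying the client certificate gets through. The corresponding check against a real BMC is to curl a resource that requires authentication, once with --cacert only and once with --cert and --key added, and expect the first to fail at the TLS layer rather than with an HTTP 401.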
> -----Original Message-----
> From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com>
> Sent: Saturday, April 25, 2020 1:03 AM
> To: Richard Hanley <rhanley at google.com>; Zhenfei Tai <ztai at google.com>
> Cc: openbmc at lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>;
> jrey at linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>; Joseph
> Reynolds <jrey at linux.ibm.com>
> Subject: Re: mTLS on bmcweb
>
>
>
> On 4/23/20 7:35 PM, Richard Hanley wrote:
> > My guess is that somehow the root cert used to validate clients isn't installed
> > correctly, and so it's defaulting to basic auth.
> >
> > At least that's my reading of this review
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> >
>
> I think this would be the case. If the client certificate is not provided, TLS
> connection is still established, just without authenticating the client. This
> allows upper layer to provide other authentication methods (e.g. Basic Auth).
> >
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com> wrote:
> >
> > I guess part of my question is how to configure the mTLS certs to make
> > it work properly.
> >
> > So far only https works (server side TLS).
> >
> > Thanks,
> > Zhenfei
> >
> > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
> >
> > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> > > Hi,
> > >
> > > I encountered the same issue when using Redfish to replace the
> > > certificate.
> > > Regardless of whether the parameters include --cert --key
> > > --cacert or only --cacert, the authentication can still succeed.
> > >
> > > Best,
> > > P.K.
> > >
> > >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> > >> From: Zhenfei Tai <ztai at google.com>
> > >> To: openbmc at lists.ozlabs.org
> > >> Subject: mTLS on bmcweb
> > >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
> > >> Content-Type: text/plain; charset="utf-8"
> > >>
> > >> Hi,
> > >>
> > >> I'm trying out bmcweb mTLS which should be enabled by default by
> > >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> > >>
> > >> In my test, I created a self-signed key and certificate pair, stacked them
> > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> > >>
> > >> However when I tried to curl bmcweb service, I was able to get a response by
> > >> only supplying the cert.
> > >>
> > >> curl --cacert cert.pem https://${bmc}/redfish/v1
> > >>
> > >> With the mTLS enabled, I expected it should error out since no client
> > >> certificate is provided.
> > >>
>
> As mentioned, if you did not provide a client certificate, connection was
> established to allow for Basic Auth. And as the Service Root requires no
> authentication, you got a response.
>
> - Wiktor
>
> > >> Could someone with relevant knowledge help with my
> > >> question?
> >
> > I'm not sure what you are asking. Are you asking how to install mTLS
> > certs into the BMC and then use them to connect? I am still waiting for
> > documentation that describes how to configure and use the mTLS feature.
> >
> > I've added an entry to the security working group as a reminder to do
> > this. (I don't have the skill to document this feature.)
> >
> > - Joseph
> >
> > >>
> > >> Thanks,
> > >> Zhenfei
> >