mTLS on bmcweb

P. K. Lee (李柏寬) P.K.Lee at quantatw.com
Thu Apr 30 23:27:08 AEST 2020


I found a way to fix this issue, but it needs the source code to be modified. In two steps:

Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with 
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"

Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)

It will enable enforced mTLS authentication.

Best,
P.K.

> -----Original Message-----
> From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com>
> Sent: Saturday, April 25, 2020 1:03 AM
> To: Richard Hanley <rhanley at google.com>; Zhenfei Tai <ztai at google.com>
> Cc: openbmc at lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>;
> jrey at linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>; Joseph
> Reynolds <jrey at linux.ibm.com>
> Subject: Re: mTLS on bmcweb
> 
> 
> 
> On 4/23/20 7:35 PM, Richard Hanley wrote:
> > My guess is that somehow the root cert used to validate clients isn't installed
> > correctly, and so it's defaulting to basic auth.
> >
> > At least that's my reading of this review
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> >
> 
> I think this would be the case. If the client certificate is not provided, TLS
> connection is still established, just without authenticating the client. This
> allows upper layer to provide other authentication methods (e.g. Basic Auth).
> >
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com> wrote:
> >
> >     I guess part of my question is how to configure the mTLS certs to make
> >     it work properly.
> >
> >     So far only https works (server side TLS).
> >
> >     Thanks,
> >     Zhenfei
> >
> >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
> >
> >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> >         > Hi,
> >         >
> >         > I encountered the same issue when using Redfish to replace the
> >         > certificate.
> >         > Regardless of whether the parameters include --cert --key
> >         > --cacert or only --cacert, the authentication can still succeed.
> >         >
> >         > Best,
> >         > P.K.
> >         >
> >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> >         >> From: Zhenfei Tai <ztai at google.com>
> >         >> To: openbmc at lists.ozlabs.org
> >         >> Subject: mTLS on bmcweb
> >         >> Message-ID:
> >         >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
> >         >> Content-Type: text/plain; charset="utf-8"
> >         >>
> >         >> Hi,
> >         >>
> >         >> I'm trying out bmcweb mTLS which should be enabled by default by
> >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> >         >>
> >         >> In my test, I created a self signed key and certificate pair, stacked them
> >         >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> >         >>
> >         >> However when I tried to curl bmcweb service, I was able to get response by
> >         >> only supplying the cert.
> >         >>
> >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
> >         >>
> >         >> With the mTLS enabled, I expected it should error out since no client
> >         >> certificate is provided.
> >         >>
> 
> As mentioned, if you did not provide a client certificate, connection was
> established to allow for Basic Auth. And as the Service Root requires no
> authentication, you got a response.
> 
> - Wiktor
> 
> >         >> Could someone with relevant knowledge help with my question?
> >
> >         I'm not sure what you are asking.  Are you asking how to install mTLS
> >         certs into the BMC and then use them to connect?  I am still waiting for
> >         documentation that describes how to configure and use the mTLS feature.
> >
> >         I've added an entry to the security working group as a reminder to do
> >         this.  (I don't have the skill to document this feature.)
> >
> >         - Joseph
> >
> >         >>
> >         >> Thanks,
> >         >> Zhenfei
> >
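The effect of the Step 1 change in the reply above, shown as an added loopback demonstration that is not code from this thread or from bmcweb: Python's ssl module maps CERT_OPTIONAL to SSL_VERIFY_PEER and CERT_REQUIRED to SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, the same OpenSSL flags behind boost::asio::ssl::verify_peer and verify_fail_if_no_peer_cert, so a server in each mode can be exercised against a client that does and does not present a certificate (the curl --cacert case versus the --cert/--key case). It assumes an openssl command-line binary on PATH to mint throwaway self-signed certificates; the loopback address, the ephemeral port, the certificate names and the echoed request string are constructed for the demo.

```python
"""Loopback demo: verify_peer vs. verify_peer | verify_fail_if_no_peer_cert.

CERT_OPTIONAL  == SSL_VERIFY_PEER                                  (bmcweb as shipped)
CERT_REQUIRED  == SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (the Step 1 patch)
Assumption: an `openssl` binary is available to generate demo certificates.
"""
import functools
import os
import socket
import ssl
import subprocess
import tempfile
import threading


@functools.lru_cache(maxsize=None)
def make_certs():
    """Create two throwaway self-signed cert/key pairs (server and client) in a temp dir."""
    workdir = tempfile.mkdtemp(prefix="mtls-demo-")
    paths = {}
    for role in ("server", "client"):
        key = os.path.join(workdir, f"{role}.key")
        cert = os.path.join(workdir, f"{role}.pem")
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", cert, "-days", "1",
             "-subj", f"/CN=mtls-demo-{role}"],   # constructed demo subject
            check=True, capture_output=True,
        )
        paths[role] = (cert, key)
    return paths


def server_context(require_client_cert):
    """Server side: CERT_OPTIONAL is the original verify_peer; CERT_REQUIRED adds fail_if_no_peer_cert."""
    certs = make_certs()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(*certs["server"])
    ctx.load_verify_locations(cafile=certs["client"][0])   # trust anchor for client certs
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx


def client_context(present_client_cert):
    """Client side: always verifies the server (curl --cacert); optionally sends a cert (--cert/--key)."""
    certs = make_certs()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # demo cert carries no SAN for 127.0.0.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=certs["server"][0])
    if present_client_cert:
        ctx.load_cert_chain(*certs["client"])
    return ctx


def _serve_one(listener, ctx):
    """Accept one connection, run the handshake, echo one message; any TLS failure just ends it."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(tls.recv(64))
    except OSError:
        pass   # handshake rejected (e.g. no client certificate) or client went away


def handshake_outcome(require_client_cert, present_client_cert):
    """Run one TLS exchange over loopback; return 'accepted' or 'rejected' as seen by the client."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one,
                              args=(listener, server_context(require_client_cert)), daemon=True)
    server.start()
    request = b"GET /redfish/v1"   # constructed payload, echoed back by the demo server
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_context(present_client_cert).wrap_socket(raw) as tls:
                tls.sendall(request)
                # With TLS 1.3 the server's "certificate required" alert may only surface here.
                return "accepted" if tls.recv(64) == request else "rejected"
    except OSError:            # ssl.SSLError and connection resets both land here
        return "rejected"
    finally:
        server.join(5)
        listener.close()


if __name__ == "__main__":
    for require, present in [(False, False), (False, True), (True, False), (True, True)]:
        mode = "verify_peer | verify_fail_if_no_peer_cert" if require else "verify_peer"
        print(f"server {mode:<44} client cert: {'yes' if present else 'no':<3} -> "
              f"{handshake_outcome(require, present)}")
```

Only the first server mode lets a certificate-less client through, which is why the service root answered a plain `curl --cacert` in the thread. The demo covers the handshake only; Step 2 (turning on the TLS auth method under AccountService) is bmcweb configuration and is not modelled here.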