bmcweb Security issue

Bruce Mitchell Bruce_Mitchell at
Thu Feb 13 09:10:34 AEDT 2020

So Vernon, you are saying it could easily be way shorter than 10 years or even 825 days, correct?

-----Original Message-----
From: Vernon Mauery [mailto:vernon.mauery at] 
Sent: Wednesday, February 12, 2020 13:34
To: Bruce Mitchell
Cc: openbmc at
Subject: Re: bmcweb Security issue

On 12-Feb-2020 05:52 PM, Bruce Mitchell wrote:
>bmcweb Security issue: according to the The CA/Browser Forum ;
>Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
>In bmcweb's ssl_key_handler.hpp we have:
>            // Cert is valid for 10 years
>            X509_gmtime_adj(X509_get_notAfter(x509),
>                            60L * 60L * 24L * 365L * 10L);
>I believe we want this changed to the 825 days.

Self-signed certificates are not subscriber certificates.

This is a self-signed certificate, so really that is a bigger issue than 
the length of time that it is valid for. This certificate should only be 
trusted on a direct physical connection with no other machines. It is 
there only to facilitate uploading a valid key/certificate to the BMC.

It is not intended to be used for any amount of time.


More information about the openbmc mailing list