bmcweb Security issue

James Feist james.feist at linux.intel.com
Thu Feb 13 09:15:11 AEDT 2020


On 2/12/20 2:10 PM, Bruce Mitchell wrote:
> So Vernon, you are saying it could easily be way shorter than 10 years or even 825 days, correct?
> 

The general advice is to not use a self-signed certificate at all. The 
fact that you're using one in the first place heavily outweighs the 
expiration period.


> -----Original Message-----
> From: Vernon Mauery [mailto:vernon.mauery at linux.intel.com]
> Sent: Wednesday, February 12, 2020 13:34
> To: Bruce Mitchell
> Cc: openbmc at lists.ozlabs.org
> Subject: Re: bmcweb Security issue
> 
> On 12-Feb-2020 05:52 PM, Bruce Mitchell wrote:
>> bmcweb Security issue: according to the CA/Browser Forum https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.7.pdf
>> Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
>>
>> In bmcweb's ssl_key_handler.hpp we have:
>>             // Cert is valid for 10 years
>>             X509_gmtime_adj(X509_get_notAfter(x509),
>>                             60L * 60L * 24L * 365L * 10L);
>>
>> I believe we want this changed to the 825 days.
> 
> Self-signed certificates are not subscriber certificates.
> 
> This is a self-signed certificate, so really that is a bigger issue than
> the length of time that it is valid for. This certificate should only be
> trusted on a direct physical connection with no other machines. It is
> there only to facilitate uploading a valid key/certificate to the BMC.
> 
> It is not intended to be used for any amount of time.
> 
> --Vernon
> 
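
An added example (not code from bmcweb or from anyone on this thread) that turns the two points above into a check a defender can run on the certificate a BMC actually serves: it parses the text printed by `openssl x509 -noout -dates -subject -issuer` (the two sample outputs below are constructed, one mirroring the 10-year bmcweb default and one mirroring a CA-issued 825-day certificate) and flags both a self-signed issuer and a validity window beyond the 825-day cap.

```python
"""Audit a certificate's validity window and issuer from openssl x509 text
output. Pure standard library; the sample inputs are constructed."""
from datetime import datetime

MAX_SUBSCRIBER_DAYS = 825               # CA/B Forum BR 1.6.7 limit cited above
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"   # openssl prints e.g. "Feb  9 22:10:00 2030 GMT"

# Constructed: what a bmcweb default (self-signed, 60*60*24*365*10 s) would print.
BMCWEB_DEFAULT = """\
notBefore=Feb 12 22:10:00 2020 GMT
notAfter=Feb  9 22:10:00 2030 GMT
subject=CN = bmc
issuer=CN = bmc
"""

# Constructed: a CA-issued certificate with exactly an 825-day window.
CA_ISSUED = """\
notBefore=Feb 12 22:10:00 2020 GMT
notAfter=May 17 22:10:00 2022 GMT
subject=CN = bmc
issuer=CN = Example Internal CA
"""


def parse_openssl_fields(text: str) -> dict:
    """Turn the 'key=value' lines of openssl x509 output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_certificate(text: str) -> dict:
    """Return the validity length in days, whether the cert is self-signed,
    and a list of findings (empty when nothing is wrong)."""
    f = parse_openssl_fields(text)
    not_before = datetime.strptime(f["notBefore"], OPENSSL_TIME)
    not_after = datetime.strptime(f["notAfter"], OPENSSL_TIME)
    validity_days = (not_after - not_before).days
    self_signed = f["subject"] == f["issuer"]   # issuer equals subject
    findings = []
    if self_signed:
        findings.append("self-signed: bootstrap only, trust just over a direct connection")
    if validity_days > MAX_SUBSCRIBER_DAYS:
        findings.append(f"validity {validity_days} days exceeds {MAX_SUBSCRIBER_DAYS}-day cap")
    return {"validity_days": validity_days, "self_signed": self_signed, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("bmcweb default", BMCWEB_DEFAULT), ("CA issued", CA_ISSUED)):
        print(name, audit_certificate(sample))
```

To run it against a live BMC, feed it the output of `openssl s_client -connect <bmc>:443 </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer`.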

