Security Working Group meeting - this Wednesday February 19 - summary results

Patrick Williams patrick at stwcx.xyz
Fri Feb 21 03:26:33 AEDT 2020


On Wed, Feb 19, 2020 at 05:05:09PM -0600, Joseph Reynolds wrote:
> On 2/17/20 4:29 PM, Joseph Reynolds wrote:

> > 6. (Bruce via email):  BMCWeb Cert valid for 10 years -
> > https://lists.ozlabs.org/pipermail/openbmc/2020-February/020488.html 

> 
> Change BMCweb’s default self-signed cert to a maximum of 825 days. 
> Recommend 30 days.
> 
> When this is done, if BMCWeb generates a self-signed cert, and it is not
> replaced, and the BMC’s time is sane, then browsers that connect to BMCWeb
> will start to complain after 30 days.
> 
> The recovery is: The BMC admin should install a valid BMCWeb site identity
> cert, then clients can re-connect to the BMC. (This will serve the updated
> cert and make the browser happy.)
> 
> The “BMC Admin guide” should talk about installing your own cert.
> 
> See docs here: https://github.com/openbmc/bmcweb/#configuration
> 
> And code here: https://github.com/openbmc/bmcweb/blob/91243c3b28b1df66e682f5a3ee96341fdc516b5a/include/ssl_key_handler.hpp#L205
> 
> Will there be a warning for the BMC admin (that the BMCWeb site cert will
> expire soon)?  (And don’t rely on a warning from the browser itself.)

If I read this correctly, the side-effect of this proposed change is:

   - If I leave my BMC running for 30 days without it crashing, the
     certificate it presents will have become expired and no longer
     valid.

Is that true?  Can we put something into bmcweb to detect its own
certificate has expired and generate a new one?

I know self-signed certs aren't great, but the minute I have more than 6
systems I'm not going to want to follow some "BMC Admin Guide" to update
certificates by hand.  So we're effectively forcing everyone to develop
some kind of certificate management infrastructure, without providing
(or pointing to an existing) implementation.

-- 
Patrick Williams
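
An added example, not part of the thread and not bmcweb code: one way to express the expiry check, the admin warning and the regenerate decision discussed above. The sample certificates, the 7-day warning window, the subject/issuer comparison and the "clock_suspect" handling are assumptions made for illustration.

```python
import ssl

DAY = 86400

# Constructed samples in the shape of `openssl x509 -noout -subject -issuer -dates`.
SELF_SIGNED_30D = """subject=CN = bmc.example
issuer=CN = bmc.example
notBefore=Feb 19 00:00:00 2020 GMT
notAfter=Mar 20 00:00:00 2020 GMT"""
SELF_SIGNED_10Y = SELF_SIGNED_30D.replace("Mar 20 00:00:00 2020", "Feb 19 00:00:00 2030")
CA_ISSUED = SELF_SIGNED_30D.replace("issuer=CN = bmc.example", "issuer=CN = Example CA")


def parse_fields(text):
    """Split key=value lines at the first '=' (values may contain '=')."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(text, now, warn_days=7, max_days=825):
    """Classify a certificate; `now` is epoch seconds from the BMC clock.

    warn_days is an assumed warning window; max_days is the 825-day ceiling.
    """
    f = parse_fields(text)
    not_before = ssl.cert_time_to_seconds(f["notBefore"])
    not_after = ssl.cert_time_to_seconds(f["notAfter"])
    if now < not_before:
        state = "clock_suspect"  # clock behind issuance, e.g. after an RTC reset
    elif now >= not_after:
        state = "expired"
    elif not_after - now <= warn_days * DAY:
        state = "expiring"
    else:
        state = "valid"
    # Heuristic: matching subject and issuer strings, no signature check.
    self_signed = f["subject"] == f["issuer"]
    return {
        "state": state,
        "days_left": (not_after - now) // DAY,
        "over_max": not_after - not_before > max_days * DAY,
        "warn_admin": state != "valid",
        # Replace only a certificate the BMC generated itself; an expired
        # admin-installed certificate is reported, never overwritten.
        "regenerate": self_signed and state == "expired",
    }
```

With the BMC clock at epoch 0 the 30-day certificate is reported as "clock_suspect" rather than regenerated, which is the "BMC's time is sane" condition from the notes.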