bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]

Alexander Tereschenko aleksandr.v.tereschenko at linux.intel.com
Sat Jan 25 04:19:07 AEDT 2020


On 22-Jan-20 22:23, Joseph Reynolds wrote:
> Notes from the security working group meeting 2020-01-22:
> Highlights below; details in 
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
>
> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
> intermediate certificates.  See 
> https://github.com/openbmc/bmcweb/#configuration 

>
> Other web servers have directives to concatenate the intermediate 
> certificates (excluding the root CA certificates) and send that. What 
> does BMCWeb do?

>  - What is BMCWeb's default default?
>  - Need better docs, for example: How can a BMC admin replace 
> theBMCWeb site cert?  Is it okay to concatenate intermediate certs? 
> Can we document this for BMCWeb?

As discussed during the meeting, I've looked into that and looks like 
bmcweb doesn't support sending the cert chain at all right now. When 
loading it expects the server's cert file to have just a private key and 
certificate in a single file [1], just as we've discussed during the 
meeting, and server's init code only loads those [2]. There's an API in 
Boost.Asio that could allow loading a chain [3], but it's not used 
anywhere, so for bmcweb to support that, a patch must be created.

HTH,
Alexander

[1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
[2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
[3] 
https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html



More information about the openbmc mailing list