bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
Alexander Tereschenko
aleksandr.v.tereschenko at linux.intel.com
Sat Jan 25 04:19:07 AEDT 2020
On 22-Jan-20 22:23, Joseph Reynolds wrote:
> Notes from the security working group meeting 2020-01-22:
> Highlights below; details in
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
>
> 1. Discuss BMCWeb’s site identity certificate handling, specifically
> intermediate certificates. See
> https://github.com/openbmc/bmcweb/#configuration
>
> Other web servers have directives to concatenate the intermediate
> certificates (excluding the root CA certificates) and send that. What
> does BMCWeb do?
> - What is BMCWeb's default default?
> - Need better docs, for example: How can a BMC admin replace
> theBMCWeb site cert? Is it okay to concatenate intermediate certs?
> Can we document this for BMCWeb?
As discussed during the meeting, I've looked into that and looks like
bmcweb doesn't support sending the cert chain at all right now. When
loading it expects the server's cert file to have just a private key and
certificate in a single file [1], just as we've discussed during the
meeting, and server's init code only loads those [2]. There's an API in
Boost.Asio that could allow loading a chain [3], but it's not used
anywhere, so for bmcweb to support that, a patch must be created.
HTH,
Alexander
[1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
[2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
[3]
https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
More information about the openbmc
mailing list