bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
Joseph Reynolds
jrey at linux.ibm.com
Tue Jan 28 03:03:09 AEDT 2020
On 1/24/20 11:19 AM, Alexander Tereschenko wrote:
> On 22-Jan-20 22:23, Joseph Reynolds wrote:
>> Notes from the security working group meeting 2020-01-22:
>> Highlights below; details in
>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>
>>
>> 1. Discuss BMCWeb’s site identity certificate handling, specifically
>> intermediate certificates. See
>> https://github.com/openbmc/bmcweb/#configuration
>>
>> Other web servers have directives to concatenate the intermediate
>> certificates (excluding the root CA certificates) and send that. What
>> does BMCWeb do?
>> - What is BMCWeb's default?
>> - Need better docs, for example: How can a BMC admin replace
>> the BMCWeb site cert? Is it okay to concatenate intermediate certs?
>> Can we document this for BMCWeb?
>
> As discussed during the meeting, I've looked into that and it looks like
> bmcweb doesn't support sending the cert chain at all right now. When
> loading, it expects the server's cert file to have just a private key
> and certificate in a single file [1], just as we've discussed during
> the meeting, and the server's init code only loads those [2]. There's an
> API in Boost.Asio that could allow loading a chain [3], but it's not
> used anywhere, so for bmcweb to support that, a patch must be created.
Thank you for finding that. I think we want to add a function to BMCWeb
to be able to handle certificate chains. Would we need to enhance the
REST APIs [4] to upload server certificates as part of this work?
[4]: https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Certs
- Joseph
> HTH,
> Alexander
>
> [1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
> [2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
> [3] https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
>