BMCWeb policy for HTTPS site identity certificate
Bruce Mitchell
Bruce_Mitchell at phoenix.com
Tue Jul 28 01:15:18 AEST 2020
> -----Original Message-----
> From: openbmc [mailto:openbmc-bounces+bruce_mitchell=phoenix.com at lists.ozlabs.org] On Behalf Of Michael Richardson
> Sent: Sunday, July 26, 2020 13:35
> To: openbmc
> Subject: Re: BMCWeb policy for HTTPS site identity certificate
>
>
> Joseph Reynolds <jrey at linux.ibm.com> wrote:
> > Problem:
> > BMCWeb apparently treats certificates that are either expired or not valid
> > until a future date as unusable (investigation needed). And BMCWeb deletes
> > unusable certificates. This can confuse the administrator, especially
> > considering the BMC's time-of-day clock may not be set as expected.
>
> > Proposal:
> > What certificate management policy should BMCWeb use? Here is an initial
> > proposal:
> > 1. certificate is perfectly good - Use the certificate.
>
> okay.
>
> > 2. certificate is good but expired or not yet valid - Use the certificate
> > and log a warning.
>
> very good.
>
> > 3. certificate is missing or bad format or algorithm too old - Use another
> > certificate or self-generate a certificate (and log that action).
> > In no case should BMCWeb delete any certificate.
>
> I think that there is a problem in 3.
>
> "certificate is missing" is pretty much unambiguous.
> "bad format" depends a bit upon evolution of libraries.
> In particular, a new version of libssl might support some new algorithm,
> and then should the firmware be rolled back, it will be "bad format".
>
> So I suggest that the certificate+keypair is never deleted, but may be
> renamed.
> I think that we could have a debate about getting telemetry about bad
> certificates back via HTTP.
>
> I think that there are some operational considerations relating to
> determining root cause that may trump some security issues relating to
> telling bad actors whether they have succeeded in damaging a certificate.
One more thing for 3 is that the incident must be logged.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | IoT architect [
> ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
>
>
>
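The three-case policy from this thread, with the rename-instead-of-delete and always-log points from the replies, as an added example that is not part of the original messages and is not BMCWeb code. All names are hypothetical; `CertInfo` stands in for whatever the TLS library reports when loading the file, and the same rename would apply to the matching key file.

```cpp
// Added example, not BMCWeb code; every name here is hypothetical.
#include <cstdio>
#include <ctime>
#include <string>
#include <vector>

enum class CertState { Missing, Unparseable, WeakAlgorithm, OutsideValidity, Good };
enum class Action { Use, UseAndWarn, Fallback };

// Assumed input: what the TLS library reported when loading the file.
struct CertInfo {
    bool present, parsed, algorithmAccepted;
    std::time_t notBefore, notAfter;
};

struct Decision {
    Action action;
    std::string keptAs;            // where a rejected file now lives (never deleted)
    std::vector<std::string> log;  // every outcome other than "good" is logged
};

CertState classify(const CertInfo& c, std::time_t now) {
    if (!c.present) return CertState::Missing;
    if (!c.parsed) return CertState::Unparseable;
    if (!c.algorithmAccepted) return CertState::WeakAlgorithm;
    if (now < c.notBefore || now > c.notAfter) return CertState::OutsideValidity;
    return CertState::Good;
}

Decision applyPolicy(const std::string& path, const CertInfo& c, std::time_t now) {
    Decision d{Action::Use, "", {}};
    const CertState s = classify(c, now);
    if (s == CertState::OutsideValidity) {  // case 2: the BMC clock may simply be unset
        d.action = Action::UseAndWarn;
        d.log.push_back("warning: " + path + " expired or not yet valid; using it");
    } else if (s == CertState::Missing) {   // case 3, nothing on disk to preserve
        d.action = Action::Fallback;
        d.log.push_back("error: " + path + " missing; using fallback certificate");
    } else if (s != CertState::Good) {      // case 3, keep the evidence under a new name
        d.action = Action::Fallback;
        const std::string aside = path + ".rejected." + std::to_string(static_cast<long long>(now));
        // If the rename fails the file stays where it is; it is still not deleted.
        d.keptAs = (std::rename(path.c_str(), aside.c_str()) == 0) ? aside : path;
        d.log.push_back("error: " + path + " unusable, kept as " + d.keptAs + "; using fallback certificate");
    }
    return d;
}
```

Because a file that fails to parse is only renamed, a certificate that looks like "bad format" after a firmware rollback can be renamed back once the newer library is reinstalled.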