BMCWeb policy for HTTPS site identity certificate
Patrick Williams
patrick at stwcx.xyz
Tue Jul 28 03:32:58 AEST 2020
On Thu, Jul 23, 2020 at 10:25:40AM -0500, Joseph Reynolds wrote:
> 2. certificate is good but expired or not yet valid - Use the
> certificate and log a warning.

I suspect that "not yet valid" is a more common case than might be
assumed on the surface. I agree with the recommended action.

Many of the Facebook server designs do not have a hardware RTC available
to the BMC. We have an RTC accessible by the BIOS and we also sync with
NTP. That means there is always a period of time after we first plug in
the rack where the servers in the rack have a date that is way wrong.
It is reasonable to assume the date is just wrong and the certificate is
valid. The clients can validate a certificate which is actually out of
date.

I'm less settled on using a certificate which is clearly expired, but it
is still likely better than using a newly-generated self-signed
certificate.
--
Patrick Williams