BMCWeb policy for HTTPS site identity certificate

Ed Tanous ed at tanous.net
Wed Jul 29 12:28:08 AEST 2020


On Tue, Jul 28, 2020 at 10:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
>
>     > I'm less settled on using a certificate which is clearly expired, but it
>     > is still likely better than using a newly-generated self-signed
>     > certificate.

The original implementation just caught the
X509_V_ERR_CERT_NOT_YET_VALID error and ignored it, but your idea
would work as well.

One thing we had considered is requiring that the CERT date be at
minimum AFTER the firmware build date, under the assumption that the
build machine had a good grasp on what time it was at the time.  We
could use this for gating the upload of a new cert, but can't use it
for invalidating a cert that already exists, as we run into the
"upgrade causes denial of service" problem.


More information about the openbmc mailing list