mTLS on bmcweb

Zhenfei Tai ztai at google.com
Fri May 1 04:34:05 AEST 2020


Hi P.K.

I tried the same thing.

Could you share which URL you tested?
With that change, if I access the https://${bmc}/redfish/v1 URL in Chrome,
it prompts me to choose a client certificate, but it also works if no
certificate is chosen.

Thanks,
Zhenfei

On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>
wrote:

> I found a way to fix this issue, but it requires modifying the source
> code, in two steps:
>
> Step 1.
> The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);"
> in http_connection.h is replaced with
> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer |
> boost::asio::ssl::verify_fail_if_no_peer_cert);"
>
> Step 2.
> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
>
> It will enable enforced mTLS authentication.
>
> Best,
> P.K.
>
> > -----Original Message-----
> > From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com>
> > Sent: Saturday, April 25, 2020 1:03 AM
> > To: Richard Hanley <rhanley at google.com>; Zhenfei Tai <ztai at google.com>
> > Cc: openbmc at lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>;
> > jrey at linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>; Joseph
> > Reynolds <jrey at linux.ibm.com>
> > Subject: Re: mTLS on bmcweb
> >
> >
> >
> > On 4/23/20 7:35 PM, Richard Hanley wrote:
> > > My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth.
> > >
> > > At least that's my reading of this review
> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> > >
> >
> > I think this would be the case. If the client certificate is not provided, the TLS connection is still established, just without authenticating the client. This allows the upper layer to provide other authentication methods (e.g. Basic Auth).
> > >
> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com> wrote:
> > >
> > >     I guess part of my question is how to configure the mTLS certs to make it work properly.
> > >
> > >     So far only https works (server side TLS).
> > >
> > >     Thanks,
> > >     Zhenfei
> > >
> > >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
> > >
> > >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> > >         > Hi,
> > >         >
> > >         > I encountered the same issue when using Redfish to replace the certificate.
> > >         > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
> > >         >
> > >         > Best,
> > >         > P.K.
> > >         >
> > >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> > >         >> From: Zhenfei Tai <ztai at google.com>
> > >         >> To: openbmc at lists.ozlabs.org
> > >         >> Subject: mTLS on bmcweb
> > >         >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
> > >         >> Content-Type: text/plain; charset="utf-8"
> > >         >>
> > >         >> Hi,
> > >         >>
> > >         >> I'm trying out bmcweb mTLS, which should be enabled by default by
> > >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> > >         >>
> > >         >> In my test, I created a self-signed key and certificate pair, stacked them up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> > >         >>
> > >         >> However, when I tried to curl the bmcweb service, I was able to get a response by only supplying the cert.
> > >         >>
> > >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
> > >         >>
> > >         >> With mTLS enabled, I expected it to error out since no client certificate is provided.
> > >         >>
> >
> > As mentioned, if you did not provide a client certificate, the connection was
> > established to allow for Basic Auth. And as the Service Root requires no
> > authentication, you got a response.
> >
> > - Wiktor
> >
> > >         >> Could someone with relevant knowledge help with my question?
> > >
> > >         I'm not sure what you are asking.  Are you asking how to install mTLS certs into the BMC and then use them to connect?  I am still waiting for documentation that describes how to configure and use the mTLS feature.
> > >
> > >         I've added an entry to the security working group as a reminder to do this.  (I don't have the skill to document this feature.)
> > >
> > >         - Joseph
> > >
> > >         >>
> > >         >> Thanks,
> > >         >> Zhenfei
> > >
>
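The two verify modes contrasted in P.K.'s Step 1, reproduced as an added example that is not bmcweb's or OpenBMC's code. Python's ssl module exposes the same OpenSSL flags Boost.Asio wraps: CERT_OPTIONAL is SSL_VERIFY_PEER (Asio's verify_peer) and CERT_REQUIRED is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT (verify_peer | verify_fail_if_no_peer_cert). The script mints a throwaway CA, server cert and client cert, then runs a local TLS server in each mode against a client that either does or does not present a certificate, which is the curl --cacert versus curl --cacert --cert --key distinction from the thread. The function names (make_pki, attempt_handshake, demo) and the outcome strings are this example's own; the only external dependency assumed is the openssl command-line tool on PATH, used purely to generate the test certificates.

```python
"""Added example (not bmcweb code): verify_peer vs verify_peer|verify_fail_if_no_peer_cert,
shown with Python's ssl module, whose CERT_OPTIONAL / CERT_REQUIRED map onto OpenSSL's
SSL_VERIFY_PEER and SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
Assumption: the `openssl` CLI is on PATH; it is used only to mint throwaway test certificates."""
import functools
import os
import socket
import ssl
import subprocess
import tempfile
import threading

MODES = {
    # bmcweb's setting as described in the thread: request a client cert, carry on without one
    "verify_peer": ssl.CERT_OPTIONAL,
    # P.K.'s Step 1: no client cert means the handshake fails
    "verify_peer|verify_fail_if_no_peer_cert": ssl.CERT_REQUIRED,
}


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(workdir):
    """Mint a throwaway CA plus a CA-signed server cert and client cert (constructed test data)."""
    path = lambda name: os.path.join(workdir, name)
    ec_key = ("-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes")
    _openssl("req", "-x509", *ec_key, "-days", "1", "-subj", "/CN=Throwaway test CA",
             "-keyout", path("ca.key"), "-out", path("ca.crt"))
    for name in ("server", "client"):
        _openssl("req", "-new", *ec_key, "-subj", f"/CN={name}",
                 "-keyout", path(f"{name}.key"), "-out", path(f"{name}.csr"))
        _openssl("x509", "-req", "-days", "1", "-in", path(f"{name}.csr"),
                 "-CA", path("ca.crt"), "-CAkey", path("ca.key"), "-CAcreateserial",
                 "-out", path(f"{name}.crt"))
    return {n: path(n) for n in ("ca.crt", "server.key", "server.crt", "client.key", "client.crt")}


def attempt_handshake(pki, verify_mode, present_client_cert):
    """One TLS connection to a local server; returns (what the server saw, what the client got)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(pki["server.crt"], pki["server.key"])
    srv.load_verify_locations(pki["ca.crt"])  # CA that client certs must chain to
    srv.verify_mode = verify_mode

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(pki["ca.crt"])  # the curl --cacert side
    cli.check_hostname = False                 # throwaway server cert carries no SAN
    if present_client_cert:                    # the curl --cert/--key side
        cli.load_cert_chain(pki["client.crt"], pki["client.key"])

    listener = socket.create_server(("127.0.0.1", 0))
    listener.settimeout(5)
    port = listener.getsockname()[1]
    view = {}

    def serve():
        try:
            raw, _ = listener.accept()
        finally:
            listener.close()
        raw.settimeout(5)
        try:
            with srv.wrap_socket(raw, server_side=True) as tls:
                peer = tls.getpeercert()       # empty when the client sent no certificate
                if peer:
                    cn = dict(rdn[0] for rdn in peer["subject"])["commonName"]
                    view["server"] = f"client cert verified: CN={cn}"
                else:
                    view["server"] = "no client cert, connection allowed"
                tls.sendall(view["server"].encode())
        except ssl.SSLError:
            view["server"] = "handshake rejected"
        finally:
            raw.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli.wrap_socket(raw) as tls:
                # Under TLS 1.3 a server-side rejection only surfaces on the first read.
                data = tls.recv(256)
                view["client"] = data.decode() if data else "refused"
    except OSError:                            # SSLError (alert) or connection reset
        view["client"] = "refused"
    worker.join()
    return view.get("server", "no connection"), view["client"]


@functools.lru_cache(maxsize=None)
def demo():
    """All four combinations: {(mode_name, client_has_cert): (server_view, client_view)}."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        return {(name, mode_has_cert): attempt_handshake(pki, mode, mode_has_cert)
                for name, mode in MODES.items() for mode_has_cert in (False, True)}


if __name__ == "__main__":
    for (mode, has_cert), (server_view, client_view) in demo().items():
        print(f"{mode:42} client cert: {str(has_cert):5}  server: {server_view:34}  client: {client_view}")
```

Only the TLS layer is modelled here; what Wiktor describes happens above it: with verify_peer alone the anonymous connection is handed to the HTTP layer, which can still accept Basic Auth, and the Service Root needs no authentication at all, so `curl --cacert` on /redfish/v1 returning 200 proves nothing about mTLS. When checking a real BMC, request a route that requires a login rather than the Service Root, and compare the status code with and without --cert/--key.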