mTLS on bmcweb
Zhenfei Tai
ztai at google.com
Fri May 1 05:09:04 AEST 2020
Also, with that change in http_connection.h, it still accepts any client
certificate provided in curl.
Here's what I did:
1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
2. Uncommented ssl_key_handler.hpp:315 and added the
boost::asio::ssl::verify_fail_if_no_peer_cert
Behavior after change:
1. Rejects curl without client certificate.
2. Returns when client certificate matches the one authority directory.
3. Rejects when client sends other certificates.
The change is just for testing purposes, I guess the original intention was
not to mTLS every request.
On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai at google.com> wrote:
> Hi P.K.
>
> I tried the same thing.
>
> Could you share which url you tested?
> With that change, if I access the https://${bmc}/redfish/v1 url in
> chrome, it prompts to choose a client certificate, but will also work if no
> certificate is chosen.
>
> Thanks,
> Zhenfei
>
> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>
> wrote:
>
>> I found a way to fix this issue, but it needs to be modified to the
>> source code. In two steps:
>>
>> Step 1.
>> The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);"
>> in http_connection.h is replaced with
>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer |
>> boost::asio::ssl::verify_fail_if_no_peer_cert);"
>>
>> Step 2.
>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
>>
>> It will enable enforce mTLS authentication.
>>
>> Best,
>> P.K.
>>
>> > -----Original Message-----
>> > From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com>
>> > Sent: Saturday, April 25, 2020 1:03 AM
>> > To: Richard Hanley <rhanley at google.com>; Zhenfei Tai <ztai at google.com>
>> > Cc: openbmc at lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>;
>> > jrey at linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com>; Joseph
>> > Reynolds <jrey at linux.ibm.com>
>> > Subject: Re: mTLS on bmcweb
>> >
>> >
>> >
>> > On 4/23/20 7:35 PM, Richard Hanley wrote:
>> > > My guess is that somehow the root cert used to validate clients isn't
>> installed
>> > correctly, and so it's defaulting to basic auth.
>> > >
>> > > At least that's my reading of this review
>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
>> > >
>> >
>> > I think this would be the case. If the client certificate is not
>> provided, TLS
>> > connection is still established, just without authenticating the
>> client. This
>> > allows upper layer to provide other authentication methods (e.g. Basic
>> Auth).
>> > >
>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com
>> > <mailto:ztai at google.com>> wrote:
>> > >
>> > > I guess part of my question is how to configure the mTLS certs to
>> make
>> > it work properly.
>> > >
>> > > So far only https works (server side TLS).
>> > >
>> > > Thanks,
>> > > Zhenfei
>> > >
>> > > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <
>> jrey at linux.ibm.com
>> > <mailto:jrey at linux.ibm.com>> wrote:
>> > >
>> > > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>> > > > Hi,
>> > > >
>> > > > I encountered the same issue when using Redfish to replace
>> the
>> > certificate.
>> > > > Regardless of whether the parameters include --cert --key
>> > --cacert or only --cacert, the authentication can still succeed.
>> > > >
>> > > > Best,
>> > > > P.K.
>> > > >
>> > > >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>> > > >> From: Zhenfei Tai <ztai at google.com
>> > <mailto:ztai at google.com>>
>> > > >> To: openbmc at lists.ozlabs.org
>> > <mailto:openbmc at lists.ozlabs.org>
>> > > >> Subject: mTLS on bmcweb
>> > > >> Message-ID:
>> > >
>> > >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@
>> > mail.g
>> > > >> mail.com <http://mail.com>>
>> > > >> Content-Type: text/plain; charset="utf-8"
>> > > >>
>> > > >> Hi,
>> > > >>
>> > > >> I'm trying out bmcweb mTLS which should be enabled by
>> > default by
>> > > >>
>> > https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>> > > >>
>> > > >> In my test, I created a self signed key and certificate
>> pair,
>> > stacked them
>> > > >> up into server.pem in /etc/ssl/certs/https that bmcweb
>> uses.
>> > > >>
>> > > >> However when I tried to curl bmcweb service, I was able to
>> get
>> > response by
>> > > >> only supplying the cert.
>> > > >>
>> > > >> curl --cacert cert.pem https://${bmc}/redfish/v1
>> > > >>
>> > > >> With the mTLS enabled, I expected it should error out
>> since no
>> > client
>> > > >> certificate is provided.
>> > > >>
>> >
>> > As mentioned, if you did not provide a client certificate, connection
>> was
>> > established to allow for Basic Auth. And as the Service Root requires no
>> > authentication, you got a response.
>> >
>> > - Wiktor
>> >
>> > > >> Could someone with relevant knowledge help with my
>> > question?
>> > >
>> > > I'm not sure what you are asking. Are you asking how to
>> install
>> > mTLS
>> > > certs into the BMC and then use them to connect? I am still
>> > waiting for
>> > > documentation that describes how to configure and use the mTLS
>> > feature.
>> > >
>> > > I've added an entry to the security working group as a
>> reminder to
>> > do
>> > > this. (I don't have the skill to document this feature.)
>> > >
>> > > - Joseph
>> > >
>> > > >>
>> > > >> Thanks,
>> > > >> Zhenfei
>> > >
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200430/a05505aa/attachment-0001.htm>
More information about the openbmc
mailing list