mTLS on bmcweb

P. K. Lee (李柏寬) P.K.Lee at quantatw.com
Mon May 4 12:27:06 AEST 2020


On May 1, 2020, at 07:39, Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>> wrote:

I did more testing and found the reason why it accepts any client certification.
The error is due to the self signed certificate cannot be found in the list of trusted certificates.
Without the user defined verify callback function, it works as expected.

#define         X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT<https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d>   18

// Check if certificate is OK
int error = X509_STORE_CTX_get_error(cts);
if (error != X509_V_OK)
{
return true;
}

Yes, I also thought the key is that the self-signed certificate is not in the trusted store.
However, the self-signed CA certificate I uploaded using the Redfish API and modify the code to another "set_verify_mode" is actually useless.

On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>> wrote:
Also, with that change in http_connection.h, it still accepts any client certificate provided in curl.

Here's what I did:
1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert

Behavior after change:
1. Rejects curl without client certificate.
2. Returns when client certificate matches the one authority directory.
3. Rejects when client sends other certificates.

The change is just for testing purposes, I guess the original intention was not to mTLS every request.

It works :D

On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>> wrote:
Hi P.K.

I tried the same thing.

Could you share which url you tested?
With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen.

Thanks,
Zhenfei

On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee at quantatw.com<mailto:P.K.Lee at quantatw.com>> wrote:
I found a way to fix this issue, but it needs to be modified to the source code. In two steps:

Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"

Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)

It will enable enforce mTLS authentication.

Best,
P.K.

> -----Original Message-----
> From: Wiktor Gołgowski <wiktor.golgowski at linux.intel.com<mailto:wiktor.golgowski at linux.intel.com>>
> Sent: Saturday, April 25, 2020 1:03 AM
> To: Richard Hanley <rhanley at google.com<mailto:rhanley at google.com>>; Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>>
> Cc: openbmc at lists.ozlabs.org<mailto:openbmc at lists.ozlabs.org>; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com<mailto:P.K.Lee at quantatw.com>>;
> jrey at linux.ibm.com<mailto:jrey at linux.ibm.com>; P. K. Lee (李柏寬) <P.K.Lee at quantatw.com<mailto:P.K.Lee at quantatw.com>>; Joseph
> Reynolds <jrey at linux.ibm.com<mailto:jrey at linux.ibm.com>>
> Subject: Re: mTLS on bmcweb
>
>
>
> On 4/23/20 7:35 PM, Richard Hanley wrote:
> > My guess is that somehow the root cert used to validate clients isn't installed
> correctly, and so it's defaulting to basic auth.
> >
> > At least that's my reading of this review
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> >
>
> I think this would be the case. If the client certificate is not provided, TLS
> connection is still established, just without authenticating the client. This
> allows upper layer to provide other authentication methods (e.g. Basic Auth).
> >
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>
> <mailto:ztai at google.com<mailto:ztai at google.com>>> wrote:
> >
> >     I guess part of my question is how to configure the mTLS certs to make
> it work properly.
> >
> >     So far only https works (server side TLS).
> >
> >     Thanks,
> >     Zhenfei
> >
> >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey at linux.ibm.com<mailto:jrey at linux.ibm.com>
> <mailto:jrey at linux.ibm.com<mailto:jrey at linux.ibm.com>>> wrote:
> >
> >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> >         > Hi,
> >         >
> >         > I encountered the same issue when using Redfish to replace the
> certificate.
> >         > Regardless of whether the parameters include --cert --key
> --cacert or only --cacert, the authentication can still succeed.
> >         >
> >         > Best,
> >         > P.K.
> >         >
> >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> >         >> From: Zhenfei Tai <ztai at google.com<mailto:ztai at google.com>
> <mailto:ztai at google.com<mailto:ztai at google.com>>>
> >         >> To: openbmc at lists.ozlabs.org<mailto:openbmc at lists.ozlabs.org>
> <mailto:openbmc at lists.ozlabs.org<mailto:openbmc at lists.ozlabs.org>>
> >         >> Subject: mTLS on bmcweb
> >         >> Message-ID:
> >
> >>      <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@
> mail.g
> >         >> mail.com<http://mail.com/> <http://mail.com<http://mail.com/>>>
> >         >> Content-Type: text/plain; charset="utf-8"
> >         >>
> >         >> Hi,
> >         >>
> >         >> I'm trying out bmcweb mTLS which should be enabled by
> default by
> >         >>
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> >         >>
> >         >> In my test, I created a self signed key and certificate pair,
> stacked them
> >         >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> >         >>
> >         >> However when I tried to curl bmcweb service, I was able to get
> response by
> >         >> only supplying the cert.
> >         >>
> >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
> >         >>
> >         >> With the mTLS enabled, I expected it should error out since no
> client
> >         >> certificate is provided.
> >         >>
>
> As mentioned, if you did not provide a client certificate, connection was
> established to allow for Basic Auth. And as the Service Root requires no
> authentication, you got a response.
>
> - Wiktor
>
> >         >> Could someone with relevant knowledge help with my
> question?
> >
> >         I'm not sure what you are asking.  Are you asking how to install
> mTLS
> >         certs into the BMC and then use them to connect?  I am still
> waiting for
> >         documentation that describes how to configure and use the mTLS
> feature.
> >
> >         I've added an entry to the security working group as a reminder to
> do
> >         this.  (I don't have the skill to document this feature.)
> >
> >         - Joseph
> >
> >         >>
> >         >> Thanks,
> >         >> Zhenfei
> >

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200504/1e0868b7/attachment-0001.htm>


More information about the openbmc mailing list