[bmcweb] mTLS client authentication always succeeds

Zbyszek zbigniewku at gmail.com
Wed May 6 21:12:35 AEST 2020

pt., 1 maj 2020 o 02:07 Zhenfei Tai <ztai at google.com> napisał(a):
> Hi,
> I've been testing bmcweb mTLS for a while and found the user defined verify callback function returns true in all cases. (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
> If client authentication is enabled in bmcweb, should it reject if client certificate is bad?

No, purpose of this callback is to only extract the user name from the
certificate and then allow to proceed with default OpenSSL
verification flow which should finally fail if something is wrong with
the certificate no matter what this function returned.
The 'set_verify_callback' doesn't replace the whole verification
procedure, it only adds a callback that is called when the default
validator checks each certificate. The 'preverified' parameter, passed
to it indicates if verification of the certificate succeeded or not.
You should be able to see it in bmcweb logs.

> Thanks,
> Zhenfei

More information about the openbmc mailing list