[bmcweb] mTLS client authentication always succeeds
ztai at google.com
Thu May 7 04:19:24 AEST 2020
Thanks for your reply. I look forward to the official documentation.
The callback function returns true when preverified == false. Not sure why
it should always return true, which accepts any client certificate.
// We always return true to allow full auth flow
BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
> On Fri, May 1, 2020 at 02:07, Zhenfei Tai <ztai at google.com> wrote:
> > Hi,
> > I've been testing bmcweb mTLS for a while and found the user defined
> verify callback function returns true in all cases. (
> > If client authentication is enabled in bmcweb, should it reject if
> client certificate is bad?
> No, purpose of this callback is to only extract the user name from the
> certificate and then allow to proceed with default OpenSSL
> verification flow which should finally fail if something is wrong with
> the certificate no matter what this function returned.
> The 'set_verify_callback' doesn't replace the whole verification
> procedure, it only adds a callback that is called when the default
> validator checks each certificate. The 'preverified' parameter, passed
> to it indicates if verification of the certificate succeeded or not.
> You should be able to see it in bmcweb logs.
> > Thanks,
> > Zhenfei
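
The thread turns on how the validator uses the verify callback's return value. As an added illustration (not bmcweb or OpenSSL code), the simplified model below follows the rule in OpenSSL's SSL_CTX_set_verify documentation that a callback returning 1 lets verification continue even when preverify_ok is 0. The names Cert, verifyChain, alwaysTrueCb, passThroughCb and gUser are hypothetical, and the chains are constructed sample data.

```cpp
// Simplified model of a chain validator; not OpenSSL or bmcweb code.
#include <functional>
#include <string>
#include <vector>

struct Cert {              // constructed sample certificate
    std::string subjectCn;
    bool passesChecks;     // verdict of the validator's built-in checks
};

using VerifyCb = std::function<bool(bool preverified, int depth, const Cert&)>;

// The callback runs once per certificate, root first, leaf (depth 0) last.
// Its return value replaces the built-in verdict for that certificate:
// false aborts the handshake, true lets verification continue.
bool verifyChain(const std::vector<Cert>& leafFirst, const VerifyCb& cb) {
    for (int depth = static_cast<int>(leafFirst.size()) - 1; depth >= 0; --depth) {
        const Cert& c = leafFirst[depth];
        if (!cb(c.passesChecks, depth, c))
            return false;
    }
    return true;
}

// Pattern quoted in the thread: note the failure, then return true anyway.
bool alwaysTrueCb(bool, int, const Cert&) { return true; }

std::string gUser;  // hypothetical holder for the extracted user name

// Hardened form: pass the built-in verdict through unchanged and read the
// user name only from a leaf certificate that verified.
bool passThroughCb(bool preverified, int depth, const Cert& c) {
    if (!preverified)
        return false;
    if (depth == 0)
        gUser = c.subjectCn;
    return true;
}

// Constructed chains, leaf first: one valid, one with a leaf that fails.
const std::vector<Cert> goodChain = {{"alice", true}, {"Test CA", true}};
const std::vector<Cert> badChain = {{"mallory", false}, {"Test CA", true}};
```

In this model the failing chain is accepted under alwaysTrueCb and rejected under passThroughCb, which also leaves gUser unset for the rejected leaf.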