[bmcweb] mTLS client authentication always succeeds

Zhenfei Tai ztai at google.com
Thu May 7 04:19:24 AEST 2020


Hi Zbyszek,

Thanks for your reply. I look forward to the official documentation.

The callback function returns true when preverified == false. Not sure why
it should always return true, which accepts any client certificate.

// We always return true to allow full auth flow
if (!preverified)
{
    BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
    return true;
}

Thanks,
Zhenfei

On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:

> Fri, 1 May 2020 at 02:07 Zhenfei Tai <ztai at google.com> wrote:
> >
> > Hi,
> >
> > I've been testing bmcweb mTLS for a while and found the user defined
> verify callback function returns true in all cases. (
> https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
> >
> > If client authentication is enabled in bmcweb, should it reject if
> client certificate is bad?
>
> No, the purpose of this callback is only to extract the user name from the
> certificate and then allow the default OpenSSL verification flow to
> proceed, which should finally fail if something is wrong with the
> certificate no matter what this function returned.
> 'set_verify_callback' doesn't replace the whole verification procedure,
> it only adds a callback that is called when the default validator checks
> each certificate. The 'preverified' parameter passed to it indicates
> whether verification of the certificate succeeded or not.
> You should be able to see it in bmcweb logs.
>
> >
> > Thanks,
> > Zhenfei
>
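The question in this thread is what the callback's return value does once OpenSSL's own checks have already failed. As an added illustration (not bmcweb's code, and not linked against OpenSSL), the block below models the verify-callback contract as the SSL_CTX_set_verify documentation describes it: the chain is walked root-first, the callback runs once per certificate with preverify_ok from the built-in checks, a zero return aborts verification, and if every call returns non-zero the handshake completes despite the failures. The `cert` struct, the two chains and the callback names are constructed for the example; the always-true callback mirrors the quoted bmcweb snippet, and the pass-through one is the form that keeps OpenSSL's verdict while still allowing the user name to be extracted.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for one certificate of a presented client chain;
 * "valid" is the verdict of OpenSSL's built-in checks (preverify_ok). */
struct cert { const char *subject; bool valid; };
/* Shape of the user callback: (preverify_ok, certificate) -> continue? */
typedef int (*verify_cb)(int preverify_ok, const struct cert *c);
/* Mirrors the bmcweb snippet quoted in the thread: always continue. */
static int verify_always_true(int preverify_ok, const struct cert *c)
{
    if (!preverify_ok)
        printf("%s: TLS preverification failed (ignored)\n", c->subject);
    return 1;
}

/* Hardened form: log or extract the user name, but keep OpenSSL's verdict. */
static int verify_passthrough(int preverify_ok, const struct cert *c)
{
    if (!preverify_ok)
        printf("%s: TLS preverification failed (rejecting)\n", c->subject);
    return preverify_ok;
}
/* Model of the documented contract (not OpenSSL itself): the chain is walked
 * root-first, the callback runs once per certificate with preverify_ok from
 * the built-in checks, the first zero return aborts verification, and if
 * every call returns non-zero the handshake proceeds even where
 * preverify_ok was zero. */
static bool chain_accepted(const struct cert *chain, int n, verify_cb cb)
{
    for (int depth = n - 1; depth >= 0; depth--)
        if (!cb(chain[depth].valid ? 1 : 0, &chain[depth]))
            return false;
    return true;
}

/* Constructed chains, leaf first: one signed by the trusted CA, one whose
 * leaf fails the built-in checks (unknown issuer, expired, ...). */
static const struct cert good_chain[] = { { "CN=bmc-operator", true }, { "CN=trusted-ca", true } };
static const struct cert bad_chain[]  = { { "CN=unknown-leaf", false }, { "CN=trusted-ca", true } };

int main(void)
{
    const char *v[] = { "rejected", "accepted" };
    printf("always-true, bad chain: %s\n", v[chain_accepted(bad_chain, 2, verify_always_true)]);
    printf("passthrough, bad chain: %s\n", v[chain_accepted(bad_chain, 2, verify_passthrough)]);
    printf("passthrough, good chain: %s\n", v[chain_accepted(good_chain, 2, verify_passthrough)]);
    return 0;
}
```

The practical check on a real deployment is the same as the model: present a client certificate that the configured CA did not sign and confirm the handshake is refused rather than logged and allowed.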