[bmcweb] mTLS client authentication always succeeds
Zbyszek
zbigniewku at gmail.com
Thu May 7 17:48:42 AEST 2020
śr., 6 maj 2020 o 20:19 Zhenfei Tai <ztai at google.com> napisał(a):
>
> Hi Zbyszek,
>
> Thanks for your reply. I look forward to the official documentation.
>
> The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.
Yes, always returning true we do not break the tls handshake allowing
for connection.
But user will not be authenticated anyway because its name will not be
extracted from the certificate.
In such case user should receive proper http error code telling he is
not authenticated.
>
> // We always return true to allow full auth flow
> if (!preverified)
> {
> BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
> return true;
> }
>
> Thanks,
> Zhenfei
>
> On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku at gmail.com> wrote:
>>
>> pt., 1 maj 2020 o 02:07 Zhenfei Tai <ztai at google.com> napisał(a):
>> >
>> > Hi,
>> >
>> > I've been testing bmcweb mTLS for a while and found the user defined verify callback function returns true in all cases. (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
>> >
>> > If client authentication is enabled in bmcweb, should it reject if client certificate is bad?
>>
>> No, purpose of this callback is to only extract the user name from the
>> certificate and then allow to proceed with default OpenSSL
>> verification flow which should finally fail if something is wrong with
>> the certificate no matter what this function returned.
>> The 'set_verify_callback' doesn't replace the whole verification
>> procedure, it only adds a callback that is called when the default
>> validator checks each certificate. The 'preverified' parameter, passed
>> to it indicates if verification of the certificate succeeded or not.
>> You should be able to see it in bmcweb logs.
>>
>> >
>> > Thanks,
>> > Zhenfei
More information about the openbmc
mailing list