Requirements for crypto deprecation?

Joseph Reynolds jrey at linux.ibm.com
Wed May 13 01:48:54 AEST 2020


Ping.  Does anyone have requirements for a BMC admin to be able to 
disable cryptographic algorithms that help provide transport layer 
security (TLS) for network traffic?  For example, if 
ECDHE-ECDSA-AES256-GCM-SHA384 was broken [1], do we need a way to 
disable it for HTTPS in operational BMCs?

Note: The list of supported algorithms is compiled into the BMC's 
firmware image [2][3] and cannot be changed by an admin or shell 
commands; it requires reconfiguration of the source code and a the BMC 
be updated with a new firmware image.

Is there interest in adding this function, knowing the fallback option 
is to update the firmware?

- Joseph

[1]: I am not saying or even hinting this is broken. ;-)
[2]: 
https://github.com/openbmc/bmcweb/blob/0185c7f163a850216437be23111e2bfdd874cd11/include/ssl_key_handler.hpp#L336
[3]: Similar compile-time config for dropbear SSH server.



More information about the openbmc mailing list