* What is OpenBMC server software
@ 2021-04-17 8:27 Thang Nguyen OS
2021-04-21 1:50 ` Joseph Reynolds
From: Thang Nguyen OS @ 2021-04-17 8:27 UTC (permalink / raw)
To: openbmc
Hi,

The Mozilla Firefox SSL configuration, https://ssl-config.mozilla.org,
provides suggestions for Web server software to use secure config by
selecting the right Web server software, version and OpenSSL version.

However, I can't find what Web server software and version OpenBMC
is using. How can I find the information and check if OpenBMC is using
the best secure configuration?

Best Regards,
Thang Q. Nguyen -
* Re: What is OpenBMC server software
From: Joseph Reynolds @ 2021-04-21 1:50 UTC (permalink / raw)
To: Thang Nguyen OS, openbmc
On 4/17/21 3:27 AM, Thang Nguyen OS wrote:
> Hi,
>
> The Mozilla Firefox SSL configuration, https://ssl-config.mozilla.org,
> provides suggestions for Web server software to use secure config by
> selecting the right Web server software, version and OpenSSL version.
>
> However, I can't find what Web server software and version
> OpenBMC is using. How can I find the information and check if OpenBMC
> is using the best secure configuration?

Thang,

I had the same questions a while ago: When given a specific version of
OpenBMC, how do I know which versions of open source packages are pulled
in? This is useful for both license compliance and to understand if
specific vulnerabilities are in your code. I think I have some partial
answers.

Note that OpenBMC releases are shown here
https://github.com/openbmc/openbmc/wiki/Releases
but OpenBMC versions are often identified by a git commit. You can find
the OpenBMC version like this:
- If you are in your source tree, `git log -1` will show the commit number.
- If you have access to the BMC's file system, see file /etc/os-release.

The bitbake build process can produce license information; this also has
the exact source package versions used. For example, it can reliably
tell you which version of OpenSSL your build used. For details, refer
to the Yocto project `license.bbclass` and the Yocto project development
manual section titled "Maintaining Open Source License Compliance During
Your Product's Lifecycle". I believe OpenBMC produces this data by
default, which means the build process writes license manifest data to
files under build/tmp/deploy/licenses/{your-image-name}/.

If you are interested in how the source package versions are configured
in the OpenBMC source tree, you need to study the Yocto documentation.
Here are some specifics for component parts of an OpenBMC image
including the Linux kernel and OpenSSL:
1. You can find the Linux kernel version from your source, like this:
   https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-kernel/linux/linux-aspeed_git.bb
2. You can find the OpenSSL recipe under:
   https://github.com/openbmc/openbmc/tree/master/poky/meta/recipes-connectivity/openssl

You can find OpenBMC's SSL transport layer security configurations here:
- For the Web/REST API server SSL configuration, see hard-coded values
  here:
  https://github.com/openbmc/bmcweb/blob/master/include/ssl_key_handler.hpp
- For the SSH server SSL configuration (if using the dropbear server),
  see compile time options here:
  https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-core/dropbear/dropbear/options.patch

Finally, I've added this explanation to the OpenBMC project
configuration guide:
https://github.com/openbmc/openbmc/wiki/Configuration-guide

Thanks for asking!

- Joseph
>
> Best Regards,
>
> Thang Q. Nguyen -
>
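
Added example, not part of either message in this thread and not OpenBMC project code: a small Python script that reads the two sources mentioned in the reply above (/etc/os-release and the license manifest under build/tmp/deploy/licenses/{your-image-name}/) and reports the versions of the packages that provide the TLS and SSH services. It assumes the manifest file is Yocto's `license.manifest` with blank-line-separated `PACKAGE NAME` / `PACKAGE VERSION` / `RECIPE NAME` / `LICENSE` records; the sample inputs, every version string, and the `WATCHED_RECIPES` set are constructed for illustration.

```python
import re
import sys
# Constructed sample inputs; every version string is a placeholder, not a real build.
SAMPLE_OS_RELEASE = 'ID=openbmc-phosphor\nNAME="Phosphor OpenBMC"\nVERSION_ID=0.0.0-constructed\n'
SAMPLE_MANIFEST = """\
PACKAGE NAME: bmcweb
PACKAGE VERSION: 1.0+git-constructed
RECIPE NAME: bmcweb
LICENSE: Apache-2.0

PACKAGE NAME: dropbear
PACKAGE VERSION: 0000.00-constructed
RECIPE NAME: dropbear
LICENSE: MIT

PACKAGE NAME: libssl1.1
PACKAGE VERSION: 0.0.0-constructed
RECIPE NAME: openssl
LICENSE: openssl

PACKAGE NAME: zlib
PACKAGE VERSION: 0.0-constructed
RECIPE NAME: zlib
LICENSE: Zlib
"""
WATCHED_RECIPES = {"openssl", "dropbear", "bmcweb"}  # assumption: recipes of interest

def parse_os_release(text):
    """Return KEY -> value from os-release text, dropping optional quotes."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, _, v in pairs}

def parse_manifest(text):
    """Parse blank-line-separated records of 'FIELD: value' lines into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (l.split(":", 1) for l in block.splitlines() if ":" in l)
        records.append({k.strip(): v.strip() for k, v in fields})
    return [r for r in records if "PACKAGE NAME" in r and "PACKAGE VERSION" in r]

def versions_for(records, recipes=WATCHED_RECIPES):
    """Map package name -> version for packages built from the given recipes."""
    return {r["PACKAGE NAME"]: r["PACKAGE VERSION"] for r in records if r.get("RECIPE NAME") in recipes}

if __name__ == "__main__":
    os_rel = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OS_RELEASE
    manifest = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_MANIFEST
    print("image version:", parse_os_release(os_rel).get("VERSION_ID", "unknown"))
    for pkg, ver in sorted(versions_for(parse_manifest(manifest)).items()):
        print(f"{pkg}: {ver}")
```

Matching on `RECIPE NAME` rather than `PACKAGE NAME` matters because one recipe can produce several differently named packages, as the constructed `libssl1.1` record built from the `openssl` recipe shows.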