From: Zbyszek <zbigniewku@gmail.com>
Cc: OpenBMC Maillist <openbmc@lists.ozlabs.org>
Subject: Re: [bmcweb] mTLS client authentication always succeeds
Date: Wed, 6 May 2020 13:12:35 +0200
Message-ID: <CAB_SOc5tEo7xRg65aMfBOWyY_yXkb6+mLmRhf8hifNhHDWGVgQ@mail.gmail.com>
In-Reply-To: <CAMXw96Mnk8Hf4wAB_Ot=XEqp9yecspPfMGB6oF_LSgjRFMNHvw@mail.gmail.com>

Fri, 1 May 2020 at 02:07 Zhenfei Tai <ztai@google.com> wrote:
>
> Hi,
>
> I've been testing bmcweb mTLS for a while and found the user defined verify callback function returns true in all cases. (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
>
> If client authentication is enabled in bmcweb, should it reject if client certificate is bad?

No, the purpose of this callback is only to extract the user name from
the certificate and then allow the default OpenSSL verification flow
to proceed, which should finally fail if something is wrong with the
certificate no matter what this function returned.
The 'set_verify_callback' doesn't replace the whole verification
procedure; it only adds a callback that is called when the default
validator checks each certificate. The 'preverified' parameter passed
to it indicates whether verification of the certificate succeeded or
not. You should be able to see it in bmcweb logs.

>
> Thanks,
> Zhenfei
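The exchange above turns on what a TLS stack does with the value a per-certificate verify callback returns. The following is an added example, not code from bmcweb, from Boost.Asio, or from either poster: a small dependency-free C++ model of that contract. It assumes the semantics OpenSSL documents for SSL_CTX_set_verify (and that Boost.Asio's set_verify_callback forwards): the built-in checks compute `preverified`, the callback is then invoked, and the callback's return value is used as the verification result for that certificate. The `Cert`, `VerifyContext`, `verifyClient` and `handshakeWith` names, the CA names and the sample certificates are all constructed for the example. It contrasts a callback that extracts the CN and returns true unconditionally with one that extracts the CN only when `preverified` is set and hands the verifier's verdict back unchanged.

```cpp
#include <functional>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Constructed, minimal stand-in for the fields of a client X.509 certificate
// that this model looks at.
struct Cert {
    std::string subjectCn;  // CN that would be mapped to a user name
    std::string issuer;     // name of the CA that signed it
    bool expired;
};

// Stand-in for the verify context handed to the callback
// (hypothetical; in Boost.Asio this role is played by ssl::verify_context).
struct VerifyContext {
    const Cert& cert;
    std::string username;  // set by the callback when it extracts the CN
};

using VerifyCallback = std::function<bool(bool preverified, VerifyContext& ctx)>;

// Model of the built-in verifier. Assumption (see lead-in): the built-in checks
// produce `preverified`, then the callback's return value becomes the verification
// result for this certificate, so returning true overrides a failed check.
bool verifyClient(const Cert& cert,
                  const std::vector<std::string>& trustedCas,
                  const VerifyCallback& cb,
                  std::string& usernameOut) {
    bool trustedIssuer = false;
    for (const auto& ca : trustedCas) {
        if (ca == cert.issuer) trustedIssuer = true;
    }
    const bool preverified = trustedIssuer && !cert.expired;

    VerifyContext ctx{cert, ""};
    const bool accepted = cb(preverified, ctx);  // the callback's verdict is final
    usernameOut = ctx.username;
    return accepted;
}

// The pattern the thread asks about: extract the CN and return true regardless.
bool alwaysAccept(bool /*preverified*/, VerifyContext& ctx) {
    ctx.username = ctx.cert.subjectCn;
    return true;
}

// Hardened callback: only believe the CN once the built-in checks passed, and
// return the verifier's own verdict unchanged.
bool extractUserIfVerified(bool preverified, VerifyContext& ctx) {
    if (preverified) ctx.username = ctx.cert.subjectCn;
    return preverified;
}

struct Outcome {
    bool accepted;
    std::string user;
};

// Runs one modelled client authentication against a constructed trust store.
Outcome handshakeWith(const VerifyCallback& cb, const Cert& clientCert) {
    const std::vector<std::string> trusted{"Example BMC Root CA"};  // constructed
    Outcome out{false, ""};
    out.accepted = verifyClient(clientCert, trusted, cb, out.user);
    return out;
}

// Constructed sample certificates: one issued by the trusted CA, one by an unknown CA.
const Cert kGoodCert{"alice", "Example BMC Root CA", false};
const Cert kUnknownCaCert{"root", "Some Other CA", false};

int main() {
    for (const Cert* c : {&kGoodCert, &kUnknownCaCert}) {
        Outcome a = handshakeWith(alwaysAccept, *c);
        Outcome b = handshakeWith(extractUserIfVerified, *c);
        std::cout << "cert CN=" << c->subjectCn << " issuer=" << c->issuer
                  << "\n  always-true callback:  accepted=" << a.accepted
                  << " user='" << a.user << "'"
                  << "\n  preverified callback:  accepted=" << b.accepted
                  << " user='" << b.user << "'\n";
    }
    return 0;
}
```

Under the assumed semantics the certificate from the unknown CA is accepted, with user name "root", when the callback always returns true, and rejected with no user name when the callback returns `preverified`. Checking the `preverified` value in the bmcweb logs, as suggested above, tells you which of the two branches the built-in checks took for a given client certificate.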

Thread overview: 10+ messages
2020-05-01  0:06 [bmcweb] mTLS client authentication always succeeds Zhenfei Tai
2020-05-06 11:12 ` Zbyszek [this message]
2020-05-06 18:19   ` Zhenfei Tai
2020-05-07  7:48     ` Zbyszek
2020-05-07  8:14       ` [EXTERNAL] " Neeraj Ladkani
2020-05-07  9:09         ` Zbyszek
2020-05-11 18:20           ` Neeraj Ladkani
2020-05-11 18:57             ` Neeraj Ladkani
2020-05-13 13:24               ` Zbyszek
2020-05-13 16:38                 ` Zhenfei Tai
