* [bmcweb] mTLS client authentication always succeeds
@ 2020-05-01  0:06 Zhenfei Tai
From: Zhenfei Tai @ 2020-05-01  0:06 UTC (permalink / raw)
  To: OpenBMC Maillist


Hi,

I've been testing bmcweb mTLS for a while and found the user-defined verify
callback function returns true in all cases.
(https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)

If client authentication is enabled in bmcweb, should it reject if client
certificate is bad?

Thanks,
Zhenfei


* Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-01  0:06 [bmcweb] mTLS client authentication always succeeds Zhenfei Tai
@ 2020-05-06 11:12 ` Zbyszek
From: Zbyszek @ 2020-05-06 11:12 UTC (permalink / raw)
  Cc: OpenBMC Maillist

On Fri, 1 May 2020 at 02:07, Zhenfei Tai <ztai@google.com> wrote:
>
> Hi,
>
> I've been testing bmcweb mTLS for a while and found the user defined verify callback function returns true in all cases. (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
>
> If client authentication is enabled in bmcweb, should it reject if client certificate is bad?

No, the purpose of this callback is only to extract the user name from the
certificate and then allow it to proceed with the default OpenSSL
verification flow, which should finally fail if something is wrong with
the certificate no matter what this function returned.
The 'set_verify_callback' doesn't replace the whole verification
procedure; it only adds a callback that is called when the default
validator checks each certificate. The 'preverified' parameter passed
to it indicates whether verification of the certificate succeeded or not.
You should be able to see it in the bmcweb logs.


* Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-06 11:12 ` Zbyszek
@ 2020-05-06 18:19   ` Zhenfei Tai
From: Zhenfei Tai @ 2020-05-06 18:19 UTC (permalink / raw)
  To: Zbyszek; +Cc: OpenBMC Maillist


Hi Zbyszek,

Thanks for your reply. I look forward to the official documentation.

The callback function returns true when preverified == false. I'm not sure why
it should always return true, which accepts any client certificate.

// We always return true to allow full auth flow
if (!preverified)
{
    BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
    return true;
}

Thanks,
Zhenfei


* Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-06 18:19   ` Zhenfei Tai
@ 2020-05-07  7:48     ` Zbyszek
From: Zbyszek @ 2020-05-07  7:48 UTC (permalink / raw)
  To: Zhenfei Tai; +Cc: OpenBMC Maillist

On Wed, 6 May 2020 at 20:19, Zhenfei Tai <ztai@google.com> wrote:
>
> Hi Zbyszek,
>
> Thanks for your reply. I look forward to the official documentation.
>
> The callback function returns true when preverified == false. Not sure why it should always return true, which accepts any client certificate.

Yes, by always returning true we do not break the TLS handshake, allowing
the connection.
But the user will not be authenticated anyway, because his name will not be
extracted from the certificate.
In such a case the user should receive a proper HTTP error code telling him he is
not authenticated.


* RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-07  7:48     ` Zbyszek
@ 2020-05-07  8:14       ` Neeraj Ladkani
From: Neeraj Ladkani @ 2020-05-07  8:14 UTC (permalink / raw)
  To: Zbyszek, Zhenfei Tai; +Cc: OpenBMC Maillist

Hi Zbyszek, 

Just a basic question: once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without a client cert?

It would be good to document the curl APIs to enable this feature and test end-to-end flows.

Thanks
Neeraj


* Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-07  8:14       ` [EXTERNAL] " Neeraj Ladkani
@ 2020-05-07  9:09         ` Zbyszek
From: Zbyszek @ 2020-05-07  9:09 UTC (permalink / raw)
  To: Neeraj Ladkani; +Cc: Zhenfei Tai, OpenBMC Maillist

On Thu, 7 May 2020 at 10:14, Neeraj Ladkani <neladk@microsoft.com> wrote:
>
> Hi Zbyszek,
>
> Just a basic question, Once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without client cert?


Yes, it can; by default all authentication methods are enabled except TLS.
Which methods are enabled can be checked via the Redfish service at
AccountService->Oem->OpenBMC->AuthMethods.
To change these settings, send a PATCH to
https://{{bmc_ip}}/redfish/v1/AccountService.
For example, to turn on TLS use this patch body: {"Oem": {"OpenBMC":
{"AuthMethods": {"TLS": true}}}}

I think the diagram in the paragraph 'Authentication Process' at
https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md
can be useful in understanding what the authentication process flow looks like.
(Now I see that some parts of this design, like the paths, require
updates, but the diagram is valid.)



* RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-07  9:09         ` Zbyszek
@ 2020-05-11 18:20           ` Neeraj Ladkani
From: Neeraj Ladkani @ 2020-05-11 18:20 UTC (permalink / raw)
  To: Zbyszek; +Cc: Zhenfei Tai, OpenBMC Maillist

I have enabled DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION in bmcweb, but I do not see TLSAuth/Certificates in redfish/v1/AccountService. I tried to upload a CA cert via bmcweb but I could not make it work (authentication failing).

I could not find documentation to enable this feature. It would be great if someone could send steps to enable this feature.

Neeraj



* RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-11 18:20           ` Neeraj Ladkani
@ 2020-05-11 18:57             ` Neeraj Ladkani
From: Neeraj Ladkani @ 2020-05-11 18:57 UTC (permalink / raw)
  To: Neeraj Ladkani, Zbyszek; +Cc: OpenBMC Maillist, Zhenfei Tai

 "Oem": {
        "OpenBMC": {
            "@odata.type": "#OemAccountService.v1_0_0.AccountService",
            "AuthMethods": {
                "BasicAuth": true,
                "Cookie": true,
                "SessionToken": true,
                "TLS": true,
                "XToken": true
            }
        }

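The split Zbyszek describes (the verify callback returning true keeps the handshake alive, while authentication is decided later from the extracted user name and the AuthMethods flags in the Redfish fragment Neeraj posted) can be modelled in a few lines. This is an added example, not bmcweb code; the ChainLink and Connection types, the constructed certificate chains and the AccountService fragment are assumptions standing in for real OpenSSL and Redfish objects.

```python
"""Model of the bmcweb mTLS authentication split discussed in this thread.

Added example, not bmcweb code. Two stages are modelled:
  1. the TLS verify callback, which always returns True (the handshake
     completes) but records a user name only when OpenSSL's preverification
     of the leaf certificate succeeded;
  2. the HTTP-layer decision, gated by AccountService.Oem.OpenBMC.AuthMethods,
     that turns "no extracted user" into a 401.
Certificate chains are constructed (depth, preverified, CN) records, not
real X.509 objects.
"""
import copy
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ChainLink:
    depth: int          # 0 is the client's own (leaf) certificate
    preverified: bool   # result of OpenSSL's default validation for this cert
    common_name: str


@dataclass
class Connection:
    tls_user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def verify_callback(conn: Connection, preverified: bool, link: ChainLink) -> bool:
    """Same shape as the bmcweb callback quoted in the thread: always True."""
    if not preverified:
        # The handshake is not aborted here, but no user name is extracted.
        conn.log.append(f"TLS preverification failed at depth {link.depth}")
        return True
    if link.depth == 0:
        # Only a leaf certificate that passed preverification names a user.
        conn.tls_user = link.common_name
    return True


def run_handshake(chain: List[ChainLink]) -> Connection:
    """OpenSSL invokes the callback once per certificate, root first."""
    conn = Connection()
    for link in sorted(chain, key=lambda l: l.depth, reverse=True):
        verify_callback(conn, link.preverified, link)
    return conn


# Constructed AccountService fragment in the shape posted in the thread,
# with TLS still off (the default the thread describes).
ACCOUNT_SERVICE: Dict = {
    "Oem": {"OpenBMC": {
        "@odata.type": "#OemAccountService.v1_0_0.AccountService",
        "AuthMethods": {"BasicAuth": True, "Cookie": True,
                        "SessionToken": True, "TLS": False, "XToken": True},
    }}
}


def patch_body(method: str, enabled: bool) -> str:
    """Body of the PATCH to /redfish/v1/AccountService that flips one method."""
    return json.dumps({"Oem": {"OpenBMC": {"AuthMethods": {method: enabled}}}})


def apply_patch(account_service: Dict, body: str) -> Dict:
    """Merge a PATCH body into a copy of the AccountService resource."""
    updated = copy.deepcopy(account_service)
    wanted = json.loads(body)["Oem"]["OpenBMC"]["AuthMethods"]
    updated["Oem"]["OpenBMC"]["AuthMethods"].update(wanted)
    return updated


def request_status(account_service: Dict, conn: Connection,
                   basic_auth_user: Optional[str] = None) -> int:
    """HTTP status the request would get: 200 if an enabled method
    authenticated a user, otherwise 401."""
    methods = account_service["Oem"]["OpenBMC"]["AuthMethods"]
    if methods.get("TLS") and conn.tls_user:
        return 200
    if methods.get("BasicAuth") and basic_auth_user:
        return 200
    return 401


def demo() -> Dict[str, int]:
    """Walk the cases the thread discusses; returns the status per case."""
    good = [ChainLink(1, True, "Test CA"), ChainLink(0, True, "alice")]
    bad = [ChainLink(1, True, "Test CA"), ChainLink(0, False, "expired-client")]
    tls_on = apply_patch(ACCOUNT_SERVICE, patch_body("TLS", True))
    return {
        "good cert, TLS method off": request_status(ACCOUNT_SERVICE, run_handshake(good)),
        "good cert, TLS method on": request_status(tls_on, run_handshake(good)),
        "bad cert, TLS method on": request_status(tls_on, run_handshake(bad)),
        "bad cert, basic auth": request_status(tls_on, run_handshake(bad), "root"),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The "bad cert" case is the one raised in the thread: the handshake finishes, but no user is extracted, so the request is rejected with 401 unless another enabled method authenticates it.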

* Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-11 18:57             ` Neeraj Ladkani
@ 2020-05-13 13:24               ` Zbyszek
From: Zbyszek @ 2020-05-13 13:24 UTC (permalink / raw)
  To: Neeraj Ladkani; +Cc: OpenBMC Maillist, Zhenfei Tai

Instruction is under review:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234


* Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
  2020-05-13 13:24               ` Zbyszek
@ 2020-05-13 16:38                 ` Zhenfei Tai
From: Zhenfei Tai @ 2020-05-13 16:38 UTC (permalink / raw)
  To: Zbyszek; +Cc: Neeraj Ladkani, OpenBMC Maillist


Great, thanks for the update.

On Wed, May 13, 2020 at 6:24 AM Zbyszek <zbigniewku@gmail.com> wrote:

> Instruction is under review:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/32234
>
> pon., 11 maj 2020 o 20:57 Neeraj Ladkani <neladk@microsoft.com>
> napisał(a):
> >
> >  "Oem": {
> >         "OpenBMC": {
> >             "@odata.type": "#OemAccountService.v1_0_0.AccountService",
> >             "AuthMethods": {
> >                 "BasicAuth": true,
> >                 "Cookie": true,
> >                 "SessionToken": true,
> >                 "TLS": true,
> >                 "XToken": true
> >             }
> >         }
> >
> > -----Original Message-----
> > From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of Neeraj Ladkani
> > Sent: Monday, May 11, 2020 11:20 AM
> > To: Zbyszek <zbigniewku@gmail.com>
> > Cc: OpenBMC Maillist <openbmc@lists.ozlabs.org>; Zhenfei Tai <ztai@google.com>
> > Subject: RE: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
> >
> > I have enabled DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION in bmcweb but I do not see TLSAuth/Certificates in redfish/v1/AccountService? I tried to upload a CA cert via bmcweb but I could not make it work (authentication failing).
> >
> > I could not find documentation to enable this feature. It would be great if someone could send steps to enable this feature.
> >
> > Neeraj
> >
> >
> > -----Original Message-----
> > From: Zbyszek <zbigniewku@gmail.com>
> > Sent: Thursday, May 7, 2020 2:10 AM
> > To: Neeraj Ladkani <neladk@microsoft.com>
> > Cc: Zhenfei Tai <ztai@google.com>; OpenBMC Maillist <openbmc@lists.ozlabs.org>
> > Subject: Re: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
> >
> > Thu., 7 May 2020 at 10:14 Neeraj Ladkani <neladk@microsoft.com> wrote:
> > >
> > > Hi Zbyszek,
> > >
> > > Just a basic question: once bmcweb is configured with -DBMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION, can it work without a client cert?
> >
> >
> > Yes, it can; by default all authentication methods are enabled except TLS.
> > Which method is enabled can be checked via the Redfish service
> > AccountService->Oem->OpenBMC->AuthMethods.
> > To change these settings send a PATCH to
> > https://{{bmc_ip}}/redfish/v1/AccountService.
> > For example, to turn on TLS use this patch body: {"Oem": {"OpenBMC":
> > {"AuthMethods": {"TLS": true}}}}
> >
> > I think the diagram in the paragraph 'Authentication Process' at
> > https://github.com/openbmc/docs/blob/master/designs/redfish-tls-user-authentication.md
> > can be useful in understanding how the authentication process flow looks.
> > (Now I see that some parts of this design, like paths, require updates, but the diagram is valid.)
> >
> >
> > >
> > > It will be good to document curl APIs to enable this feature and test end-to-end flows.
> > >
> > > Thanks
> > > Neeraj
> > >
> > > -----Original Message-----
> > > From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of Zbyszek
> > > Sent: Thursday, May 7, 2020 12:49 AM
> > > To: Zhenfei Tai <ztai@google.com>
> > > Cc: OpenBMC Maillist <openbmc@lists.ozlabs.org>
> > > Subject: [EXTERNAL] Re: [bmcweb] mTLS client authentication always succeeds
> > >
> > > Wed., 6 May 2020 at 20:19 Zhenfei Tai <ztai@google.com> wrote:
> > > >
> > > > Hi Zbyszek,
> > > >
> > > > Thanks for your reply. I look forward to the official documentation.
> > > >
> > > > The callback function returns true when preverified == false. Not
> sure why it should always return true, which accepts any client certificate.
> > >
> > > Yes, by always returning true we do not break the TLS handshake, allowing the connection.
> > > But the user will not be authenticated anyway because their name will not be extracted from the certificate.
> > > In such a case the user should receive a proper HTTP error code telling them they are not authenticated.
> > >
> > > >
> > > > // We always return true to allow full auth flow
> > > > if (!preverified)
> > > > {
> > > >     BMCWEB_LOG_DEBUG << this << " TLS preverification failed.";
> > > >     return true;
> > > > }
> > > >
> > > > Thanks,
> > > > Zhenfei
> > > >
> > > > On Wed, May 6, 2020 at 4:22 AM Zbyszek <zbigniewku@gmail.com> wrote:
> > > >>
> > > >> Fri., 1 May 2020 at 02:07 Zhenfei Tai <ztai@google.com> wrote:
> > > >> >
> > > >> > Hi,
> > > >> >
> > > >> > I've been testing bmcweb mTLS for a while and found the
> > > >> > user-defined verify callback function returns true in all cases.
> > > >> > (https://github.com/openbmc/bmcweb/blob/master/http/http_connection.h#L287)
> > > >> >
> > > >> > If client authentication is enabled in bmcweb, should it reject
> if client certificate is bad?
> > > >>
> > > >> No, the purpose of this callback is only to extract the user name from
> > > >> the certificate and then allow proceeding with the default OpenSSL
> > > >> verification flow, which should finally fail if something is wrong
> > > >> with the certificate no matter what this function returned.
> > > >> The 'set_verify_callback' doesn't replace the whole verification
> > > >> procedure; it only adds a callback that is called when the default
> > > >> validator checks each certificate. The 'preverified' parameter
> > > >> passed to it indicates whether verification of the certificate succeeded
> > > >> or not.
> > > >> You should be able to see it in bmcweb logs.
> > > >>
> > > >> >
> > > >> > Thanks,
> > > >> > Zhenfei
>

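The thread asks for two things a practitioner can script: the Redfish PATCH that enables the TLS auth method (the AccountService->Oem->OpenBMC->AuthMethods body quoted above) and an end-to-end check that, once it is on, a request with no usable client certificate is rejected even though bmcweb's verify callback lets the handshake complete. The following is an added example written for this thread; it is not bmcweb or OpenBMC project code. Everything about the target is assumed rather than taken from the thread: the BMC serves HTTPS on host:port, an existing local user can send the PATCH over Basic auth, a CA the BMC already trusts signed `good_cert`, `bad_cert` is signed by some other CA, and the good certificate's CN matches a bmcweb user name. The three-way `verdict` interpretation is this example's own, not a bmcweb contract.

```python
"""End-to-end probe of bmcweb's TLS (mTLS) auth method over Redfish.

Added example for this thread; not bmcweb or OpenBMC project code.
Assumptions (none from the thread): BMC at host:port, an admin user for
Basic auth, good_cert signed by a CA in the BMC trust store with a CN that
matches a bmcweb user, bad_cert signed by an untrusted CA.
"""
import base64
import http.client
import json
import ssl
from typing import Optional, Tuple

ACCOUNT_SERVICE = "/redfish/v1/AccountService"

# Constructed sample of the Oem block quoted in the thread (TLS still off).
SAMPLE_ACCOUNT_SERVICE = json.dumps({"Oem": {"OpenBMC": {
    "@odata.type": "#OemAccountService.v1_0_0.AccountService",
    "AuthMethods": {"BasicAuth": True, "Cookie": True,
                    "SessionToken": True, "TLS": False, "XToken": True}}}})


def auth_methods(account_service_json: str) -> dict:
    """AuthMethods map from a GET /redfish/v1/AccountService body."""
    return json.loads(account_service_json)["Oem"]["OpenBMC"]["AuthMethods"]


def auth_methods_patch(**methods: bool) -> bytes:
    """PATCH body from the thread, e.g. auth_methods_patch(TLS=True)."""
    return json.dumps({"Oem": {"OpenBMC": {"AuthMethods": methods}}}).encode()


def tls_context(certfile: Optional[str] = None, keyfile: Optional[str] = None,
                verify_server: bool = True) -> ssl.SSLContext:
    """Client context; presents a client certificate when one is given."""
    ctx = ssl.create_default_context()
    if not verify_server:
        # Lab BMCs usually run a self-signed server cert; only this probe
        # skips server verification. Production tooling must trust or pin it.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def redfish(host: str, port: int, method: str, path: str, ctx: ssl.SSLContext,
            body: Optional[bytes] = None,
            basic: Optional[Tuple[str, str]] = None) -> Tuple[int, str]:
    """One Redfish request; returns (0, reason) if the handshake is refused."""
    headers = {"Content-Type": "application/json"}
    if basic:
        token = base64.b64encode(f"{basic[0]}:{basic[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    except ssl.SSLError as exc:
        return 0, str(exc)
    finally:
        conn.close()


def verdict(no_cert: int, bad_cert: int, good_cert: int) -> str:
    """Interpret the three probes (status 0 = TLS handshake refused).

    Per the thread, bmcweb finishes the handshake on a failed preverification
    and rejects at the HTTP layer (401) because no user name is extracted.
    """
    if bad_cert == 200:
        return "open: a certificate from an untrusted CA was accepted"
    if no_cert == 200:
        return "open: a request with no certificate and no credentials was accepted"
    if bad_cert not in (0, 401) or no_cert != 401:
        return f"unexpected: no_cert={no_cert} bad_cert={bad_cert}"
    if good_cert == 200:
        layer = "TLS layer" if bad_cert == 0 else "HTTP layer (401)"
        return f"enforced: untrusted certificate rejected at the {layer}"
    if good_cert == 401:
        return "cert not mapped: check the BMC trust store and that CN matches a user"
    return f"unexpected: good_cert={good_cert}"


def probe(host, port, admin, good_cert, good_key, bad_cert, bad_key) -> str:
    """Turn on the TLS auth method if needed, then run the three probes."""
    plain = tls_context(verify_server=False)
    st, body = redfish(host, port, "GET", ACCOUNT_SERVICE, plain, basic=admin)
    if st != 200:
        raise RuntimeError(f"GET AccountService failed: {st}")
    if not auth_methods(body).get("TLS"):
        st, _ = redfish(host, port, "PATCH", ACCOUNT_SERVICE, plain,
                        body=auth_methods_patch(TLS=True), basic=admin)
        if st not in (200, 204):
            raise RuntimeError(f"PATCH AuthMethods failed: {st}")
    statuses = []
    for cert, key in ((None, None), (bad_cert, bad_key), (good_cert, good_key)):
        ctx = tls_context(cert, key, verify_server=False)
        statuses.append(redfish(host, port, "GET", ACCOUNT_SERVICE, ctx)[0])
    return verdict(*statuses)
```

Run it as `probe("bmc.example", 443, ("root", "password"), "good.pem", "good.key", "bad.pem", "bad.key")` (hypothetical values). The example leaves BasicAuth enabled so the admin PATCH keeps working; a deployment that wants TLS-only would also PATCH the other methods to false, after which only the mTLS probes are meaningful. A "cert not mapped" result is the case Zbyszek describes: the handshake succeeds, but no user name was taken from the certificate, so bmcweb answers 401.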


end of thread, other threads:[~2020-05-13 16:39 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
2020-05-01  0:06 [bmcweb] mTLS client authentication always succeeds Zhenfei Tai
2020-05-06 11:12 ` Zbyszek
2020-05-06 18:19   ` Zhenfei Tai
2020-05-07  7:48     ` Zbyszek
2020-05-07  8:14       ` [EXTERNAL] " Neeraj Ladkani
2020-05-07  9:09         ` Zbyszek
2020-05-11 18:20           ` Neeraj Ladkani
2020-05-11 18:57             ` Neeraj Ladkani
2020-05-13 13:24               ` Zbyszek
2020-05-13 16:38                 ` Zhenfei Tai
