From: Zbyszek <zbigniewku@gmail.com>
To: "openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: Re: mTLS on bmcweb
Date: Wed, 6 May 2020 13:13:50 +0200
Message-ID: <CAB_SOc75mEgCb3kL5Dmc-rxZFWZRnjiMgUn1+R69PxK+nJu3Rw@mail.gmail.com>
In-Reply-To: <BC82EBEC-EFB2-4E9B-9974-743F4F1584FB@quantatw.com>

Hi, proper documentation that describes how to configure and use the mTLS
feature is in progress and soon will appear in OpenBmc docs.
Thanks for your patience :)


Mon, 4 May 2020 at 04:29 P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote:

>
> On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com> wrote:
>
> I did more testing and found the reason why it accepts any client
> certificate.
> The error is due to the self signed certificate cannot be found in the
> list of trusted certificates.
> Without the user defined verify callback function, it works as expected.
>
> #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
> (https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2x509_2x509__vfy_8h.html#aa4f5a3309eae833f85dff37c36fa039d)
>
> // Check if certificate is OK
> int error = X509_STORE_CTX_get_error(cts);
> if (error != X509_V_OK)
> {
>     // any verification error, including 18 above, ends up accepted
>     return true;
> }
>
> Yes, I also thought the key is that the self-signed certificate is not in
> the trusted store.
> However, the self-signed CA certificate I uploaded using the Redfish API
> and modifying the code to another "set_verify_mode" are actually useless.
>
> On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote:
>
>> Also, with that change in http_connection.h, it still accepts any client
>> certificate provided in curl.
>>
>> Here's what I did:
>> 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
>> 2. Uncommented ssl_key_handler.hpp:315 and added the
>> boost::asio::ssl::verify_fail_if_no_peer_cert
>>
>> Behavior after change:
>> 1. Rejects curl without client certificate.
>> 2. Returns when client certificate matches the one authority directory.
>> 3. Rejects when client sends other certificates.
>>
>> The change is just for testing purposes, I guess the original intention
>> was not to mTLS every request.
>>
>> It works :D
>
> On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote:
>>
>>> Hi P.K.
>>>
>>> I tried the same thing.
>>>
>>> Could you share which url you tested?
>>> With that change, if I access the https://${bmc}/redfish/v1 url in
>>> chrome, it prompts to choose a client certificate, but will also work if no
>>> certificate is chosen.
>>>
>>> Thanks,
>>> Zhenfei
>>>
>>> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>
>>> wrote:
>>>
>>>> I found a way to fix this issue, but it needs to be modified to the
>>>> source code. In two steps:
>>>>
>>>> Step 1.
>>>> The source code
>>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in
>>>> http_connection.h is replaced with
>>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer |
>>>> boost::asio::ssl::verify_fail_if_no_peer_cert);"
>>>>
>>>> Step 2.
>>>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by
>>>> default)
>>>>
>>>> It will enable enforced mTLS authentication.
>>>>
>>>> Best,
>>>> P.K.
>>>>
>>>> > -----Original Message-----
>>>> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>
>>>> > Sent: Saturday, April 25, 2020 1:03 AM
>>>> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com>
>>>> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>;
>>>> > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph
>>>> > Reynolds <jrey@linux.ibm.com>
>>>> > Subject: Re: mTLS on bmcweb
>>>> >
>>>> >
>>>> >
>>>> > On 4/23/20 7:35 PM, Richard Hanley wrote:
>>>> > > My guess is that somehow the root cert used to validate clients
>>>> > > isn't installed correctly, and so it's defaulting to basic auth.
>>>> > >
>>>> > > At least that's my reading of this review
>>>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
>>>> > >
>>>> >
>>>> > I think this would be the case. If the client certificate is not
>>>> > provided, the TLS connection is still established, just without
>>>> > authenticating the client. This allows the upper layer to provide other
>>>> > authentication methods (e.g. Basic Auth).
>>>> > >
>>>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com> wrote:
>>>> > >
>>>> > >     I guess part of my question is how to configure the mTLS certs
>>>> > >     to make it work properly.
>>>> > >
>>>> > >     So far only https works (server side TLS).
>>>> > >
>>>> > >     Thanks,
>>>> > >     Zhenfei
>>>> > >
>>>> > >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>>>> > >
>>>> > >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>>>> > >         > Hi,
>>>> > >         >
>>>> > >         > I encountered the same issue when using Redfish to
>>>> > >         > replace the certificate.
>>>> > >         > Regardless of whether the parameters include --cert --key
>>>> > >         > --cacert or only --cacert, the authentication can still succeed.
>>>> > >         >
>>>> > >         > Best,
>>>> > >         > P.K.
>>>> > >         >
>>>> > >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>>>> > >         >> From: Zhenfei Tai <ztai@google.com>
>>>> > >         >> To: openbmc@lists.ozlabs.org
>>>> > >         >> Subject: mTLS on bmcweb
>>>> > >         >> Message-ID:
>>>> > >         >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
>>>> > >         >> Content-Type: text/plain; charset="utf-8"
>>>> > >         >>
>>>> > >         >> Hi,
>>>> > >         >>
>>>> > >         >> I'm trying out bmcweb mTLS which should be enabled by
>>>> > >         >> default by
>>>> > >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>>>> > >         >>
>>>> > >         >> In my test, I created a self signed key and certificate
>>>> > >         >> pair, stacked them up into server.pem in /etc/ssl/certs/https
>>>> > >         >> that bmcweb uses.
>>>> > >         >>
>>>> > >         >> However when I tried to curl the bmcweb service, I was able
>>>> > >         >> to get a response by only supplying the cert.
>>>> > >         >>
>>>> > >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>>>> > >         >>
>>>> > >         >> With the mTLS enabled, I expected it should error out
>>>> > >         >> since no client certificate is provided.
>>>> > >         >>
>>>> >
>>>> > As mentioned, if you did not provide a client certificate, the connection
>>>> > was established to allow for Basic Auth. And as the Service Root requires
>>>> > no authentication, you got a response.
>>>> >
>>>> > - Wiktor
>>>> >
>>>> > >         >> Could someone with relevant knowledge help with my question?
>>>> > >
>>>> > >         I'm not sure what you are asking.  Are you asking how to
>>>> > >         install mTLS certs into the BMC and then use them to connect?
>>>> > >         I am still waiting for documentation that describes how to
>>>> > >         configure and use the mTLS feature.
>>>> > >
>>>> > >         I've added an entry to the security working group as a
>>>> > >         reminder to do this.  (I don't have the skill to document
>>>> > >         this feature.)
>>>> > >
>>>> > >         - Joseph
>>>> > >
>>>> > >         >>
>>>> > >         >> Thanks,
>>>> > >         >> Zhenfei
>>>> > >
>>>>
>>>
>

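Added example, not code from bmcweb or from anyone in this thread: a small C++ model of the two decisions the discussion turns on, the verify callback and the verify-mode flags. The error codes X509_V_OK (0) and X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18) are OpenSSL's real values; the enum, struct and function names (VerifyMode, VerifyContext, handshake, Outcome) are assumed stand-ins for the Boost.Asio and OpenSSL types so the file compiles without linking OpenSSL. permissiveCallback reproduces the pattern quoted above (return true whenever X509_STORE_CTX_get_error reports an error); strictCallback rejects on any error and additionally requires the chain to have pre-verified.

```cpp
// Added example, not bmcweb code. Models the client-verification decisions
// discussed in the thread without linking OpenSSL: only the two X509 error
// values are real, everything else is a stand-in for Boost.Asio/OpenSSL types.
#include <cstdio>
#include <functional>

namespace mtls_model {

// Real OpenSSL values (x509_vfy.h); 18 is the code quoted in the thread.
constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;

// Stand-ins for boost::asio::ssl::verify_peer / verify_fail_if_no_peer_cert
// (bit values assumed, only the combination matters here).
enum VerifyMode : unsigned { verify_peer = 0x1, verify_fail_if_no_peer_cert = 0x2 };

// Stand-in for boost::asio::ssl::verify_context: what X509_STORE_CTX_get_error()
// would report for the certificate currently being checked.
struct VerifyContext { int error; };

// Same shape as the Boost.Asio verify callback: (preverified, context) -> accept?
using VerifyCallback = std::function<bool(bool, VerifyContext&)>;

// The pattern quoted in the thread: a verification error short-circuits to
// "accept", so a self-signed client cert that is not in the trust store
// (error 18) is treated as a valid client. This is the fail-open bug.
bool permissiveCallback(bool /*preverified*/, VerifyContext& ctx)
{
    if (ctx.error != X509_V_OK)
    {
        return true;
    }
    return true;
}

// Hardened form: accept only if OpenSSL's chain building succeeded for this
// depth and no error is pending. Identity checks (CN/SAN -> user mapping)
// belong after this gate, never instead of it.
bool strictCallback(bool preverified, VerifyContext& ctx)
{
    return preverified && ctx.error == X509_V_OK;
}

enum class Outcome { HandshakeFailed, AuthenticatedByCert, NeedsOtherAuth };

// What the server ends up with after the TLS handshake, given the verify
// mode, whether the client sent a certificate, and the verification result
// OpenSSL would hand to the callback for that certificate.
Outcome handshake(unsigned mode, bool clientSentCert, bool chainOk, int error,
                  const VerifyCallback& cb)
{
    if (!(mode & verify_peer))
    {
        return Outcome::NeedsOtherAuth; // no CertificateRequest sent at all
    }
    if (!clientSentCert)
    {
        // verify_peer alone lets the handshake finish so that the upper
        // layer (Basic Auth, sessions) can authenticate the request instead.
        return (mode & verify_fail_if_no_peer_cert) ? Outcome::HandshakeFailed
                                                    : Outcome::NeedsOtherAuth;
    }
    VerifyContext ctx{error};
    return cb(chainOk, ctx) ? Outcome::AuthenticatedByCert
                            : Outcome::HandshakeFailed;
}

const char* name(Outcome o)
{
    switch (o)
    {
        case Outcome::HandshakeFailed:     return "handshake failed";
        case Outcome::AuthenticatedByCert: return "authenticated by client cert";
        case Outcome::NeedsOtherAuth:      return "TLS up, needs Basic Auth/session";
    }
    return "?";
}

} // namespace mtls_model

int main()
{
    using namespace mtls_model;
    const unsigned strictMode = verify_peer | verify_fail_if_no_peer_cert;
    const int selfSigned = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
    std::printf("permissive cb, untrusted self-signed cert: %s\n",
                name(handshake(verify_peer, true, false, selfSigned, permissiveCallback)));
    std::printf("strict cb, untrusted self-signed cert:     %s\n",
                name(handshake(verify_peer, true, false, selfSigned, strictCallback)));
    std::printf("strict cb, cert signed by trusted CA:      %s\n",
                name(handshake(verify_peer, true, true, X509_V_OK, strictCallback)));
    std::printf("verify_peer, no client cert:               %s\n",
                name(handshake(verify_peer, false, false, X509_V_OK, strictCallback)));
    std::printf("verify_peer|fail_if_no_peer_cert, no cert: %s\n",
                name(handshake(strictMode, false, false, X509_V_OK, strictCallback)));
    return 0;
}
```

Two separate things to check when hardening this path: the callback must never short-circuit to true on an error (that is what turned a self-signed client cert missing from the trust store into a valid login), and verify_peer on its own still lets a client with no certificate complete the handshake, which is deliberate so Basic Auth can take over; only verify_fail_if_no_peer_cert turns that into a handshake failure, at the cost of demanding a certificate on every connection.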

Thread overview: 14+ messages
     [not found] <mailman.1237.1587601186.5884.openbmc@lists.ozlabs.org>
2020-04-23 10:47 ` mTLS on bmcweb P. K. Lee (李柏寬)
2020-04-23 15:50   ` Joseph Reynolds
2020-04-23 16:36     ` Zhenfei Tai
2020-04-23 17:35       ` Richard Hanley
2020-04-24 17:03         ` Wiktor Gołgowski
2020-04-30 13:27           ` P. K. Lee (李柏寬)
2020-04-30 18:34             ` Zhenfei Tai
2020-04-30 19:09               ` Zhenfei Tai
2020-04-30 23:39                 ` Zhenfei Tai
2020-05-04  2:27                   ` P. K. Lee (李柏寬)
2020-05-06 11:13                     ` Zbyszek [this message]
2020-06-08  2:48 Ed Tanous
2020-06-10  3:50 ` Zhenfei Tai
  -- strict thread matches above, loose matches on Subject: below --
2020-04-22 21:58 Zhenfei Tai
