On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com> wrote:
I did more testing and found the reason why it accepts any client certification.The error is due to the self signed certificate cannot be found in the list of trusted certificates.Without the user defined verify callback function, it works as expected.
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
// Check if certificate is OKint error = X509_STORE_CTX_get_error(cts);if (error != X509_V_OK){return true;}
Yes, I also thought the key is that the self-signed certificate is not in the trusted store.However, the self-signed CA certificate I uploaded using the Redfish API and modify the code to another "set_verify_mode" is actually useless.
On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote:
Also, with that change in http_connection.h, it still accepts any client certificate provided in curl.
Here's what I did:1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert
Behavior after change:1. Rejects curl without client certificate.2. Returns when client certificate matches the one authority directory.3. Rejects when client sends other certificates.
The change is just for testing purposes, I guess the original intention was not to mTLS every request.
It works :D
On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote:
Hi P.K.
I tried the same thing.
Could you share which url you tested?With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen.
Thanks,Zhenfei
On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote:
I found a way to fix this issue, but it needs to be modified to the source code. In two steps:
Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"
Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
It will enable enforce mTLS authentication.
Best,
P.K.
> -----Original Message-----
> From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>
> Sent: Saturday, April 25, 2020 1:03 AM
> To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com>
> Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>;
> jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph
> Reynolds <jrey@linux.ibm.com>
> Subject: Re: mTLS on bmcweb
>
>
>
> On 4/23/20 7:35 PM, Richard Hanley wrote:
> > My guess is that somehow the root cert used to validate clients isn't installed
> correctly, and so it's defaulting to basic auth.
> >
> > At least that's my reading of this review
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> >
>
> I think this would be the case. If the client certificate is not provided, TLS
> connection is still established, just without authenticating the client. This
> allows upper layer to provide other authentication methods (e.g. Basic Auth).
> >
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com
> <mailto:ztai@google.com>> wrote:
> >
> > I guess part of my question is how to configure the mTLS certs to make
> it work properly.
> >
> > So far only https works (server side TLS).
> >
> > Thanks,
> > Zhenfei
> >
> > On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com
> <mailto:jrey@linux.ibm.com>> wrote:
> >
> > On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> > > Hi,
> > >
> > > I encountered the same issue when using Redfish to replace the
> certificate.
> > > Regardless of whether the parameters include --cert --key
> --cacert or only --cacert, the authentication can still succeed.
> > >
> > > Best,
> > > P.K.
> > >
> > >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> > >> From: Zhenfei Tai <ztai@google.com
> <mailto:ztai@google.com>>
> > >> To: openbmc@lists.ozlabs.org
> <mailto:openbmc@lists.ozlabs.org>
> > >> Subject: mTLS on bmcweb
> > >> Message-ID:
> >
> >> <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@
> mail.g
> > >> mail.com <http://mail.com>>
> > >> Content-Type: text/plain; charset="utf-8"
> > >>
> > >> Hi,
> > >>
> > >> I'm trying out bmcweb mTLS which should be enabled by
> default by
> > >>
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> > >>
> > >> In my test, I created a self signed key and certificate pair,
> stacked them
> > >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> > >>
> > >> However when I tried to curl bmcweb service, I was able to get
> response by
> > >> only supplying the cert.
> > >>
> > >> curl --cacert cert.pem https://${bmc}/redfish/v1
> > >>
> > >> With the mTLS enabled, I expected it should error out since no
> client
> > >> certificate is provided.
> > >>
>
> As mentioned, if you did not provide a client certificate, connection was
> established to allow for Basic Auth. And as the Service Root requires no
> authentication, you got a response.
>
> - Wiktor
>
> > >> Could someone with relevant knowledge help with my
> question?
> >
> > I'm not sure what you are asking. Are you asking how to install
> mTLS
> > certs into the BMC and then use them to connect? I am still
> waiting for
> > documentation that describes how to configure and use the mTLS
> feature.
> >
> > I've added an entry to the security working group as a reminder to
> do
> > this. (I don't have the skill to document this feature.)
> >
> > - Joseph
> >
> > >>
> > >> Thanks,
> > >> Zhenfei
> >