From: Zbyszek
Date: Wed, 6 May 2020 13:13:50 +0200
Subject: Re: mTLS on bmcweb
To: openbmc@lists.ozlabs.org
List-Id: Development list for OpenBMC

Hi, proper documentation that describes how to configure and use the mTLS feature is in progress and soon will appear in OpenBmc docs.
Thanks for your patience :)


Mon, 4 May 2020 at 04:29 P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote:

On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com> wrote:

I did more testing and found the reason why it accepts any client certificate.
The error is that the self-signed certificate cannot be found in the list of trusted certificates.
Without the user-defined verify callback function, it works as expected.

#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18

// Check if certificate is OK
int error = X509_STORE_CTX_get_error(cts);
if (error != X509_V_OK)
{
    // returning true here tells the TLS layer to accept the peer even though verification failed
    return true;
}

Yes, I also thought the key is that the self-signed certificate is not in the trusted store.
However, the self-signed CA certificate I uploaded using the Redfish API and modifying the code to another "set_verify_mode" are actually useless.

On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote:
Also, with that change in http_connection.h, it still accepts any client certificate provided in curl.

Here's what I did:
1. Disabled BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert

Behavior after change:
1. Rejects curl without client certificate.
2. Returns when client certificate matches the one in the authority directory.
3. Rejects when client sends other certificates.

The change is just for testing purposes; I guess the original intention was not to mTLS every request.

It works :D

On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote:
Hi P.K.

I tried the same thing.

Could you share which url you tested?
With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen.

Thanks,
Zhenfei

On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote:
I found a way to fix this issue, but it needs modifications to the source code. In two steps:

Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"

Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)

It will enforce mTLS authentication.

Best,
P.K.

> -----Original Message-----
> From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>
> Sent: Saturday, April 25, 2020 1:03 AM
> To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com>
> Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>;
> jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph
> Reynolds <jrey@linux.ibm.com>
> Subject: Re: mTLS on bmcweb
>
>
>
> On 4/23/20 7:35 PM, Richard Hanley wrote:
> > My guess is that somehow the root cert used to validate clients isn't installed
> > correctly, and so it's defaulting to basic auth.
> >
> > At least that's my reading of this review
> > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> >
>
> I think this would be the case. If the client certificate is not provided, TLS
> connection is still established, just without authenticating the client. This
> allows upper layer to provide other authentication methods (e.g. Basic Auth).
> >
> > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com
> > <mailto:ztai@google.com>> wrote:
> >
> >     I guess part of my question is how to configure the mTLS certs to make
> >     it work properly.
> >
> >     So far only https works (server side TLS).
> >
> >     Thanks,
> >     Zhenfei
> >
> >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com
> >     <mailto:jrey@linux.ibm.com>> wrote:
> >
> >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> >         > Hi,
> >         >
> >         > I encountered the same issue when using Redfish to replace the
> >         > certificate.
> >         > Regardless of whether the parameters include --cert --key
> >         > --cacert or only --cacert, the authentication can still succeed.
> >         >
> >         > Best,
> >         > P.K.
> >         >
> >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> >         >> From: Zhenfei Tai <ztai@google.com <mailto:ztai@google.com>>
> >         >> To: openbmc@lists.ozlabs.org <mailto:openbmc@lists.ozlabs.org>
> >         >> Subject: mTLS on bmcweb
> >         >> Message-ID:
> >         >>     <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
> >         >> Content-Type: text/plain; charset="utf-8"
> >         >>
> >         >> Hi,
> >         >>
> >         >> I'm trying out bmcweb mTLS which should be enabled by default by
> >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> >         >>
> >         >> In my test, I created a self signed key and certificate pair, stacked them
> >         >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> >         >>
> >         >> However when I tried to curl bmcweb service, I was able to get response by
> >         >> only supplying the cert.
> >         >>
> >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
> >         >>
> >         >> With the mTLS enabled, I expected it should error out since no client
> >         >> certificate is provided.
> >         >>
>
> As mentioned, if you did not provide a client certificate, connection was
> established to allow for Basic Auth. And as the Service Root requires no
> authentication, you got a response.
>
> - Wiktor
>
> >         >> Could someone with relevant knowledge help with my question?
> >
> >         I'm not sure what you are asking.  Are you asking how to install
> >         mTLS certs into the BMC and then use them to connect?  I am still
> >         waiting for documentation that describes how to configure and use the mTLS
> >         feature.
> >
> >         I've added an entry to the security working group as a reminder to
> >         do this.  (I don't have the skill to document this feature.)
> >
> >         - Joseph
> >
> >         >>
> >         >> Thanks,
> >         >> Zhenfei
> >

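As an added illustration (not bmcweb's code and not posted by anyone in this thread), the stand-alone C++ model below shows why a verify callback that returns true on a store error accepts any client certificate, and how verify_fail_if_no_peer_cert changes the no-certificate case that Basic Auth relies on; VerifyMode, ClientState and handshakeCompletes are assumed names for the simulation, and only the two X509 error values are real OpenSSL constants.

```cpp
// Added example (not bmcweb's code): a stand-alone model of the verify
// decision discussed in this thread. The callback signature and handshake
// simulation are simplified assumptions; the two error codes are real.
#include <cstdio>
#include <functional>

constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;

// Mirrors boost::asio::ssl::verify_peer alone versus
// verify_peer | verify_fail_if_no_peer_cert.
enum class VerifyMode { PeerOptional, PeerRequired };

// Constructed handshake facts about the client (not parsed from real TLS).
struct ClientState {
    bool presentedCert;  // did the client send a certificate at all?
    bool preverified;    // OpenSSL's own chain-building result
    int storeError;      // value X509_STORE_CTX_get_error() would report
};

using VerifyCallback = std::function<bool(bool, int)>;

// The pattern quoted in the thread: a verification error is answered with
// "return true", which tells the TLS layer to accept the peer anyway.
bool acceptOnErrorCallback(bool preverified, int error) {
    if (error != X509_V_OK) {
        return true;
    }
    return preverified;
}

// Hardened form: accept only when the chain check passed and no store
// error is pending.
bool strictCallback(bool preverified, int error) {
    return preverified && error == X509_V_OK;
}

// Simulated TLS-layer outcome: true = handshake completes and the request
// reaches the HTTP layer, false = connection refused. With PeerOptional a
// missing client certificate is not an error, which is why Basic Auth can
// still be used on such a connection.
bool handshakeCompletes(VerifyMode mode, const ClientState& c,
                        const VerifyCallback& cb) {
    if (!c.presentedCert) {
        return mode == VerifyMode::PeerOptional;
    }
    return cb(c.preverified, c.storeError);
}

int main() {
    ClientState selfSigned{true, false, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT};
    std::printf("untrusted self-signed cert: accept-on-error=%d strict=%d\n",
                handshakeCompletes(VerifyMode::PeerOptional, selfSigned, acceptOnErrorCallback),
                handshakeCompletes(VerifyMode::PeerOptional, selfSigned, strictCallback));
}
```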