From: Zhenfei Tai <ztai@google.com>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: "P. K. Lee (李柏寬)" <P.K.Lee@quantatw.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: Re: mTLS on bmcweb
Date: Thu, 23 Apr 2020 09:36:39 -0700	[thread overview]
Message-ID: <CAMXw96NDQ7CrY_pTZH+NugOD_6Z0HiKw1dO4vKkpaiRauFgVyQ@mail.gmail.com> (raw)
In-Reply-To: <c34fc105-657d-1e33-e3fc-90cb5afba75a@linux.ibm.com>


I guess part of my question is how to configure the mTLS certs to make it
work properly.

So far only https works (server side TLS).

Thanks,
Zhenfei

On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:

> On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> > Hi,
> >
> > I encountered the same issue when using Redfish to replace the certificate.
> > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
> >
> > Best,
> > P.K.
> >
> >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> >> From: Zhenfei Tai <ztai@google.com>
> >> To: openbmc@lists.ozlabs.org
> >> Subject: mTLS on bmcweb
> >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
> >> Content-Type: text/plain; charset="utf-8"
> >>
> >> Hi,
> >>
> >> I'm trying out bmcweb mTLS which should be enabled by default by
> >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> >>
> >> In my test, I created a self-signed key and certificate pair, stacked them
> >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> >>
> >> However, when I tried to curl the bmcweb service, I was able to get a
> >> response by only supplying the cert.
> >>
> >> curl --cacert cert.pem  https://${bmc}/redfish/v1
> >>
> >> With the mTLS enabled, I expected it should error out since no client
> >> certificate is provided.
> >>
> >> Could someone with relevant knowledge help with my question?
>
> I'm not sure what you are asking.  Are you asking how to install mTLS
> certs into the BMC and then use them to connect?  I am still waiting for
> documentation that describes how to configure and use the mTLS feature.
>
> I've added an entry to the security working group as a reminder to do
> this.  (I don't have the skill to document this feature.)
>
> - Joseph
>
> >>
> >> Thanks,
> >> Zhenfei
>
>
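
As an added example (not code from this thread and not bmcweb's own code), the following loopback lab runs the two curl probes discussed above against a stand-in server and shows what each should return. It uses `openssl s_server` in place of bmcweb, with `-Verify` (client certificate required, which is what an enforced mTLS endpoint must do) versus `-verify` (client certificate merely requested, which is what a server that "still succeeds with only --cacert" looks like); the CA, server and client certificates, the file names, and the loopback ports are all generated or chosen for this example. The security point it demonstrates: curl's `--cacert` only sets the CA used to verify the server's certificate and sends no client certificate, so `curl --cacert` alone must fail against a server that enforces mTLS; if it succeeds, the server is at most requesting a client certificate, not requiring one, and the client-cert check has not actually been exercised. Requires openssl 1.1.1 or later and curl on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from bmcweb: a loopback lab that
# runs the two curl probes discussed on the list against an openssl s_server
# configured either to REQUIRE a client certificate (-Verify, real mTLS) or to
# merely REQUEST one (-verify). Needs openssl >= 1.1.1 and curl on PATH.
set -e

# write_config DIR: minimal openssl.cnf (hypothetical file name) so the
# certificate generation does not depend on the system config file.
write_config() {
    cat >"$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_certs DIR: one CA, a server certificate with a SAN for 127.0.0.1, and a
# client certificate, both signed by that CA. ca.pem is what --cacert points
# at; client.pem/client.key are what --cert/--key point at.
make_certs() {
    dir=$1
    write_config "$dir"
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 \
        -subj "/CN=example-lab-ca" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:localhost,IP:127.0.0.1' >"$dir/server.ext"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = clientAuth' \
        >"$dir/client.ext"
    for name in server client; do
        openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
            -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# start_server DIR PORT MODE: MODE=require uses -Verify (handshake fails
# without a client certificate); MODE=request uses -verify (certificate
# optional). Prints the server PID once the port accepts connections.
start_server() {
    dir=$1; port=$2
    if [ "$3" = require ]; then vflag=-Verify; else vflag=-verify; fi
    openssl s_server -accept "127.0.0.1:$port" -cert "$dir/server.pem" \
        -key "$dir/server.key" -CAfile "$dir/ca.pem" "$vflag" 2 -www \
        >/dev/null 2>&1 &
    pid=$!
    tries=0
    # s_client prints CONNECTED as soon as TCP is up, even if TLS is refused
    until openssl s_client -connect "127.0.0.1:$port" </dev/null 2>/dev/null \
            | grep -q CONNECTED; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || { kill "$pid"; return 1; }
        sleep 1
    done
    echo "$pid"
}

# probe DIR PORT KIND: KIND=server-only is the thread's "curl --cacert" call
# (server authenticated, no client certificate sent); KIND=mutual adds
# --cert/--key. Prints "accepted" on HTTP 200, "rejected" otherwise.
probe() {
    dir=$1; port=$2
    if [ "$3" = mutual ]; then
        set -- --cert "$dir/client.pem" --key "$dir/client.key"
    else
        set --
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$dir/ca.pem" \
        "$@" "https://127.0.0.1:$port/" 2>/dev/null) || true
    if [ "$code" = 200 ]; then echo accepted; else echo rejected; fi
}

# run_mtls_check PORT MODE: prints "<server-only result> <mutual result>"
run_mtls_check() {
    d=$(mktemp -d)
    make_certs "$d"
    srv=$(start_server "$d" "$1" "$2")
    without=$(probe "$d" "$1" server-only)
    with=$(probe "$d" "$1" mutual)
    kill "$srv" 2>/dev/null || true
    rm -rf "$d"
    echo "$without $with"
}

echo "require (mTLS enforced): $(run_mtls_check 14433 require)"   # rejected accepted
echo "request (cert optional): $(run_mtls_check 14434 request)"   # accepted accepted
```

Run it with `sh` on a host with openssl and curl. In OpenSSL terms `-Verify` sets SSL_VERIFY_PEER together with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, while `-verify` sets SSL_VERIFY_PEER alone; the same distinction applies to any server built on OpenSSL, so the "server-only" probe is the check to run against a BMC to confirm that client certificates are required rather than merely accepted. A `--cacert`-only request that returns 200 means the client-certificate path was never exercised, whatever the build option says.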



Thread overview: 14+ messages
     [not found] <mailman.1237.1587601186.5884.openbmc@lists.ozlabs.org>
2020-04-23 10:47 ` mTLS on bmcweb P. K. Lee (李柏寬)
2020-04-23 15:50   ` Joseph Reynolds
2020-04-23 16:36     ` Zhenfei Tai [this message]
2020-04-23 17:35       ` Richard Hanley
2020-04-24 17:03         ` Wiktor Gołgowski
2020-04-30 13:27           ` P. K. Lee (李柏寬)
2020-04-30 18:34             ` Zhenfei Tai
2020-04-30 19:09               ` Zhenfei Tai
2020-04-30 23:39                 ` Zhenfei Tai
2020-05-04  2:27                   ` P. K. Lee (李柏寬)
2020-05-06 11:13                     ` Zbyszek
2020-06-08  2:48 Ed Tanous
2020-06-10  3:50 ` Zhenfei Tai
  -- strict thread matches above, loose matches on Subject: below --
2020-04-22 21:58 Zhenfei Tai
