I guess part of my question is how to configure the mTLS certs to make it work properly. So far only https works (server-side TLS).

Thanks,
Zhenfei

On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds wrote:
> On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> > Hi,
> >
> > I encountered the same issue when using Redfish to replace the certificate.
> > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
> >
> > Best,
> > P.K.
> >
> >> Date: Wed, 22 Apr 2020 14:58:06 -0700
> >> From: Zhenfei Tai
> >> To: openbmc@lists.ozlabs.org
> >> Subject: mTLS on bmcweb
> >> Message-ID:
> >> mail.com>
> >> Content-Type: text/plain; charset="utf-8"
> >>
> >> Hi,
> >>
> >> I'm trying out bmcweb mTLS, which should be enabled by default by
> >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> >>
> >> In my test, I created a self-signed key and certificate pair, stacked them up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> >>
> >> However, when I tried to curl the bmcweb service, I was able to get a response by only supplying the cert.
> >>
> >> curl --cacert cert.pem https://${bmc}/redfish/v1
> >>
> >> With mTLS enabled, I expected it to error out since no client certificate is provided.
> >>
> >> Could someone with relevant knowledge help with my question?
>
> I'm not sure what you are asking. Are you asking how to install mTLS certs into the BMC and then use them to connect? I am still waiting for documentation that describes how to configure and use the mTLS feature.
>
> I've added an entry to the security working group as a reminder to do this. (I don't have the skill to document this feature.)
>
> - Joseph
>
> >>
> >> Thanks,
> >> Zhenfei
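The behaviour Zhenfei and P.K. report (a connection that succeeds with only --cacert) is what a TLS server does when it merely *verifies a client certificate if one is offered*, as opposed to one that *requires* it. The thread does not say which of the two policies bmcweb implements, so the example below is not bmcweb code and not from the thread; it is an added, self-contained Go (standard library only) demonstration of the difference. It builds a throwaway PKI in memory (CA "test-ca", server cert for "localhost", client cert "bmc-admin"; all names are made up for the example), starts a loopback TLS listener under each client-auth policy, and records what the server concluded about the peer. In curl terms, RootCAs corresponds to --cacert and the client's Certificates to --cert/--key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a P-256 key and a certificate for cn. A CA is self-signed; leaf
// certificates are signed by parent/parentKey and carry the given extended key usage.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	isCA bool, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		if eku == x509.ExtKeyUsageServerAuth {
			tmpl.DNSNames = []string{cn} // the client verifies this SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// testPKI holds the constructed CA pool plus server and client identities (example data).
type testPKI struct {
	pool                   *x509.CertPool
	serverCert, clientCert tls.Certificate
}

func buildPKI() (*testPKI, error) {
	ca, caKey, err := issue("test-ca", nil, nil, true, 0)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issue("localhost", ca, caKey, false, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return nil, err
	}
	cli, cliKey, err := issue("bmc-admin", ca, caKey, false, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &testPKI{pool: pool,
		serverCert: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		clientCert: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}, nil
}

// tryHandshake runs one handshake against a loopback server configured with policy.
// withClientCert controls whether the client offers "bmc-admin" (like curl --cert/--key).
// It returns the server's verdict: the verified peer CN ("" if none) and the server-side
// handshake error, which is what decides whether the request would be served.
func (p *testPKI) tryHandshake(policy tls.ClientAuthType, withClientCert bool) (string, error) {
	tcpLn, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer tcpLn.Close()
	_ = tcpLn.(*net.TCPListener).SetDeadline(time.Now().Add(5 * time.Second))
	ln := tls.NewListener(tcpLn, &tls.Config{Certificates: []tls.Certificate{p.serverCert},
		ClientAuth: policy, ClientCAs: p.pool, MinVersion: tls.VersionTLS12})

	type verdict struct {
		cn  string
		err error
	}
	res := make(chan verdict, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			res <- verdict{err: err}
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		_ = tc.SetDeadline(time.Now().Add(5 * time.Second))
		if err := tc.Handshake(); err != nil {
			res <- verdict{err: err}
			return
		}
		cn := ""
		if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
			cn = peers[0].Subject.CommonName
		}
		res <- verdict{cn: cn}
	}()

	cfg := &tls.Config{RootCAs: p.pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if withClientCert {
		cfg.Certificates = []tls.Certificate{p.clientCert}
	}
	if conn, err := tls.Dial("tcp", tcpLn.Addr().String(), cfg); err == nil {
		// A TLS 1.3 client finishes its half before the server has judged the client
		// certificate; one read surfaces the server's alert (or EOF after a clean close).
		_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, _ = conn.Read(make([]byte, 1))
		conn.Close()
	}
	v := <-res
	return v.cn, v.err
}

func main() {
	pki, err := buildPKI()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name   string
		policy tls.ClientAuthType
		cert   bool
	}{
		{"required, client presents cert", tls.RequireAndVerifyClientCert, true},
		{"required, client presents nothing", tls.RequireAndVerifyClientCert, false},
		{"optional, client presents nothing", tls.VerifyClientCertIfGiven, false},
	}
	for _, c := range cases {
		cn, err := pki.tryHandshake(c.policy, c.cert)
		fmt.Printf("%-36s -> peer CN=%q  server error=%v\n", c.name, cn, err)
	}
}
```

The third case is the one the thread describes: the server accepts the connection and simply has no authenticated peer identity, so whether the request is then served depends on what the application does with an empty peer, not on TLS. When checking a real BMC, `openssl s_client -connect ${bmc}:443` shows whether the server even requested a client certificate: it prints either "Acceptable client certificate CA names" followed by the configured CA subjects, or "No client certificate CA names sent".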