From: Zhenfei Tai <ztai@google.com>
To: "P. K. Lee (李柏寬)" <P.K.Lee@quantatw.com>
Cc: "Wiktor Gołgowski" <wiktor.golgowski@linux.intel.com>,
	"Richard Hanley" <rhanley@google.com>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	"jrey@linux.ibm.com" <jrey@linux.ibm.com>
Subject: Re: mTLS on bmcweb
Date: Thu, 30 Apr 2020 12:09:04 -0700
Message-ID: <CAMXw96O3Ve0SNaMFdFU52eZ=oLkpveTzG5wmhg_y3B_uHTHXHA@mail.gmail.com>
In-Reply-To: <CAMXw96MT8Co4dDMnWVJj1pXUksV7Bgn14+nykLA=tvyvXShniw@mail.gmail.com>


Also, with that change in http_connection.h, it still accepts any client
certificate provided in curl.

Here's what I did:
1. Disabled BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
2. Uncommented ssl_key_handler.hpp:315 and added
boost::asio::ssl::verify_fail_if_no_peer_cert

Behavior after change:
1. Rejects curl without a client certificate.
2. Returns when the client certificate matches the one in the authority directory.
3. Rejects when the client sends other certificates.

The change is just for testing purposes; I guess the original intention was
not to mTLS every request.

On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote:

> Hi P.K.
>
> I tried the same thing.
>
> Could you share which url you tested?
> With that change, if I access the https://${bmc}/redfish/v1 url in
> chrome, it prompts to choose a client certificate, but will also work if no
> certificate is chosen.
>
> Thanks,
> Zhenfei
>
> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>
> wrote:
>
>> I found a way to fix this issue, but it needs modifications to the
>> source code. In two steps:
>>
>> Step 1.
>> The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);"
>> in http_connection.h is replaced with
>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer |
>> boost::asio::ssl::verify_fail_if_no_peer_cert);"
>>
>> Step 2.
>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
>>
>> It will enable enforced mTLS authentication.
>>
>> Best,
>> P.K.
>>
>> > -----Original Message-----
>> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>
>> > Sent: Saturday, April 25, 2020 1:03 AM
>> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com>
>> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>;
>> > jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph
>> > Reynolds <jrey@linux.ibm.com>
>> > Subject: Re: mTLS on bmcweb
>> >
>> >
>> >
>> > On 4/23/20 7:35 PM, Richard Hanley wrote:
>> > > My guess is that somehow the root cert used to validate clients isn't
>> > > installed correctly, and so it's defaulting to basic auth.
>> > >
>> > > At least that's my reading of this review
>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
>> > >
>> >
>> > I think this would be the case. If the client certificate is not
>> > provided, the TLS connection is still established, just without
>> > authenticating the client. This allows the upper layer to provide other
>> > authentication methods (e.g. Basic Auth).
>> > >
>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com> wrote:
>> > >
>> > >     I guess part of my question is how to configure the mTLS certs to
>> > >     make it work properly.
>> > >
>> > >     So far only https works (server side TLS).
>> > >
>> > >     Thanks,
>> > >     Zhenfei
>> > >
>> > >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>> > >
>> > >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>> > >         > Hi,
>> > >         >
>> > >         > I encountered the same issue when using Redfish to replace
>> > >         > the certificate.
>> > >         > Regardless of whether the parameters include --cert --key
>> > >         > --cacert or only --cacert, the authentication can still succeed.
>> > >         >
>> > >         > Best,
>> > >         > P.K.
>> > >         >
>> > >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>> > >         >> From: Zhenfei Tai <ztai@google.com>
>> > >         >> To: openbmc@lists.ozlabs.org
>> > >         >> Subject: mTLS on bmcweb
>> > >         >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
>> > >         >> Content-Type: text/plain; charset="utf-8"
>> > >         >>
>> > >         >> Hi,
>> > >         >>
>> > >         >> I'm trying out bmcweb mTLS which should be enabled by default by
>> > >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>> > >         >>
>> > >         >> In my test, I created a self-signed key and certificate pair,
>> > >         >> stacked them up into server.pem in /etc/ssl/certs/https that
>> > >         >> bmcweb uses.
>> > >         >>
>> > >         >> However when I tried to curl the bmcweb service, I was able to
>> > >         >> get a response by only supplying the cert.
>> > >         >>
>> > >         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>> > >         >>
>> > >         >> With the mTLS enabled, I expected it should error out since no
>> > >         >> client certificate is provided.
>> > >         >>
>> >
>> > As mentioned, if you did not provide a client certificate, the connection
>> > was established to allow for Basic Auth. And as the Service Root requires
>> > no authentication, you got a response.
>> >
>> > - Wiktor
>> >
>> > >         >> Could someone with relevant knowledge help with my question?
>> > >
>> > >         I'm not sure what you are asking.  Are you asking how to install
>> > >         mTLS certs into the BMC and then use them to connect?  I am still
>> > >         waiting for documentation that describes how to configure and use
>> > >         the mTLS feature.
>> > >
>> > >         I've added an entry to the security working group as a reminder
>> > >         to do this.  (I don't have the skill to document this feature.)
>> > >
>> > >         - Joseph
>> > >
>> > >         >>
>> > >         >> Thanks,
>> > >         >> Zhenfei
>> > >
>>
>
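The verify-mode difference the thread is circling, reproduced with Go's crypto/tls as a stand-in for the Boost.Asio flags (this is an added example, not bmcweb code): tls.VerifyClientCertIfGiven behaves like verify_peer on its own, tls.RequireAndVerifyClientCert like verify_peer | verify_fail_if_no_peer_cert. It mints a throwaway CA and certificates in memory and runs each handshake over loopback TCP; the names test-ca, bmc, operator and stranger are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue mints a throwaway Ed25519 cert for cn, valid for server and client auth; parent == nil self-signs a CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} } // self-sign
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// handshake runs one TLS handshake over loopback TCP and returns the server's verdict: nil means the client was accepted.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { return err }
	defer ln.Close()
	go func() { // the curl side: connect, handshake, then wait for the server to hang up (under TLS 1.3 the client's handshake can finish before the server rejects it)
		if c, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil { c.Read(make([]byte, 1)); c.Close() }
	}()
	c, err := ln.Accept()
	if err != nil { return err }
	defer c.Close()
	return c.(*tls.Conn).Handshake()
}
// probe reports, per server verify mode and client certificate, whether the server accepted the connection.
func probe() map[string]bool {
	ca, stranger := issue("test-ca", nil), issue("stranger", nil) // stranger is self-signed and absent from the server's CA set
	bmc, operator := issue("bmc", &ca), issue("operator", &ca)
	pool := x509.NewCertPool() // stands in for bmcweb's authority directory (server side) and curl --cacert (client side)
	pool.AddCert(ca.Leaf)
	server := func(auth tls.ClientAuthType) *tls.Config { return &tls.Config{Certificates: []tls.Certificate{bmc}, ClientCAs: pool, ClientAuth: auth, SessionTicketsDisabled: true} }
	client := func(certs ...tls.Certificate) *tls.Config { return &tls.Config{RootCAs: pool, ServerName: "bmc", Certificates: certs} }
	lenient, strict := server(tls.VerifyClientCertIfGiven), server(tls.RequireAndVerifyClientCert) // verify_peer alone vs. verify_peer | verify_fail_if_no_peer_cert
	return map[string]bool{
		"verify_peer/no-cert": handshake(lenient, client()) == nil,        // accepted: the curl --cacert case from the thread
		"strict/no-cert":      handshake(strict, client()) == nil,         // rejected
		"strict/good-cert":    handshake(strict, client(operator)) == nil, // accepted
		"strict/foreign-cert": handshake(strict, client(stranger)) == nil, // rejected
	}
}
```

In the rejected cases the client's TLS 1.3 handshake can still return success; a client such as curl only sees the failure when it reads the response, which is why the probe records the server-side verdict.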
