* Re: mTLS on bmcweb
       [not found] <mailman.1237.1587601186.5884.openbmc@lists.ozlabs.org>
@ 2020-04-23 10:47 ` P. K. Lee (李柏寬)
  2020-04-23 15:50   ` Joseph Reynolds
  0 siblings, 1 reply; 14+ messages in thread
From: P. K. Lee (李柏寬) @ 2020-04-23 10:47 UTC (permalink / raw)
  To: ztai; +Cc: openbmc

Hi,

I encountered the same issue when using Redfish to replace the certificate.
Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.

Best,
P.K.

> Date: Wed, 22 Apr 2020 14:58:06 -0700
> From: Zhenfei Tai <ztai@google.com>
> To: openbmc@lists.ozlabs.org
> Subject: mTLS on bmcweb
> Message-ID:
> 	<CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g
> mail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> I'm trying out bmcweb mTLS which should be enabled by default by
> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
> 
> In my test, I created a self-signed key and certificate pair, stacked them
> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
> 
> However when I tried to curl bmcweb service, I was able to get response by
> only supplying the cert.
> 
> curl --cacert cert.pem  https://${bmc}/redfish/v1
> 
> With the mTLS enabled, I expected it should error out since no client
> certificate is provided.
> 
> Could someone with relevant knowledge help with my question?
> 
> Thanks,
> Zhenfei


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: mTLS on bmcweb
  2020-04-23 10:47 ` mTLS on bmcweb P. K. Lee (李柏寬)
@ 2020-04-23 15:50   ` Joseph Reynolds
  2020-04-23 16:36     ` Zhenfei Tai
  0 siblings, 1 reply; 14+ messages in thread
From: Joseph Reynolds @ 2020-04-23 15:50 UTC (permalink / raw)
  To: P. K. Lee (李柏寬), ztai; +Cc: openbmc

On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
> Hi,
>
> I encountered the same issue when using Redfish to replace the certificate.
> Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
>
> Best,
> P.K.
>
>> Date: Wed, 22 Apr 2020 14:58:06 -0700
>> From: Zhenfei Tai <ztai@google.com>
>> To: openbmc@lists.ozlabs.org
>> Subject: mTLS on bmcweb
>> Message-ID:
>> 	<CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g
>> mail.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hi,
>>
>> I'm trying out bmcweb mTLS which should be enabled by default by
>> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>>
>> In my test, I created a self signed key and certificate pair, stacked them
>> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>>
>> However when I tried to curl bmcweb service, I was able to get response by
>> only supplying the cert.
>>
>> curl --cacert cert.pem  https://${bmc}/redfish/v1
>>
>> With the mTLS enabled, I expected it should error out since no client
>> certificate is provided.
>>
>> Could someone with relevant knowledge help with my question?

I'm not sure what you are asking.  Are you asking how to install mTLS 
certs into the BMC and then use them to connect?  I am still waiting for 
documentation that describes how to configure and use the mTLS feature.

I've added an entry to the security working group as a reminder to do 
this.  (I don't have the skill to document this feature.)

- Joseph



* Re: mTLS on bmcweb
  2020-04-23 15:50   ` Joseph Reynolds
@ 2020-04-23 16:36     ` Zhenfei Tai
  2020-04-23 17:35       ` Richard Hanley
  0 siblings, 1 reply; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-23 16:36 UTC (permalink / raw)
  To: Joseph Reynolds; +Cc: P. K. Lee (李柏寬), openbmc


I guess part of my question is how to configure the mTLS certs to make it
work properly.

So far only https works (server side TLS).

Thanks,
Zhenfei




* Re: mTLS on bmcweb
  2020-04-23 16:36     ` Zhenfei Tai
@ 2020-04-23 17:35       ` Richard Hanley
  2020-04-24 17:03         ` Wiktor Gołgowski
  0 siblings, 1 reply; 14+ messages in thread
From: Richard Hanley @ 2020-04-23 17:35 UTC (permalink / raw)
  To: Zhenfei Tai
  Cc: Joseph Reynolds, openbmc, P. K. Lee (李柏寬)


My guess is that somehow the root cert used to validate clients isn't
installed correctly, and so it's defaulting to basic auth.

At least that's my reading of this review
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270






* Re: mTLS on bmcweb
  2020-04-23 17:35       ` Richard Hanley
@ 2020-04-24 17:03         ` Wiktor Gołgowski
  2020-04-30 13:27           ` P. K. Lee (李柏寬)
  0 siblings, 1 reply; 14+ messages in thread
From: Wiktor Gołgowski @ 2020-04-24 17:03 UTC (permalink / raw)
  To: Richard Hanley, Zhenfei Tai
  Cc: openbmc, P.K.Lee, jrey, P. K. Lee (李柏寬),
	Joseph Reynolds



On 4/23/20 7:35 PM, Richard Hanley wrote:
> My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth.
> 
> At least that's my reading of this review https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
> 

I think this would be the case. If the client certificate is not provided, the TLS connection is
still established, just without authenticating the client. This allows the upper layer to provide
other authentication methods (e.g. Basic Auth).
>  
> On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com <mailto:ztai@google.com>> wrote:
> 
>     I guess part of my question is how to configure the mTLS certs to make it work properly.
> 
>     So far only https works (server side TLS).
> 
>     Thanks,
>     Zhenfei
> 
>     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com <mailto:jrey@linux.ibm.com>> wrote:
> 
>         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>         > Hi,
>         >
>         > I encountered the same issue when using Redfish to replace the certificate.
>         > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
>         >
>         > Best,
>         > P.K.
>         >
>         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>         >> From: Zhenfei Tai <ztai@google.com <mailto:ztai@google.com>>
>         >> To: openbmc@lists.ozlabs.org <mailto:openbmc@lists.ozlabs.org>
>         >> Subject: mTLS on bmcweb
>         >> Message-ID:
>         >>      <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.g
>         >> mail.com <http://mail.com>>
>         >> Content-Type: text/plain; charset="utf-8"
>         >>
>         >> Hi,
>         >>
>         >> I'm trying out bmcweb mTLS which should be enabled by default by
>         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>         >>
>         >> In my test, I created a self signed key and certificate pair, stacked them
>         >> up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>         >>
>         >> However when I tried to curl bmcweb service, I was able to get response by
>         >> only supplying the cert.
>         >>
>         >> curl --cacert cert.pem  https://${bmc}/redfish/v1
>         >>
>         >> With the mTLS enabled, I expected it should error out since no client
>         >> certificate is provided.
>         >>

As mentioned, if you did not provide a client certificate, the connection was established to
allow for Basic Auth. And as the Service Root requires no authentication, you got
a response.

- Wiktor



* RE: mTLS on bmcweb
  2020-04-24 17:03         ` Wiktor Gołgowski
@ 2020-04-30 13:27           ` P. K. Lee (李柏寬)
  2020-04-30 18:34             ` Zhenfei Tai
  0 siblings, 1 reply; 14+ messages in thread
From: P. K. Lee (李柏寬) @ 2020-04-30 13:27 UTC (permalink / raw)
  To: Wiktor Gołgowski, Richard Hanley, Zhenfei Tai
  Cc: openbmc, jrey, Joseph Reynolds

I found a way to fix this issue, but it requires modifying the source code. In two steps:

Step 1.
The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with 
"adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"

Step 2.
AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)

It will enable enforced mTLS authentication.

Best,
P.K.



* Re: mTLS on bmcweb
  2020-04-30 13:27           ` P. K. Lee (李柏寬)
@ 2020-04-30 18:34             ` Zhenfei Tai
  2020-04-30 19:09               ` Zhenfei Tai
  0 siblings, 1 reply; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-30 18:34 UTC (permalink / raw)
  To: P. K. Lee (李柏寬)
  Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey


Hi P.K.

I tried the same thing.

Could you share which URL you tested?
With that change, if I access the https://${bmc}/redfish/v1 URL in Chrome,
it prompts to choose a client certificate, but will also work if no
certificate is chosen.

Thanks,
Zhenfei




* Re: mTLS on bmcweb
  2020-04-30 18:34             ` Zhenfei Tai
@ 2020-04-30 19:09               ` Zhenfei Tai
  2020-04-30 23:39                 ` Zhenfei Tai
  0 siblings, 1 reply; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-30 19:09 UTC (permalink / raw)
  To: P. K. Lee (李柏寬)
  Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey


Also, with that change in http_connection.h, it still accepts any client
certificate provided in curl.

Here's what I did:
1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
2. Uncommented ssl_key_handler.hpp:315 and added the
boost::asio::ssl::verify_fail_if_no_peer_cert

Behavior after change:
1. Rejects curl without client certificate.
2. Returns when client certificate matches the one authority directory.
3. Rejects when client sends other certificates.

The change is just for testing purposes; I guess the original intention was
not to apply mTLS to every request.




* Re: mTLS on bmcweb
  2020-04-30 19:09               ` Zhenfei Tai
@ 2020-04-30 23:39                 ` Zhenfei Tai
  2020-05-04  2:27                   ` P. K. Lee (李柏寬)
  0 siblings, 1 reply; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-30 23:39 UTC (permalink / raw)
  To: P. K. Lee (李柏寬)
  Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey


I did more testing and found the reason why it accepts any client
certificate.
The error is that the self-signed certificate cannot be found in the list
of trusted certificates.
Without the user-defined verify callback function, it works as expected.

#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18

// Check if certificate is OK
int error = X509_STORE_CTX_get_error(cts);
if (error != X509_V_OK)
{
    // Returning true here tells OpenSSL to accept the certificate even though
    // verification reported an error, so an untrusted client cert passes.
    return true;
}

On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote:

> Also, with that change in http_connection.h, it still accepts any client
> certificate provided in curl.
>
> Here's what I did:
> 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
> 2. Uncommented ssl_key_handler.hpp:315 and added the
> boost::asio::ssl::verify_fail_if_no_peer_cert
>
> Behavior after change:
> 1. Rejects curl without client certificate.
> 2. Returns when client certificate matches the one authority directory.
> 3. Rejects when client sends other certificates.
>
> The change is just for testing purposes, I guess the original intention
> was not to mTLS every request.

* Re: mTLS on bmcweb
  2020-04-30 23:39                 ` Zhenfei Tai
@ 2020-05-04  2:27                   ` P. K. Lee (李柏寬)
  2020-05-06 11:13                     ` Zbyszek
  0 siblings, 1 reply; 14+ messages in thread
From: P. K. Lee (李柏寬) @ 2020-05-04  2:27 UTC (permalink / raw)
  To: Zhenfei Tai; +Cc: Wiktor Gołgowski, Richard Hanley, openbmc, jrey

On May 1, 2020, at 07:39, Zhenfei Tai <ztai@google.com> wrote:

I did more testing and found the reason why it accepts any client certificate.
The error is because the self-signed certificate cannot be found in the list of trusted certificates.
Without the user-defined verify callback function, it works as expected.

#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18

// Check if certificate is OK
int error = X509_STORE_CTX_get_error(cts);
if (error != X509_V_OK)
{
    return true;
}

Yes, I also thought the key is that the self-signed certificate is not in the trusted store.
However, the self-signed CA certificate I uploaded using the Redfish API and the change of the code to another "set_verify_mode" are actually useless.

* Re: mTLS on bmcweb
  2020-05-04  2:27                   ` P. K. Lee (李柏寬)
@ 2020-05-06 11:13                     ` Zbyszek
  0 siblings, 0 replies; 14+ messages in thread
From: Zbyszek @ 2020-05-06 11:13 UTC (permalink / raw)
  To: openbmc

Hi, proper documentation that describes how to configure and use the mTLS
feature is in progress and soon will appear in OpenBmc docs.
Thanks for your patience :)



* Re: mTLS on bmcweb
  2020-06-08  2:48 Ed Tanous
@ 2020-06-10  3:50 ` Zhenfei Tai
  0 siblings, 0 replies; 14+ messages in thread
From: Zhenfei Tai @ 2020-06-10  3:50 UTC (permalink / raw)
  To: Ed Tanous; +Cc: OpenBMC Maillist

Hi Ed,

Thanks for the email with great details!

I came to realize that it was my misunderstanding/assumption which caused
the confusion.
I've reviewed the bmcweb TLS documentation and learned mTLS was only one
authentication option rather than a requirement.

Zhenfei


* RE: mTLS on bmcweb
@ 2020-06-08  2:48 Ed Tanous
  2020-06-10  3:50 ` Zhenfei Tai
  0 siblings, 1 reply; 14+ messages in thread
From: Ed Tanous @ 2020-06-08  2:48 UTC (permalink / raw)
  To: openbmc

>> I did more testing and found the reason why it accepts any client certification.

It looks like you never got a great answer to this.

There's a slight conflict between needs here.  On the one hand, bmcweb
needs to support multiple authentication mechanisms, some of which are
compatible with standards that are more or less set in stone (Redfish,
Dbus-rest api, etc.).  On the other hand, a lot of people looking to
turn on mutual TLS auth are doing so to reduce the scope of code they
have to "trust" for authentication down to only the SSL library, which
(hopefully) is rigorously tested.  The problem arises here that there
are modes, like Redfish and the webui, that require certain assets to
be available without authentication.  In the case of Redfish, it
requires the introspectable schema files, in the case of the webui,
the static pages that make it up need to be loaded so the UI launches
and the user sees a login page.  (Unrelated note, we make more than is
needed available here, but that's a different problem.)

When I first built the patch to do mutual TLS, my intention was to at
least try to support as many authentication mechanisms as I could,
hence the code you're looking at now that only uses the mutual TLS
auth as a _possible_ authentication mechanism, leaving the final
decision to be made by the auth code in bmcweb.  One thing that seems to
have gotten lost in translation somewhere between that code and when
it hit master is that if mutual TLS is the only enabled authentication
mechanism at that point in time, we know that we're not operating in
any standards that would require static assets, and bmcweb can simply
deny the connection on the front end, like you would expect, in the
code that you've already found.

TL;DR;

Add something like this:

// Get the current auth config
AuthConfigMethods& methods =
    crow::persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
// If only mTLS is enabled, we can close the connection immediately,
// as no other auth methods will be tried.
if (methods.xtoken == false &&
    methods.cookie == false &&
    methods.sessionToken == false &&
    methods.basic == false &&
    methods.tls == true)
{
    return false;
}

Here:
https://github.com/openbmc/bmcweb/blame/master/http/http_connection.h#L302

...and I suspect it'll work like you want.
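
The two decisions this thread turns on (a verify callback that returns true on any verification error, so an untrusted self-signed client certificate is still accepted, and Ed's "only mTLS is enabled, so drop the connection" gate), as an added model example that is neither bmcweb's code nor Ed's snippet. It replaces the boost::asio verify callback and OpenSSL with plain values so it runs stand-alone; the struct, enum and function names are constructed, and the two X509 result codes are local copies of the OpenSSL values named above.

```cpp
// Added model of the client-certificate handling discussed in this
// thread. Not bmcweb's code: OpenSSL and boost::asio are replaced by
// plain values so the decision logic can be exercised on its own.

// Local copies of the OpenSSL verify result codes named in the thread
// (X509_V_OK is 0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT is 18).
constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;

// Stand-in for the AuthConfigMethods fields Ed's snippet tests.
struct AuthConfigMethods
{
    bool xtoken = true;
    bool cookie = true;
    bool sessionToken = true;
    bool basic = true;
    bool tls = true;
};

// Ed's condition with the `=` typo written as `==`: true only when
// mutual TLS is the sole enabled mechanism, so no fallback auth exists.
bool onlyMutualTlsEnabled(const AuthConfigMethods& m)
{
    return !m.xtoken && !m.cookie && !m.sessionToken && !m.basic && m.tls;
}

// The verify callback as Zhenfei found it: every verification error is
// swallowed, so the TLS layer keeps a certificate it could not chain.
bool permissiveVerifyCallback(bool preverified, int error)
{
    if (error != X509_V_OK)
    {
        return true;  // accepts e.g. a self-signed cert not in the store
    }
    return preverified;
}

// Hardened form: only a certificate that chained to a CA in the trust
// store counts; a failed chain is treated as "no client certificate".
bool strictVerifyCallback(bool preverified, int error)
{
    return preverified && error == X509_V_OK;
}

enum class Outcome
{
    AuthenticatedByCert,  // client cert verified; TLS auth succeeds
    FallbackToOtherAuth,  // no usable cert; Basic/session auth may follow
    ConnectionRejected    // only mTLS enabled and no usable cert
};

// Models one handshake: whether the client presented a certificate,
// what OpenSSL reported for it, which auth methods are enabled, and
// which callback the server installed.
Outcome handshake(bool certPresented, int certError,
                  const AuthConfigMethods& methods,
                  bool (*verify)(bool, int))
{
    bool certUsable = false;
    if (certPresented)
    {
        // preverified is what OpenSSL's own chain check decided.
        bool preverified = (certError == X509_V_OK);
        certUsable = verify(preverified, certError);
    }
    if (certUsable && methods.tls)
    {
        return Outcome::AuthenticatedByCert;
    }
    // Without a usable cert the connection normally stays up so the
    // upper layer can try Basic Auth (Wiktor's point); Ed's gate closes
    // it instead when mTLS is the only mechanism.
    if (onlyMutualTlsEnabled(methods))
    {
        return Outcome::ConnectionRejected;
    }
    return Outcome::FallbackToOtherAuth;
}
```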


* mTLS on bmcweb
@ 2020-04-22 21:58 Zhenfei Tai
  0 siblings, 0 replies; 14+ messages in thread
From: Zhenfei Tai @ 2020-04-22 21:58 UTC (permalink / raw)
  To: openbmc

Hi,

I'm trying out bmcweb mTLS which should be enabled by default by
https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89

In my test, I created a self signed key and certificate pair, stacked them
up into server.pem in /etc/ssl/certs/https that bmcweb uses.

However when I tried to curl bmcweb service, I was able to get response by
only supplying the cert.

curl --cacert cert.pem  https://${bmc}/redfish/v1

With the mTLS enabled, I expected it should error out since no client
certificate is provided.

Could someone with relevant knowledge help with my question?

Thanks,
Zhenfei
