From: Zhenfei Tai <ztai@google.com>
Date: Thu, 30 Apr 2020 16:39:30 -0700
Subject: Re: mTLS on bmcweb
To: P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>
Cc: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>, Richard Hanley <rhanley@google.com>, openbmc@lists.ozlabs.org, jrey@linux.ibm.com
List-Id: Development list for OpenBMC

I did more testing and found the reason why it accepts any client certificate. The error is that the self-signed certificate cannot be found in the list of trusted certificates. Without the user-defined verify callback function, it works as expected.

    #define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18

    // Check if certificate is OK
    int error = X509_STORE_CTX_get_error(cts);
    if (error != X509_V_OK)
    {
        return true;
    }

On Thu, Apr 30, 2020 at 12:09 PM Zhenfei Tai <ztai@google.com> wrote:
> Also, with that change in http_connection.h, it still accepts any client certificate provided in curl.
>
> Here's what I did:
> 1. Disable BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
> 2. Uncommented ssl_key_handler.hpp:315 and added the boost::asio::ssl::verify_fail_if_no_peer_cert
>
> Behavior after change:
> 1. Rejects curl without client certificate.
> 2. Returns when client certificate matches the one authority directory.
> 3. Rejects when client sends other certificates.
>
> The change is just for testing purposes, I guess the original intention was not to mTLS every request.
>
> On Thu, Apr 30, 2020 at 11:34 AM Zhenfei Tai <ztai@google.com> wrote:
>
>> Hi P.K.
>>
>> I tried the same thing.
>>
>> Could you share which url you tested?
>> With that change, if I access the https://${bmc}/redfish/v1 url in chrome, it prompts to choose a client certificate, but will also work if no certificate is chosen.
>>
>> Thanks,
>> Zhenfei
>>
>> On Thu, Apr 30, 2020 at 6:27 AM P. K. Lee (李柏寬) <P.K.Lee@quantatw.com> wrote:
>>
>>> I found a way to fix this issue, but it needs to be modified to the source code. In two steps:
>>>
>>> Step 1.
>>> The source code "adaptor.set_verify_mode(boost::asio::ssl::verify_peer);" in http_connection.h is replaced with
>>> "adaptor.set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);"
>>>
>>> Step 2.
>>> AccountService->Oem->OpenBMC->AuthMethods->TLS is set. (false by default)
>>>
>>> It will enable enforce mTLS authentication.
>>>
>>> Best,
>>> P.K.
>>>
>>> > -----Original Message-----
>>> > From: Wiktor Gołgowski <wiktor.golgowski@linux.intel.com>
>>> > Sent: Saturday, April 25, 2020 1:03 AM
>>> > To: Richard Hanley <rhanley@google.com>; Zhenfei Tai <ztai@google.com>
>>> > Cc: openbmc@lists.ozlabs.org; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; jrey@linux.ibm.com; P. K. Lee (李柏寬) <P.K.Lee@quantatw.com>; Joseph Reynolds <jrey@linux.ibm.com>
>>> > Subject: Re: mTLS on bmcweb
>>> >
>>> > On 4/23/20 7:35 PM, Richard Hanley wrote:
>>> > > My guess is that somehow the root cert used to validate clients isn't installed correctly, and so it's defaulting to basic auth.
>>> > >
>>> > > At least that's my reading of this review
>>> > > https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/27270
>>> > >
>>> >
>>> > I think this would be the case. If the client certificate is not provided, TLS connection is still established, just without authenticating the client. This allows upper layer to provide other authentication methods (e.g. Basic Auth).
>>> > >
>>> > > On Thu, Apr 23, 2020 at 9:47 AM Zhenfei Tai <ztai@google.com> wrote:
>>> > >
>>> > >     I guess part of my question is how to configure the mTLS certs to make it work properly.
>>> > >
>>> > >     So far only https works (server side TLS).
>>> > >
>>> > >     Thanks,
>>> > >     Zhenfei
>>> > >
>>> > >     On Thu, Apr 23, 2020 at 8:50 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:
>>> > >
>>> > >         On 4/23/20 5:47 AM, P. K. Lee (李柏寬) wrote:
>>> > >         > Hi,
>>> > >         >
>>> > >         > I encountered the same issue when using Redfish to replace the certificate.
>>> > >         > Regardless of whether the parameters include --cert --key --cacert or only --cacert, the authentication can still succeed.
>>> > >         >
>>> > >         > Best,
>>> > >         > P.K.
>>> > >         >
>>> > >         >> Date: Wed, 22 Apr 2020 14:58:06 -0700
>>> > >         >> From: Zhenfei Tai <ztai@google.com>
>>> > >         >> To: openbmc@lists.ozlabs.org
>>> > >         >> Subject: mTLS on bmcweb
>>> > >         >> Message-ID: <CAMXw96Pp511sUO=q1XLz2uJzh4S6D7tUwmkvpbnq_yU-iJfiKg@mail.gmail.com>
>>> > >         >> Content-Type: text/plain; charset="utf-8"
>>> > >         >>
>>> > >         >> Hi,
>>> > >         >>
>>> > >         >> I'm trying out bmcweb mTLS which should be enabled by default by
>>> > >         >> https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt#L89
>>> > >         >>
>>> > >         >> In my test, I created a self signed key and certificate pair, stacked them up into server.pem in /etc/ssl/certs/https that bmcweb uses.
>>> > >         >>
>>> > >         >> However when I tried to curl bmcweb service, I was able to get response by only supplying the cert.
>>> > >         >>
>>> > >         >> curl --cacert cert.pem https://${bmc}/redfish/v1
>>> > >         >>
>>> > >         >> With the mTLS enabled, I expected it should error out since no client certificate is provided.
>>> > >         >>
>>> >
>>> > As mentioned, if you did not provide a client certificate, connection was established to allow for Basic Auth. And as the Service Root requires no authentication, you got a response.
>>> >
>>> > - Wiktor
>>> >
>>> > >         >> Could someone with relevant knowledge help with my question?
>>> > >
>>> > >         I'm not sure what you are asking. Are you asking how to install mTLS certs into the BMC and then use them to connect? I am still waiting for documentation that describes how to configure and use the mTLS feature.
>>> > >
>>> > >         I've added an entry to the security working group as a reminder to do this. (I don't have the skill to document this feature.)
>>> > >
>>> > >         - Joseph
>>> > >
>>> > >         >>
>>> > >         >> Thanks,
>>> > >         >> Zhenfei
>>> > >
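The decision logic the thread is circling, as an added example that is not bmcweb's or boost::asio's code: a small C++ model of how the verify-mode flags and the verify callback's return value together decide a server-side handshake, following OpenSSL's documented semantics. The flag bit values, `Client`, `handshakeCompletes` and the two callbacks are assumptions of this model; only the two `X509_V_*` values match OpenSSL.

```cpp
#include <functional>

// Values as in OpenSSL's x509_vfy.h; redefined here so the model needs no OpenSSL.
constexpr int X509_V_OK = 0;
constexpr int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;

// Modelled subset of boost::asio::ssl verify-mode flags (bit values are ours).
enum VerifyMode : unsigned { verify_peer = 1u, verify_fail_if_no_peer_cert = 2u };

using VerifyCallback = std::function<bool(bool preverified, int storeError)>;

// Callback as posted in the thread: it returns true whatever the store reports,
// so every presented certificate is treated as verified.
inline bool callbackAsPosted(bool /*preverified*/, int error) {
    if (error != X509_V_OK) {
        return true;   // the defect: a store error should fail the handshake
    }
    return true;
}

// Hardened form: accept only what the trust store actually verified.
inline bool callbackStrict(bool preverified, int error) {
    return preverified && error == X509_V_OK;
}

// Constructed client behaviour: did it send a cert, and what would
// X509_STORE_CTX_get_error() report for that chain?
struct Client { bool sentCert; int storeError; };

// Does the server-side handshake complete?
inline bool handshakeCompletes(unsigned mode, const Client& c, const VerifyCallback& cb) {
    if (!(mode & verify_peer)) {
        return true;                   // no certificate requested at all
    }
    if (!c.sentCert) {
        // verify_peer alone lets a client with no certificate continue (so the
        // HTTP layer can fall back to Basic Auth); the extra flag aborts instead.
        return !(mode & verify_fail_if_no_peer_cert);
    }
    const bool preverified = (c.storeError == X509_V_OK);
    return cb(preverified, c.storeError);   // the callback's answer is final
}
```

With the callback as posted, a self-signed client certificate that the trust store rejects (error 18) still completes the handshake even with verify_fail_if_no_peer_cert set; the strict callback rejects it and only a chain the store verified gets through.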