Re: BMCWeb policy for HTTPS site identity certificate

[Michael Richardson <mcr@sandelman.ca>]

[-- Attachment #1: Type: text/plain, Size: 1435 bytes --]


Patrick Williams <patrick@stwcx.xyz> wrote:
    > On Thu, Jul 23, 2020 at 10:25:40AM -0500, Joseph Reynolds wrote:
    >> 2. certificate is good but expired or not yet valid - Use the
    >> certificate and log a warning.

    > I suspect that "not yet valid" is a more common case than might be
    > assumed on the surface.  I agree with the recommended action.

    > Many of the Facebook server designs do not have a hardware RTC available
    > to the BMC.  We have an RTC accessible by the BIOS and we also sync with
    > NTP.  That means there is always a period of time after we first plug in
    > the rack where the servers in the rack have a date that is way wrong.

    > It is reasonable to assume the date is just wrong and the certificate is
    > valid.  The clients can validate a certificate which is actually out of
    > date.

An additional design idea if you think you have no valid time, is to set the
time to be the notBefore of the certificate you have.  It's probably at least
that date :-)

    > I'm less settled on using a certificate which is clearly expired, but it
    > is still likely better than using a newly-generated self-signed
    > certificate.

+1.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]