From: Alexander Tereschenko <aleksandr.v.tereschenko@linux.intel.com>
To: openbmc@lists.ozlabs.org
Subject: Re: bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]
Date: Fri, 24 Jan 2020 18:19:07 +0100 [thread overview]
Message-ID: <94fa654c-bfa6-c834-6b18-8867aee49c8f@linux.intel.com> (raw)
In-Reply-To: <f62056a8-ddc9-71ae-620f-b9ac45f3c86a@linux.ibm.com>
On 22-Jan-20 22:23, Joseph Reynolds wrote:
> Notes from the security working group meeting 2020-01-22:
> Highlights below; details in
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
>
> 1. Discuss BMCWeb’s site identity certificate handling, specifically
> intermediate certificates. See
> https://github.com/openbmc/bmcweb/#configuration
>
> Other web servers have directives to concatenate the intermediate
> certificates (excluding the root CA certificates) and send that. What
> does BMCWeb do?
> - What is BMCWeb's default default?
> - Need better docs, for example: How can a BMC admin replace
> theBMCWeb site cert? Is it okay to concatenate intermediate certs?
> Can we document this for BMCWeb?
As discussed during the meeting, I've looked into that and looks like
bmcweb doesn't support sending the cert chain at all right now. When
loading it expects the server's cert file to have just a private key and
certificate in a single file [1], just as we've discussed during the
meeting, and server's init code only loads those [2]. There's an API in
Boost.Asio that could allow loading a chain [3], but it's not used
anywhere, so for bmcweb to support that, a patch must be created.
HTH,
Alexander
[1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
[2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
[3]
https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
next prev parent reply other threads:[~2020-01-24 17:31 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 21:23 Security working group meeting 2020-01-22 Joseph Reynolds
2020-01-24 17:19 ` Alexander Tereschenko [this message]
2020-01-27 16:03 ` bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22] Joseph Reynolds
2020-01-28 18:24 ` Alexander Tereschenko
2020-01-27 17:42 ` Security workgroup meeting times Joseph Reynolds
2020-01-28 0:24 ` Michael Richardson
2020-01-28 0:29 ` Andrew Jeffery
2020-01-28 0:50 ` Bruce Mitchell
2020-01-28 10:41 ` Alexander Tereschenko
2020-01-28 16:20 ` Bruce Mitchell
2020-05-13 18:31 ` Joseph Reynolds
2020-05-13 18:43 ` Bruce Mitchell
2020-05-13 21:50 ` Joseph Reynolds
2020-05-14 15:58 ` Michael Richardson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=94fa654c-bfa6-c834-6b18-8867aee49c8f@linux.intel.com \
--to=aleksandr.v.tereschenko@linux.intel.com \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.