edtanous
commented
3 hours ago Thanks for filing this.
Technically 463a0e3e880340a119bf986bab039d1afbe1a432 was a partial revert to fix a previous regression. To my understanding there has never been a mode where:
- The browser doesn't prompt for a certificate.
- Automation (curl etc) can optionally provide a certificate if it's available
Given that the number of users of mtls is very low and the number of people that use the webui is quite high, I picked the lesser of two evils.
Openssl man pages shows that there's an option, SSL_VERIFY_POST_HANDSHAKE, that might be able to handle this use case, but it appears to be more complex than just enabling the option, and requires some level of connection code to handle it.
Alternatively, we could try to detect the browser at the TLS connection, but a wireshark dump of the data didn't show anything obvious that we could use to identify "this is a browser".
Would love some help to fix this for all use cases.
williamspatrick
Is this the right place to submit this?
Bug Description
Running Redfish operations with mTLS enabled currently
401 Unauthorized, unless explicitly settingTLSStrict: truein thebmcweb_persistent_data.json.curl --include --key $KEY_PATH --cert $CERT_PATH https://bmcdevice/redfish/v1/Systems/systemThis was introduced with 463a0e3e880340a119bf986bab039d1afbe1a432 and appears to be fixed by reverting.
The current bmcweb compile modifications and
PACKAGECONFIGcan be seen at https://github.com/openbmc/openbmc/blob/56a1db99ffbce908d8e78e0f5540f5db55cb546f/meta-facebook/recipes-phosphor/interfaces/bmcweb_%25.bbappend#L4 .Version
Additional Information
No response