author: Michal Orzel <michalx.orzel@intel.com> 2023-08-18 17:59:11 +0300
committer: Ed Tanous <ed@tanous.net> 2023-08-20 01:24:09 +0300
commit: 7aa9ab0be913a433a42f4815d2ec49111abc9e4d (patch)
tree: 07565c03d3e3f24b15034ac7ed1809e0b4407cbd /http
parent: e334466e707876cdeedcda16e7072b2f4e978695 (diff)
download: bmcweb-7aa9ab0be913a433a42f4815d2ec49111abc9e4d.tar.xz

mTLS: Fix handshake failures

Change introduced in [1] has exposed significant problem in mTLS
verification process, during which an attempt to an uninitialized object
was made. This change removes that attempt and replaces it with resource
that is available at this specific moment of connection lifetime.

Tested:
1. Created and uploaded a set of certificates by following instructions
   from TLS Configuration guide [2].
2. Attempted to access /redfish/v1/SessionService/Sessions endpoint using
   mTLS authentication method. With this fix connection has been
   successful.

[1] https://github.com/openbmc/bmcweb/commit/e01d0c36af115ed46d54b5dbbacfe3ad92226bd3
[2] https://github.com/openbmc/docs/blob/master/security/TLS-configuration.md

Change-Id: I434dbf27169d7ea0207dfd139868d5bf398d24b0
Signed-off-by: Michal Orzel <michalx.orzel@intel.com>

Diffstat (limited to 'http')
-rw-r--r-- http/http_connection.hpp 8
1 files changed, 5 insertions, 3 deletions
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index ba4af3f747..2a6afeb635 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -94,11 +94,13 @@ class Connection :
// don't require auth
if (preverified)
{
- if (!req)
+ boost::asio::ip::address ipAddress;
+ if (getClientIp(ipAddress))
{
- return false;
+ return true;
}
- mtlsSession = verifyMtlsUser(req->ipAddress, ctx);
+
+ mtlsSession = verifyMtlsUser(ipAddress, ctx);
if (mtlsSession)
{
BMCWEB_LOG_DEBUG("{} Generating TLS session: {}", logPtr(this),
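
Review bot: The early exit at `if (getClientIp(ipAddress)) { return true; }` does not say whether a truthy result from getClientIp is the error case, and it flips the early-exit result from `return false` to `return true`, so on that path the verify callback now accepts the handshake without calling verifyMtlsUser or setting mtlsSession. Please add a comment stating the return convention of getClientIp and that continuing without an mTLS session is intended here (in line with the "don't require auth" comment above), and log at this branch so a connection that silently falls back from mTLS can be diagnosed. Since the commit message describes the old `req` access as hitting an uninitialized object, a short comment noting why `req` must not be used in this callback would also keep the dereference from being reintroduced.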