| author | Alan Kuo <Alan_Kuo@quantatw.com> | 2020-11-26 06:15:29 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2020-12-12 04:46:28 +0300 |
| commit | a82207087d79c4dd85447bdacfd4de91be4e7166 (patch) | |
| tree | e452ce36b3df5889bafeae2f163a7f599c02d398 /src | |
| parent | 9e319cf0c5ee714cdd879a1d2a6e5b5ac96c7f1d (diff) | |
| download | bmcweb-a82207087d79c4dd85447bdacfd4de91be4e7166.tar.xz | |
Add hostname listener for generating self-signed HTTPS certificate
- Add a hostname listener that will create a self-signed HTTPS
certificate with the appropriate subject when the BMC gets its
hostname assigned via IPMI. The "insecure-disable-ssl" must be
disabled for this feature to take effect.
Note:
- New self-signed certificate subject: C=US, O=OpenBMC, CN=${hostname}
- If the same hostname is assigned, it will not be triggered
- Only the self-signed certificate with Netscape Comment of
"Generated from OpenBMC service" will be replaced
Details about certificate key usage:
- NID_basic_constraints
The CA boolean indicates whether the certified public key may be
used to verify certificate signatures.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
- NID_subject_alt_name
Although the use of the Common Name is existing practice, it is
deprecated and Certification Authorities are encouraged to use the
dNSName instead.
Refer to: https://tools.ietf.org/html/rfc2818#section-3.1
- NID_subject_key_identifier
The subject key identifier extension provides a means of
identifying certificates that contain a particular public key.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
- NID_authority_key_identifier
The authority key identifier extension provides a means of
identifying the public key corresponding to the private key used
to sign a certificate.
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.1
- NID_key_usage
- NID_ext_key_usage
id-kp-serverAuth
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
Refer to: https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Tested:
- To test and verify the service is functionally working correctly,
we can use `openssl` and `ipmitool` to execute the following
commands:
- Assign BMC hostname
ipmitool -H $IP -I lanplus -U root -P 0penBmc -C 17 dcmi set_mc_id_string $hostname
- Get BMC server certificate information
echo quit | openssl s_client -showcerts -servername $IP -connect $IP:443
Signed-off-by: Alan Kuo <Alan_Kuo@quantatw.com>
Change-Id: I24aeb4d2fb46ff5f0cc1c6aa65984f46b0e1d3e2
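To make the certificate profile listed in the commit message concrete, here is an added Go example (not bmcweb code, which generates its certificate with OpenSSL in C++) that builds a self-signed certificate with that extension set using only the standard library and reads back the Netscape Comment the listener keys its replacement rule on. The hostname and the ECDSA P-256 key are assumptions; the key usage is digitalSignature only, since keyEncipherment applies to RSA key exchange, not ECDSA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
var oidNetscapeComment = asn1.ObjectIdentifier{2, 16, 840, 1, 113730, 1, 13} // Netscape Comment extension
const openBMCComment = "Generated from OpenBMC service" // only certificates carrying this comment are replaced
// SelfSignedForHost builds a self-signed server certificate with the extension set the commit message
// lists: C=US/O=OpenBMC/CN=hostname, SAN dNSName, CA:FALSE, SKI/AKI, digitalSignature, id-kp-serverAuth.
func SelfSignedForHost(hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 is an assumption of this example
	if err != nil {
		return nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	ski := sha1.Sum(spki) // key identifier derived from the public key (RFC 5280 4.2.1.2)
	comment, _ := asn1.MarshalWithParams(openBMCComment, "ia5")
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"OpenBMC"}, CommonName: hostname},
		DNSNames:     []string{hostname}, // RFC 2818: clients match dNSName, CN alone is deprecated
		BasicConstraintsValid: true,      // CA:FALSE, the key must not certify other keys
		KeyUsage:     x509.KeyUsageDigitalSignature, // enough for ECDHE_ECDSA; keyEncipherment is an RSA bit
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // id-kp-serverAuth
		SubjectKeyId: ski[:], AuthorityKeyId: ski[:], // self-signed, so AKI equals SKI
		ExtraExtensions: []pkix.Extension{{Id: oidNetscapeComment, Value: comment}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// IsOpenBMCGenerated mirrors the replacement rule: the Netscape Comment must read openBMCComment.
func IsOpenBMCGenerated(cert *x509.Certificate) bool {
	var comment string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidNetscapeComment) {
			asn1.Unmarshal(ext.Value, &comment) // a malformed value leaves comment empty
		}
	}
	return comment == openBMCComment
}
```

A certificate installed by an operator (no Netscape Comment) makes IsOpenBMCGenerated return false, which is the case the listener must leave untouched.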
Diffstat (limited to 'src')
-rw-r--r-- | src/webserver_main.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp index 3e796c29e5..b5bc28cac9 100644 --- a/src/webserver_main.cpp +++ b/src/webserver_main.cpp @@ -4,6 +4,7 @@ #include <boost/asio/io_context.hpp> #include <dbus_monitor.hpp> #include <dbus_singleton.hpp> +#include <hostname_monitor.hpp> #include <ibm/management_console_rest.hpp> #include <image_upload.hpp> #include <kvm_websocket.hpp> @@ -124,6 +125,11 @@ int main(int /*argc*/, char** /*argv*/) } #endif +#ifdef BMCWEB_ENABLE_SSL + BMCWEB_LOG_INFO << "Start Hostname Monitor Service..."; + crow::hostname_monitor::registerHostnameSignal(); +#endif + app.run(); io->run(); |
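Review bot: the new `#include <hostname_monitor.hpp>` in the first hunk is unconditional, while the only use of it (`crow::hostname_monitor::registerHostnameSignal()`) sits under `#ifdef BMCWEB_ENABLE_SSL`. If the header pulls in the certificate-generation code, a build with `insecure-disable-ssl` set will compile code it never uses, or fail if that code needs OpenSSL. Suggest moving the include under the same `#ifdef BMCWEB_ENABLE_SSL` guard, or confirming in the header that it compiles cleanly without SSL.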
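Review bot: nothing in the second hunk observes whether `registerHostnameSignal()` succeeded. If the D-Bus signal match cannot be registered, the BMC keeps serving its old certificate with only the "Start Hostname Monitor Service..." info line in the log, which makes a missing hostname-to-certificate update hard to diagnose. Suggest having the function return an error or boolean and logging at error level on failure, and logging when a certificate is actually replaced, since a change to the served TLS identity is an event operators will want to audit.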