|
The previous commit 90cd2e1 [1] causes the WebUI to fail to load and
connect. This is because a global static var (`hasWebuiRoute`) is
instantiated per compile unit, which ends up making its value
inconsistent.
Tested:
- Verified the WebUI loads successfully
- Redfish Service Validator passes
[1] https://github.com/openbmc/bmcweb/commit/90cd2e1d2e2228b0c575c9a3b6b2dc75eac9eb68
Change-Id: I09c3a9a831528e25c09299b0ee15993974d94d88
Signed-off-by: Myung Bae <myungbae@us.ibm.com>
|
|
Http2 support in bmcweb has been relatively stable for a while. The
http2 implementation passes all known Redfish tests (some of which
required porting to httpx to support http2), the UI loads, and so far as
the project is concerned, it is a complete improvement over the existing
http1 stack.
This commit removes the experimental classification from http2, and
declares it ready for production use, while enabling it by default.
Note that enabling this by default only makes the server advertise that
http2 is available. Http2 must still be supported by the client to
enable ALPN negotiation, so existing clients that only support http1
will continue to function as they did before.
Tested: Enabled http option and saw http2 advertised, http2 now takes
effect.
Change-Id: I92843a3afc532f0b2a64904bb872e5d84a1a54fe
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
Meta does not use TLSStrict, due to wanting optional password
authentication, but does need mTLS support. 463a0e3 broke this
functionality in order to fix asking for client certificates on the
webui side. Revert to the old behavior only if the webui is not
installed.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
Change-Id: Iae2e62faa5e8341c0422ab0521dea340d4e927b2
|
|
Replace use_certificate with use_certificate_chain to properly handle
both single certificates and certificate chains. This allows loading
and sending the complete certificate chain during TLS handshake,
improving client validation.
Tested with generate_user_auth.py
Change-Id: I8ef1665307ee2e401901a662ac9ee6df7b50937d
Signed-off-by: Ben Peled <bpeled@nvidia.com>
|
|
This commit attempts to add the concept of an SSL detector from beast,
and add the capability into bmcweb. This allows directing multiple
socket files to the bmcweb instance, and bmcweb will automatically sort
out whether or not they're SSL, and give the correct response. This
allows users to plug in erroneous urls like "https://mybmc:80" and they
will forward and work correctly.
Some key design points:
The HTTP side of bmcweb implements the exact same http headers as the
HTTPS side, with the exception of HSTS, which is explicitly disallowed.
This is for consistency and security.
The above allows bmcweb builds to "select" the appropriate security
posture (http, https, or both) for a given channel using the
FileDescriptorName field within a socket file. Items ending in:
both: Will support both HTTPS and HTTP redirect to HTTPS
https: Will support HTTPS only
http: will support HTTP only
Given the flexibility in bind statements, this allows administrators to
support essentially any security posture they like. The openbmc
defaults are:
HTTPS + Redirect on both ports 443 and port 80 if http-redirect is
enabled
And HTTPS only if http-redirect is disabled.
This commit adds the following meson options that each take an array of
strings, indexed on the port.
additional-ports
Adds additional ports that bmcweb should listen to. This is always
required when adding new ports.
additional-protocol
Specifies 'http', 'https', or 'both' for whether or not tls is enforced
on this socket. 'both' allows bmcweb to detect whether a user has
specified tls or not on a given connection and give the correct
response.
additional-bind-to-device
Accepts values that fill the SO_BINDTODEVICE flag in systemd/linux,
and allows binding to a specific device.
additional-auth
Accepts values of 'auth' or 'noauth' that determine whether this
socket should apply the normal authentication routines, or treat the
socket as unauthenticated.
Tested:
Previous commits ran the below tests.
Ran the server with options enabled. Tried:
```
curl -vvvv --insecure --user root:0penBmc http://192.168.7.2/redfish/v1/Managers/bmc
* Trying 192.168.7.2:80...
* Connected to 192.168.7.2 (192.168.7.2) port 80 (#0)
* Server auth using Basic with user 'root'
> GET /redfish/v1/Managers/bmc HTTP/1.1
> Host: 192.168.7.2
> Authorization: Basic cm9vdDowcGVuQm1j
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.7.2
< X-Frame-Options: DENY
< Pragma: no-cache
< Cache-Control: no-Store,no-Cache
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
< Date: Fri, 08 Jan 2021 01:43:49 GMT
< Connection: close
< Content-Length: 0
<
* Closing connection 0
```
Observe above:
webserver returned 301 redirect.
webserver returned the appropriate security headers
webserver immediately closed the connection.
The same test above over https:// returns the values as expected
Loaded the webui to test static file hosting. Webui logs in and works
as expected.
Used the scripts/websocket_test.py to verify that websockets work.
Sensors report as expected.
Change-Id: Ib5733bbe5473fed6e0e27c56cdead0bffedf2993
Signed-off-by: Ed Tanous <ed@tanous.net>
|
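The commit above describes two behaviours without showing them: how a 'both' socket decides whether the first bytes on a connection are TLS or plaintext, and that the plaintext side answers with the same security headers as the HTTPS side minus HSTS (the curl transcript shows the resulting 301). The following is an added example, not bmcweb's or boost::beast's own code: a Python model of the ClientHello sniff as the beast ssl detector performs it on the first nine bytes of a stream (the record-layer and handshake-header checks are from the TLS wire format; the exact ordering is an assumption about beast's implementation), plus a dispatcher keyed on the 'http', 'https', 'both' protocol values. The header set is copied from the curl output in the commit; the HSTS value and what an https-only socket does with plaintext are assumptions.

```python
"""Added example (not bmcweb's code): plaintext-vs-TLS sniffing on the
first bytes of a connection, and the per-socket protocol dispatch."""
from typing import Optional

TLS_RECORD_HANDSHAKE = 0x16       # record content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: client_hello

# Security headers as seen on the plaintext 301 in the commit's curl run.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Pragma": "no-cache",
    "Cache-Control": "no-Store,no-Cache",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; img-src 'self' data:; "
    "font-src 'self'; style-src 'self'; script-src 'self'; "
    "connect-src 'self' wss:",
}


def is_tls_client_hello(data: bytes) -> Optional[bool]:
    """Tri-state sniff of the first bytes of a stream, in the spirit of
    boost::beast's detect_ssl: True = TLS ClientHello, False = definitely
    not TLS, None = need more bytes before deciding."""
    n = len(data)
    if n < 1:
        return None
    if data[0] != TLS_RECORD_HANDSHAKE:
        return False                 # e.g. 'G' of "GET / HTTP/1.1"
    if n < 5:
        return None
    record_len = (data[3] << 8) | data[4]
    # A ClientHello body starts with a 2-byte version and 32-byte random,
    # so a handshake record shorter than 34 bytes cannot carry one.
    if record_len < 34:
        return False
    if n < 6:
        return None
    if data[5] != TLS_HANDSHAKE_CLIENT_HELLO:
        return False
    if n < 9:
        return None
    handshake_len = (data[6] << 16) | (data[7] << 8) | data[8]
    # 4-byte handshake header plus body must fit inside the record.
    if handshake_len + 4 > record_len:
        return False
    return True


def response_headers(over_tls: bool) -> dict:
    """Same header set on both sides; HSTS is only ever sent over TLS
    (the max-age value here is an assumption, not bmcweb's)."""
    headers = dict(SECURITY_HEADERS)
    if over_tls:
        headers["Strict-Transport-Security"] = "max-age=31536000"
    return headers


def handle_first_bytes(data: bytes, protocol: str, host: str) -> dict:
    """Decide what a socket configured as 'http', 'https' or 'both'
    (the additional-protocol values) does with a new connection."""
    tls = is_tls_client_hello(data)
    if tls is None:
        return {"action": "read-more"}
    if tls:
        if protocol == "http":
            return {"action": "close"}   # plaintext-only socket (assumption)
        return {"action": "tls-handshake"}
    if protocol == "https":
        return {"action": "close"}       # TLS-only socket (assumption)
    if protocol == "both":
        return {
            "action": "respond",
            "status": 301,
            "headers": {"Location": f"https://{host}",
                        **response_headers(over_tls=False),
                        "Connection": "close", "Content-Length": "0"},
        }
    return {"action": "serve-http", "headers": response_headers(False)}


# Constructed inputs: a minimal-looking ClientHello record header and the
# start of the plaintext request from the commit's curl transcript.
CLIENT_HELLO = b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c" + b"\x00" * 0x3c
PLAIN_GET = b"GET /redfish/v1/Managers/bmc HTTP/1.1\r\n"

if __name__ == "__main__":
    print(is_tls_client_hello(CLIENT_HELLO), is_tls_client_hello(PLAIN_GET))
    print(handle_first_bytes(PLAIN_GET, "both", "192.168.7.2"))
```

The tri-state return matters in practice: a client may send the 0x16 byte in one segment and the rest later, so a detector that decided on fewer than nine bytes would misclassify slow or fragmented clients, and the server must keep reading until it can decide.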
|
Copy the latest format file from the docs repository and apply.
Change-Id: I2f0b9d0fb6e01ed36a2f34c750ba52de3b6d15d1
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
SPDX identifiers are simpler, and reduce the amount of cruft we have in
code files. They are recommended by the Linux Foundation [1], and
therefore we should do as they allow.
This patchset does not intend to modify any intent on any existing
copyrights or licenses, only to standardize their inclusion.
[1] https://www.linuxfoundation.org/blog/blog/copyright-notices-in-open-source-software-projects
Change-Id: I935c7c0156caa78fc368c929cebd0f068031e830
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
As reported, there are cases where a valid certificate isn't present,
but a browser still prompts for an MTLS cert. Fix that by explicitly
setting verify_none if strict tls isn't enabled. Unclear what impacts
this will have elsewhere:
Tested (not yet done on this patch): with a self-signed certificate,
logging into chrome no longer prompts the certificate screen.
Change-Id: Iaf7d25fec15ad547a6c741c9410995e19ba22016
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
This commit is automatically generated by enabling clang-include-fixer.
Tested: Code compiles.
Change-Id: I475d7b9d43e95bbdeeaadf11905d3b2a60aa8ef3
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
clang-format-18 isn't compatible with the clang-format-17 output, so we
need to reformat the code with the latest version. The way clang-18
handles lambda formatting also changed, so we have made changes to the
organization default style format to better handle lambda formatting.
See I5e08687e696dd240402a2780158664b7113def0e for updated style.
See Iea0776aaa7edd483fa395e23de25ebf5a6288f71 for clang-18 enablement.
Change-Id: Iceec1dc95b6c908ec6c21fb40093de9dd18bf11a
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
|
|
nghttp2 has added a new callback [1] which solves the issue we were
seeing previously with const. This cleans up some NOLINT markers, but
should have no functional changes.
[1] https://nghttp2.org/documentation/nghttp2_select_alpn.html#c.nghttp2_select_alpn
Tested:
Curl shows HTTP2 upgrade works properly.
* ALPN, offering h2
* ALPN, offering http/1.1
* ALPN, server accepted to use h2
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
Change-Id: Ic41754c58e6166aac22ed5afca5371661db959da
Signed-off-by: Ed Tanous <etanous@nvidia.com>
|
|
This commit removes the need for any code to pull in openssl headers
directly. All openssl code is now included in compile units, or
transitively from boost.
Because http2 is optional, no-unneeded-internal-declaration is needed to
prevent clang from marking the functions as unused. Chromium has
disabled this as well[1]
Tested:
Redfish service validator passes.
[1] https://issues.chromium.org/issues/40340369
Change-Id: I327e8ffa45941c2282db804d0be56cf64155e67d
Signed-off-by: Ed Tanous <ed@tanous.net>
|