Explicitly set verify_none

As reported, there are cases where a valid certificate isn't present, but a browser still prompts for an MTLS cert. Fix that by explicitly setting verify_none if strict tls isn't enabled. Unclear what impacts this will have elsewhere: Tested (not yet done on this patch): with a self-signed certificate, logging into chrome no longer prompts the certificate screen. Change-Id: Iaf7d25fec15ad547a6c741c9410995e19ba22016 Signed-off-by: Ed Tanous <[email protected]>
openbmc · Oct 24, 2024 · 463a0e3 · 463a0e3
1 parent a0969c7
commit 463a0e3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
@@ -108,6 +108,9 @@ class Connection :
             persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
         if (c.tlsStrict)
         {
+            BMCWEB_LOG_DEBUG(
+                "{} TLS is in strict mode, returning preverified as is.",
+                logPtr(this));
             return preverified;
         }
         // If tls strict mode is disabled

diff --git a/src/ssl_key_handler.cpp b/src/ssl_key_handler.cpp
@@ -545,20 +545,21 @@ std::shared_ptr<boost::asio::ssl::context> getSslServerContext()
     const persistent_data::AuthConfigMethods& c =
         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
 
-    boost::asio::ssl::verify_mode mode = boost::asio::ssl::verify_peer;
     if (c.tlsStrict)
     {
         BMCWEB_LOG_DEBUG("Setting verify peer");
-        mode |= boost::asio::ssl::verify_fail_if_no_peer_cert;
+        boost::asio::ssl::verify_mode mode =
+            boost::asio::ssl::verify_peer |
+            boost::asio::ssl::verify_fail_if_no_peer_cert;
+        boost::system::error_code ec;
+        sslCtx.set_verify_mode(mode, ec);
+        if (ec)
+        {
+            BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
+            return nullptr;
+        }
     }
 
-    boost::system::error_code ec;
-    sslCtx.set_verify_mode(mode, ec);
-    if (ec)
-    {
-        BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
-        return nullptr;
-    }
     SSL_CTX_set_options(sslCtx.native_handle(), SSL_OP_NO_RENEGOTIATION);
 
     if constexpr (BMCWEB_EXPERIMENTAL_HTTP2)