EventDestination: Implement VerifyCertificate
VerifyCertificate is a property on the Redfish EventDestination schema.
It specifies that this property is:
```
An indication of whether the service will verify the certificate of
the server referenced by the `Destination` property prior to sending the
event
```
To keep prior behavior, and to ensure behavior that's secure by default,
if the user omits the property, it is assumed to be true. This property
is also persisted and restored.
Tested:
Redfish-Event-Listener succeeds with the following procedure
Start Redfish-Event-Listener
PATCH /redfish/v1/Subscriptions/<subid> VerifyCertificate: false
POST /redfish/v1/EventService/Actions/EventService.SubmitTestEvent
Redfish-Event-Listener then hits an internal error, due to an encoding
compatibility issue unrelated to this patch, which is documented in the
receiver [1].
POST of a subscription with VerifyCertificate: false set, succeeds.
[1] https://github.com/DMTF/Redfish-Event-Listener/blob/6f3f98beafc89fa9bbf86aa4f8cac6c1987390fb/RedfishEventListener_v1.py#L61
Change-Id: I27e0a3fe87b4dbd0432bfaa22ebf593c3955db11
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index ce1e638..97e9929 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -636,7 +636,14 @@
return std::make_shared<boost::asio::ssl::context>(std::move(sslCtx));
}
-inline std::optional<boost::asio::ssl::context> getSSLClientContext()
+enum class VerifyCertificate
+{
+ Verify,
+ NoVerify
+};
+
+inline std::optional<boost::asio::ssl::context>
+ getSSLClientContext(VerifyCertificate verifyCertificate)
{
namespace fs = std::filesystem;
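Review bot: the new `enum class VerifyCertificate` and the changed `getSSLClientContext(VerifyCertificate verifyCertificate)` signature carry no comment saying what each enumerator means, in particular that `NoVerify` disables TLS server-certificate validation for the outgoing connection; a short comment above the enum would help callers choose correctly. Because the old no-argument overload is removed rather than kept as a default, every existing call site must be updated to pass an explicit value (none is visible in this hunk), which at least guarantees no caller silently ends up with `NoVerify`.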
@@ -662,8 +669,14 @@
return std::nullopt;
}
+ int mode = boost::asio::ssl::verify_peer;
+ if (verifyCertificate == VerifyCertificate::NoVerify)
+ {
+ mode = boost::asio::ssl::verify_none;
+ }
+
// Verify the remote server's certificate
- sslCtx.set_verify_mode(boost::asio::ssl::verify_peer, ec);
+ sslCtx.set_verify_mode(mode, ec);
if (ec)
{
BMCWEB_LOG_ERROR("SSL context set_verify_mode failed");
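Review bot: the `// Verify the remote server's certificate` comment above `sslCtx.set_verify_mode(mode, ec);` is now wrong on the `NoVerify` path, where `boost::asio::ssl::verify_none` lets the handshake complete regardless of the presented certificate; update the comment and consider logging at warning level (alongside the existing BMCWEB_LOG_ERROR style) when `mode == boost::asio::ssl::verify_none`, so that a subscription running with verification disabled is visible to operators in the logs. Minor: `int mode` could be declared as `boost::asio::ssl::verify_mode`, the type `set_verify_mode` takes, for clarity.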