Explicitly set verify_none
As reported, there are cases where a valid certificate isn't present,
but a browser still prompts for an MTLS cert. Fix that by explicitly
setting verify_none if strict tls isn't enabled. It is unclear what impact
this will have elsewhere.
Tested (not yet done on this patch): with a self-signed certificate,
logging into chrome no longer prompts the certificate screen.
Change-Id: Iaf7d25fec15ad547a6c741c9410995e19ba22016
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index bea10aa..29d4fc8 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -108,6 +108,9 @@
persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
if (c.tlsStrict)
{
+ BMCWEB_LOG_DEBUG(
+ "{} TLS is in strict mode, returning preverified as is.",
+ logPtr(this));
return preverified;
}
// If tls strict mode is disabled
diff --git a/src/ssl_key_handler.cpp b/src/ssl_key_handler.cpp
index e967e96..c82922c 100644
--- a/src/ssl_key_handler.cpp
+++ b/src/ssl_key_handler.cpp
@@ -545,20 +545,21 @@
const persistent_data::AuthConfigMethods& c =
persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
- boost::asio::ssl::verify_mode mode = boost::asio::ssl::verify_peer;
if (c.tlsStrict)
{
BMCWEB_LOG_DEBUG("Setting verify peer");
- mode |= boost::asio::ssl::verify_fail_if_no_peer_cert;
+ boost::asio::ssl::verify_mode mode =
+ boost::asio::ssl::verify_peer |
+ boost::asio::ssl::verify_fail_if_no_peer_cert;
+ boost::system::error_code ec;
+ sslCtx.set_verify_mode(mode, ec);
+ if (ec)
+ {
+ BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
+ return nullptr;
+ }
}
- boost::system::error_code ec;
- sslCtx.set_verify_mode(mode, ec);
- if (ec)
- {
- BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
- return nullptr;
- }
SSL_CTX_set_options(sslCtx.native_handle(), SSL_OP_NO_RENEGOTIATION);
if constexpr (BMCWEB_EXPERIMENTAL_HTTP2)
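Review bot: The hunk does not actually set verify_none as the commit title says; in the non-strict case set_verify_mode() is simply no longer called, so the context keeps whatever mode it already had (presumably the fresh-context default, but that is an inference this hunk does not make explicit). Hoisting the mode back out of the if with `boost::asio::ssl::verify_mode mode = boost::asio::ssl::verify_none;` and keeping one set_verify_mode()/error-check after the branch states the intent in code and avoids duplicating the error path. A comment where the mode is chosen would also help, since dropping verify_peer presumably means the preverified callback in http_connection.hpp is no longer reached for non-strict connections, which the description itself flags as an unknown impact. The enclosing function starts before and ends after this hunk.
```cpp
    // Explicitly default to verify_none so the client is never asked for a
    // certificate unless strict TLS is enabled.
    boost::asio::ssl::verify_mode mode = boost::asio::ssl::verify_none;
    if (c.tlsStrict)
    {
        BMCWEB_LOG_DEBUG("Setting verify peer");
        mode = boost::asio::ssl::verify_peer |
               boost::asio::ssl::verify_fail_if_no_peer_cert;
    }
    boost::system::error_code ec;
    sslCtx.set_verify_mode(mode, ec);
    if (ec)
    {
        BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
        return nullptr;
    }
    // … unchanged: SSL_CTX_set_options, HTTP/2 setup …
```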