commit | 6a3e18261cc713409bf11382c472c7301d6d9770 | [log] [tgz] |
---|---|---|
author | James Feist <james.feist@linux.intel.com> | Wed Nov 06 13:46:35 2019 -0800 |
committer | James Feist <james.feist@linux.intel.com> | Tue Nov 12 19:32:43 2019 +0000 |
tree | ea6dd9db206139d9946c840d8bffcc0a35968d42 | |
parent | be380cb11299957665d061b65df4afe03e4218d1 [diff] |
Disable SSL renegotiation This disables ssl renegotiaion based on the potential DOS attack here: https://www.cvedetails.com/cve/CVE-2011-1473/ Tested: testssl shows it as disabled https://github.com/drwetter/testssl.sh validator passed Fixes https://github.com/openbmc/openbmc/issues/3624 Change-Id: I4bfbd770d25ba5d1a7292421f1ccad2b2e73d3a6 Signed-off-by: James Feist <james.feist@linux.intel.com>
This component attempts to be a "do everything" embedded webserver for openbmc.
At this time, the webserver implements a few interfaces:
BMCWeb is configured by setting -D
flags that correspond to options in bmcweb/CMakeLists.txt
and then compiling. For example, cmake -DBMCWEB_ENABLE_KVM=NO ...
followed by make
. The option names become C++ preprocessor symbols that control which code is compiled into the program.
When BMCWeb starts running, it reads persistent configuration data (such as UUID and session data) from a local file. If this is not usable, it generates a new configuration.
When BMCWeb SSL support is enabled and a usable certificate is not found, it will generate a self-sign a certificate before launching the server. The keys are generated by the prime256v1
algorithm. The certificate
C=US, O=OpenBMC, CN=testhost
,SHA-256
algorithm.