commit 90cd2e1d2e2228b0c575c9a3b6b2dc75eac9eb68
author Ed Tanous <etanous@nvidia.com> Mon Nov 18 16:58:51 2024 -0500
committer Ed Tanous <ed@tanous.net> Fri Jun 06 20:03:21 2025 +0000
tree d9afd946847949f9d7ae111f9f88c571e1c7ee4b
parent c6b7cae2d7864507ced3924d5f3c664123a5683d

ssl_key_handler: enable verify_peer for Meta TLS mode

Meta does not use TLSStrict, due to wanting optional password
authentication, but does need mTLS support.  463a0e3 broke this
functionality in order to fix asking for client certificates on the
webui side.  Revert to the old behavior only if the webui is not
installed.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Ed Tanous <etanous@nvidia.com>
Change-Id: Iae2e62faa5e8341c0422ab0521dea340d4e927b2

src/ssl_key_handler.cpp

diff --git a/src/ssl_key_handler.cpp b/src/ssl_key_handler.cpp
index cc11360..128d1f2 100644
--- a/src/ssl_key_handler.cpp
+++ b/src/ssl_key_handler.cpp
@@ -4,6 +4,7 @@
 
 #include "bmcweb_config.h"
 
+#include "forward_unauthorized.hpp"
 #include "logging.hpp"
 #include "ossl_random.hpp"
 #include "sessions.hpp"
@@ -545,19 +546,34 @@
     const persistent_data::AuthConfigMethods& c =
         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
 
+    boost::asio::ssl::verify_mode mode = boost::asio::ssl::verify_none;
     if (c.tlsStrict)
     {
-        BMCWEB_LOG_DEBUG("Setting verify peer");
-        boost::asio::ssl::verify_mode mode =
-            boost::asio::ssl::verify_peer |
-            boost::asio::ssl::verify_fail_if_no_peer_cert;
-        boost::system::error_code ec;
-        sslCtx.set_verify_mode(mode, ec);
-        if (ec)
-        {
-            BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
-            return nullptr;
-        }
+        BMCWEB_LOG_DEBUG("Setting verify peer and fail if no peer cert");
+        mode |= boost::asio::ssl::verify_peer;
+        mode |= boost::asio::ssl::verify_fail_if_no_peer_cert;
+    }
+    else if (!forward_unauthorized::hasWebuiRoute)
+    {
+        // This is a HACK
+        // If the webui is installed, and TLSSTrict is false, we don't want to
+        // force the mtls popup to occur, which would happen if we requested a
+        // client cert by setting verify_peer. But, if the webui isn't
+        // installed, we'd like clients to be able to optionally log in with
+        // MTLS, which won't happen if we don't expose the MTLS client cert
+        // request.  So, in this case detect if the webui is installed, and
+        // only request peer authentication if it's not present.
+        // This will likely need revisited in the future.
+        BMCWEB_LOG_DEBUG("Setting verify peer only");
+        mode |= boost::asio::ssl::verify_peer;
+    }
+
+    boost::system::error_code ec;
+    sslCtx.set_verify_mode(mode, ec);
+    if (ec)
+    {
+        BMCWEB_LOG_DEBUG("Failed to set verify mode {}", ec.message());
+        return nullptr;
     }
 
     SSL_CTX_set_options(sslCtx.native_handle(), SSL_OP_NO_RENEGOTIATION);