Remove Server header from responses
The HTTP Server header allows potential attackers to fingerprint the BMC
much more easily than they could otherwise, as the BMC essentially reports
its name to requests.
From section 7.4.2 of RFC7231:
"An origin server MAY generate a Server field in its responses."
This patchset moves bmcweb's position to one where it will not publish the Server
field, as it does not contain useful data for the client.
It should be noted that it looks like OpenSSL was using the server name for
its connection ID. It's not clear this is correct, or desired, but I've
inlined the old value (to avoid changing behavior). Also, it was
missing a return code check, so I added it.
Tested:
Will verify in the webui (TBD)
Signed-off-by: Ed Tanous <ed@tanous.net>
Change-Id: Ieee6f15d8299e76517952514ff196008a563b63c
diff --git a/http/http_connection.h b/http/http_connection.h
index 3459d55..689b60a 100644
--- a/http/http_connection.h
+++ b/http/http_connection.h
@@ -61,12 +61,12 @@
public std::enable_shared_from_this<Connection<Adaptor, Handler>>
{
public:
- Connection(Handler* handlerIn, const std::string& ServerNameIn,
+ Connection(Handler* handlerIn,
std::function<std::string()>& get_cached_date_str_f,
detail::TimerQueue& timerQueueIn, Adaptor adaptorIn) :
adaptor(std::move(adaptorIn)),
- handler(handlerIn), serverName(ServerNameIn),
- getCachedDateStr(get_cached_date_str_f), timerQueue(timerQueueIn)
+ handler(handlerIn), getCachedDateStr(get_cached_date_str_f),
+ timerQueue(timerQueueIn)
{
parser.emplace(std::piecewise_construct, std::make_tuple());
parser->body_limit(httpReqBodyLimit);
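Review bot: the constructor drops the `const std::string& ServerNameIn` parameter, but no call-site update appears in this patch; whichever file constructs `Connection` must be changed in the same change-set, otherwise the tree fails to build between this commit and the follow-up.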
@@ -81,11 +81,15 @@
.tls)
{
adaptor.set_verify_mode(boost::asio::ssl::verify_peer);
- SSL_set_session_id_context(
+ std::string id = "bmcweb";
+ int ret = SSL_set_session_id_context(
adaptor.native_handle(),
- reinterpret_cast<const unsigned char*>(serverName.c_str()),
- static_cast<unsigned int>(serverName.length()));
- BMCWEB_LOG_DEBUG << this << " TLS is enabled on this connection.";
+ reinterpret_cast<const unsigned char*>(id.c_str()),
+ static_cast<unsigned int>(id.length()));
+ if (ret == 0)
+ {
+ BMCWEB_LOG_ERROR << this << " failed to set SSL id";
+ }
}
adaptor.set_verify_callback([this](
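Review bot: the `BMCWEB_LOG_DEBUG << this << " TLS is enabled on this connection."` line is deleted in this hunk, but the commit message does not mention dropping it; if that was unintentional, keep it after the new `if (ret == 0)` block, since it is useful when diagnosing connection setup. Separately, `std::string id = "bmcweb";` is built on every connection only to be passed as a pointer and length; a `static constexpr std::string_view id = "bmcweb";` (or a `static const std::string`) avoids the per-connection allocation while keeping the same bytes for `SSL_set_session_id_context`. The new return check is correct for OpenSSL's 1-on-success/0-on-failure convention; consider whether a failed session-id context should also close the connection rather than only logging.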
@@ -447,7 +451,6 @@
res.body().clear();
}
- res.addHeader(boost::beast::http::field::server, serverName);
res.addHeader(boost::beast::http::field::date, getCachedDateStr());
res.keepAlive(req->keepAlive());
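Review bot: this hunk is the user-visible change, and the commit message's "Tested:" section still reads "Will verify in the webui (TBD)"; before merge it should state the actual check, e.g. a `curl -sI` against the BMC showing that `Server:` is no longer present while the `Date:` header added on the following line still is. Removing the header is consistent with the RFC 7231 "MAY" quoted in the message.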
@@ -744,8 +747,6 @@
std::weak_ptr<persistent_data::UserSession> session;
- const std::string& serverName;
-
std::optional<size_t> timerCancelKey;
bool needToCallAfterHandlers{};
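Review bot: removing the `const std::string& serverName;` reference member also removes a lifetime dependency between each `Connection` and the string it previously referenced; with no remaining uses in this file after the three hunks above, the deletion is complete, provided the same member has no other readers in headers not shown in this patch.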