<html><head></head><body><br><br><div class="gmail_quote">On February 21, 2015 2:41:31 AM CST, "Robin Smidsrød" <robin@smidsrod.no> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail"><br />On 20.02.2015 22:03, Harry Coin wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> But, if the SSL-enabled server does ask for a client certificate but<br /> only in an optional way, e.g. nginx example:<br /> <br /> ssl_verify_client optional;<br /> <br /> Then iPXE fails trying to find a non-existent cert:<br /> in tls.c<br /> <br /> /* Determine client certificate to be sent */<br /> tls->cert = certstore_find_key ( &private_key );<br /> if ( ! tls->cert ) {<br /> DBGC ( tls, "TLS %p could not find certificate corresponding "<br /> "to private key\n", tls );<br /> return -EPERM_CLIENT_CERT;<br /> <br /> The correct response is not to fail the TLS session when an optional<br /> client cert that was asked for doesn't exist, only when a required client<br /> cert doesn't exist.<br
/></blockquote><br />It seems to me like your bug report is valid, but I kinda fail to see<br />the use case where client certificates are optional. I've always thought<br />of it like this: either you care about the client's identity, or you<br />don't. I can't think of a use case where that info is "nice to have".<br /><br />Hopefully one of the core developers will report back on whether or not<br />a fix can be included, or if this goes in the "not-really-supported" bin.<br /><br />-- Robin<br /><hr /><br />ipxe-devel mailing list<br />ipxe-devel@lists.ipxe.org<br /><a href="https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel">https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel</a><br /></pre></blockquote></div><br>
There are those who would offer identified clients more services than randomly attached clients; however, they would also serve randomly attached clients with things such as diagnostics and open source OS installs.<br>
<br>
Certainly this obscure message, in response to a feature that all major HTTPS servers support for the aforementioned reason, needs improving.<br>
<br>
Harry</body></html>
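The split Harry describes (extra services for clients that present a recognised certificate, a baseline of diagnostics and OS installers for everyone else) is exactly what nginx's <code>ssl_verify_client optional</code> exists for. The configuration below is an added example, not part of this thread and not iPXE or nginx project code; the hostname, file paths, the client CA bundle and the <code>/identified/</code> and <code>/public/</code> locations are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name boot.example.test;                 # assumed name

    ssl_certificate     /etc/nginx/tls/boot.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/boot.key;

    # CA that issued the client certificates we recognise (assumed path).
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;

    # "optional": nginx sends a CertificateRequest, but a client that answers
    # with an empty Certificate message still completes the handshake.
    # With "on" that same client would be rejected at the TLS layer.
    ssl_verify_client optional;

    # $ssl_client_verify is SUCCESS when a valid client cert was presented,
    # NONE when the client sent none, and FAILED:<reason> for a bad one.
    # Only SUCCESS unlocks the identified tree; NONE and FAILED are both
    # treated as anonymous here.
    location /identified/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /srv/boot;        # assumed document root
    }

    location /public/ {
        root /srv/boot;        # diagnostics and OS installers for anyone
    }

    # Steer a client landing on the root by what it presented.
    location = / {
        if ($ssl_client_verify = SUCCESS) {
            return 302 /identified/;
        }
        return 302 /public/;
    }
}
```

This only works if the client behaves as RFC 5246 section 7.4.6 requires: a client that receives a CertificateRequest but has no suitable certificate must still send a Certificate handshake message containing no certificates rather than abort, which is the behaviour the thread is asking iPXE to adopt. Note also that under <code>optional</code> nginx finishes the handshake even for an invalid client certificate and merely records <code>FAILED</code>, so the application layer (here the <code>$ssl_client_verify</code> checks) has to make the access decision; do not assume the TLS layer rejected anything.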