[ipxe-devel] Small bug report re: ssl_verify_client optional w/o iPXE client cert

Harry Coin hcoin at quietfountain.com
Fri Feb 20 21:03:47 UTC 2015

Hello and much appreciation for the iPXE effort.

Kindly notice that when iPXE is built with only a certificate authority
to trust (no cert + key), and the iPXE shell does an https://.... request
of any kind, and the SSL-enabled server explicitly does not ask for a
client certificate, then all is well.

But, if the SSL-enabled server does ask for a client certificate, but
only in an optional way, e.g. in nginx:

ssl_verify_client optional;

then iPXE fails, trying to find a non-existent cert, in tls.c:

        /* Determine client certificate to be sent */
        tls->cert = certstore_find_key ( &private_key );
        if ( ! tls->cert ) {
                DBGC ( tls, "TLS %p could not find certificate corresponding "
                       "to private key\n", tls );
                return -EPERM_CLIENT_CERT;
        }

The correct response is not to fail the TLS session when a requested but
optional client cert doesn't exist, only when a required client cert
doesn't exist.

I tested this: setting the server to explicitly not ask for a client
cert when one didn't exist allowed normal operations.  Setting it to
optionally validate the client cert when one didn't exist failed on the
iPXE end.
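The behaviour the report asks for, shown as an added example that is not iPXE's tls.c: on a CertificateRequest, a TLS 1.2 client with no certificate sends a Certificate message with an empty certificate_list (RFC 5246, 7.4.6) instead of aborting, and the server, not the client, decides whether "optional" or "required" applies. The struct and function names are assumptions for this example; the DER bytes in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TLS_HANDSHAKE_CERTIFICATE 11

/* One DER-encoded certificate (constructed input; nothing is parsed here). */
struct der_cert {
    const uint8_t *data;
    size_t len;
};

static void put_u24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)v;
}

/* Encode a TLS 1.2 Certificate handshake message (RFC 5246, 7.4.2):
 *   HandshakeType(1) | length(3) | certificate_list length(3) |
 *   { cert length(3) | cert DER }*
 * Returns bytes written, or 0 if buf is too small.  ncerts may be 0,
 * which yields the 7-byte "no certificate" message. */
size_t tls_build_certificate_msg(const struct der_cert *certs, size_t ncerts,
                                 uint8_t *buf, size_t buflen) {
    size_t list_len = 0, i;
    for (i = 0; i < ncerts; i++)
        list_len += 3 + certs[i].len;
    size_t total = 4 + 3 + list_len;
    if (total > buflen || list_len > 0xFFFFFF)
        return 0;
    buf[0] = TLS_HANDSHAKE_CERTIFICATE;
    put_u24(buf + 1, 3 + list_len);   /* handshake body length */
    put_u24(buf + 4, list_len);       /* certificate_list length */
    uint8_t *p = buf + 7;
    for (i = 0; i < ncerts; i++) {
        put_u24(p, certs[i].len);
        memcpy(p + 3, certs[i].data, certs[i].len);
        p += 3 + certs[i].len;
    }
    return total;
}

/* Client reply to CertificateRequest (RFC 5246, 7.4.6): with no suitable
 * certificate the client MUST still send an empty Certificate message and
 * let the server decide whether that is acceptable.  cert == NULL models
 * the "CA only, no cert + key" build described in the report. */
size_t tls_answer_cert_request(const struct der_cert *cert,
                               uint8_t *buf, size_t buflen) {
    return tls_build_certificate_msg(cert, cert ? 1 : 0, buf, buflen);
}
```

With ssl_verify_client optional the server accepts the empty list and continues; with ssl_verify_client on it is the server that rejects the handshake, which is the only case where the client cannot proceed.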
