[ipxe-devel] Small bug report re: ssl_verify_client optional w/o iPXE client cert
Harry Coin
hcoin at quietfountain.com
Fri Feb 20 21:03:47 UTC 2015
Hello and much appreciation for the iPXE effort.
Kindly notice that when iPXE is built with only a certificate authority
to trust (no cert + key), and
the iPXE shell does an https://.... request of any kind, and
the SSL enabled server explicitly does not ask for a client certificate then
-- all is well.
But, if the SSL enabled server does ask for a client certificate but
only in an optional way, e.g. nginx example:
ssl_verify_client optional;
Then iPXE fails trying to find a non-existent cert:
in tls.c

    /* Determine client certificate to be sent */
    tls->cert = certstore_find_key ( &private_key );
    if ( ! tls->cert ) {
        DBGC ( tls, "TLS %p could not find certificate corresponding "
               "to private key\n", tls );
        return -EPERM_CLIENT_CERT;
    }
The correct response is not to fail the TLS session when an optional
client cert is requested and none exists, only when a required client cert
doesn't exist.
I tested this, setting the server to explicitly not ask for a client
cert when one didn't exist allowed normal operations. Setting it to
optionally validate the client cert when one didn't exist failed on the
iPXE end.
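The behaviour the report asks for (an optional CertificateRequest is answered with an empty Certificate message and the server decides, rather than the client aborting) can be shown with a small Go program. This is an added example, not iPXE code and not part of the original post: it builds a throwaway self-signed server certificate in-process (constructed for the example), then runs a client that holds only the trusted CA and no cert+key against a server configured with each of Go's client-auth policies, which map onto nginx's `ssl_verify_client off`, `optional` and `on`. The names `selfSignedCert` and `handshakeWithoutClientCert` are chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for "localhost"
// (constructed in-process for this example) and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeWithoutClientCert runs one TLS 1.2 handshake over loopback TCP.
// The server applies the given client-auth policy; the client trusts the CA
// but has no certificate or key of its own, like the iPXE build in the report.
// It returns nil only when both sides complete the handshake.
func handshakeWithoutClientCert(policy tls.ClientAuthType) error {
	serverCert, pool, err := selfSignedCert()
	if err != nil {
		return err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy, // NoClientCert / VerifyClientCertIfGiven / RequireAndVerifyClientCert
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		s := tls.Server(raw, srvCfg)
		err = s.Handshake()
		s.Close()
		srvErr <- err
	}()

	// No Certificates / GetClientCertificate here: a CertificateRequest is
	// answered with an empty Certificate message and the server decides.
	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	c := tls.Client(raw, cliCfg)
	cliErr := c.Handshake()
	c.Close()
	if srv := <-srvErr; cliErr == nil && srv != nil {
		return srv
	}
	return cliErr
}

func main() {
	for name, policy := range map[string]tls.ClientAuthType{
		"not requested (ssl_verify_client off)": tls.NoClientCert,
		"optional (ssl_verify_client optional)": tls.VerifyClientCertIfGiven,
		"required (ssl_verify_client on)":       tls.RequireAndVerifyClientCert,
	} {
		fmt.Printf("client cert %-40s -> error: %v\n", name, handshakeWithoutClientCert(policy))
	}
}
```

Running it shows the first two policies complete with no error and only the third fails, which is the split the report describes: a client without a certificate should fail only when the server actually requires one.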