[ipxe-devel] Small bug report re: ssl_verify_client optional w/o iPXE client cert

Robin Smidsrød robin at smidsrod.no
Sat Feb 21 08:41:31 UTC 2015

On 20.02.2015 22:03, Harry Coin wrote:
> But, if the SSL enabled server does ask for a client certificate but
> only in an optional way, e.g. nginx example:
> ssl_verify_client optional;
> Then iPXE fails trying to find a non-existent cert:
> in tls.c
>         /* Determine client certificate to be sent */
>         tls->cert = certstore_find_key ( &private_key );
>         if ( ! tls->cert ) {
>                 DBGC ( tls, "TLS %p could not find certificate
> corresponding "
>                        "to private key\n", tls );
>                 return -EPERM_CLIENT_CERT;
> The correct response is not to fail the tls session when asked for an
> optional client cert doesn't exist, only when an required client cert
> doesn't exist.

it seems to me like your bug report is valid, but I kinda fail to see
the use-case where client certificates are optional. I've always thought
of it like this: either you care about the client's identity, or you
don't. I can't think of a use-case where that info is "nice to have".

Hopefully one of the core developers will report back on whether or not
a fix can be included, or if this goes in the "not-really-supported" bin.

-- Robin

More information about the ipxe-devel mailing list