[ipxe-devel] Small bug report re: ssl_verify_client optional w/o iPXE client cert
Robin Smidsrød
robin at smidsrod.no
Sat Feb 21 08:41:31 UTC 2015
On 20.02.2015 22:03, Harry Coin wrote:
> But, if the SSL enabled server does ask for a client certificate but
> only in an optional way, e.g. nginx example:
>
> ssl_verify_client optional;
>
> Then iPXE fails trying to find a non-existent cert:
> in tls.c
>
> /* Determine client certificate to be sent */
> tls->cert = certstore_find_key ( &private_key );
> if ( ! tls->cert ) {
>         DBGC ( tls, "TLS %p could not find certificate corresponding "
>                "to private key\n", tls );
>         return -EPERM_CLIENT_CERT;
>
> The correct response is not to fail the TLS session when an optional
> client cert is requested but doesn't exist, only when a required client
> cert doesn't exist.
it seems to me like your bug report is valid, but I kinda fail to see
the use-case where client certificates are optional. I've always thought
of it like this: either you care about the client's identity, or you
don't. I can't think of a use-case where that info is "nice to have".
Hopefully one of the core developers will report back on whether or not
a fix can be included, or if this goes in the "not-really-supported" bin.
-- Robin
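An added illustration of the protocol-level behaviour the report asks for; this is not code from iPXE, nginx or either poster. Under RFC 5246 section 7.4.6 a client that has no suitable certificate answers a CertificateRequest with a Certificate message whose certificate_list is empty, and the server's own policy decides whether to continue. The `server_accepts` model of nginx's `ssl_verify_client` modes and the four-byte stand-in DER blob are constructed assumptions for the self-checks.

```c
/* Added illustration, not iPXE's tls.c: what a TLS 1.2 client sends when it has
 * no certificate to offer (RFC 5246 7.4.6), and how a server policy such as
 * nginx ssl_verify_client then treats that answer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_HANDSHAKE_CERTIFICATE 11

static void put_uint24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* Build a Certificate handshake message carrying zero (cert == NULL) or one DER
 * certificate.  Zero certificates is a legal answer: certificate_list is empty
 * and the server decides whether that is acceptable.  Returns bytes written,
 * 0 if the output buffer is too small. */
size_t tls_build_certificate_msg(const uint8_t *cert, size_t cert_len,
                                 uint8_t *out, size_t out_cap) {
    size_t list_len = cert ? 3 + cert_len : 0;   /* each entry: length24 + DER */
    size_t body_len = 3 + list_len;              /* certificate_list length24 + entries */
    size_t total = 4 + body_len;                 /* msg_type + length24 + body */
    if (total > out_cap) return 0;
    out[0] = TLS_HANDSHAKE_CERTIFICATE;
    put_uint24(out + 1, body_len);
    put_uint24(out + 4, list_len);
    if (cert) { put_uint24(out + 7, cert_len); memcpy(out + 10, cert, cert_len); }
    return total;
}

/* Constructed model of the server side: nginx ssl_verify_client off|optional|on. */
enum verify_policy { VERIFY_OFF, VERIFY_OPTIONAL, VERIFY_ON };
int server_accepts(enum verify_policy policy, int cert_sent, int cert_valid) {
    switch (policy) {
    case VERIFY_OFF:      return 1;                         /* never asks for one */
    case VERIFY_OPTIONAL: return !cert_sent || cert_valid;  /* empty list is fine */
    case VERIFY_ON:       return cert_sent && cert_valid;   /* empty list rejected */
    }
    return 0;
}

/* Self-checks on constructed input: expected wire bytes for both cases. */
int check_empty_msg(void) {
    static const uint8_t want[] = { 0x0b, 0,0,3, 0,0,0 };
    uint8_t buf[16];
    size_t n = tls_build_certificate_msg(NULL, 0, buf, sizeof buf);
    return n == sizeof want && memcmp(buf, want, n) == 0;
}
int check_one_cert_msg(void) {
    static const uint8_t der[] = { 0x30, 0x02, 0x05, 0x00 };  /* stand-in, not a real cert */
    static const uint8_t want[] = { 0x0b, 0,0,10, 0,0,7, 0,0,4, 0x30,0x02,0x05,0x00 };
    uint8_t buf[32];
    size_t n = tls_build_certificate_msg(der, sizeof der, buf, sizeof buf);
    return n == sizeof want && memcmp(buf, want, n) == 0;
}
```

The seven-byte empty message (`0b 00 00 03 00 00 00`) is what a client without a certificate should put on the wire; under `optional` the server proceeds, under `on` it refuses the handshake, and the client does not need to guess which mode is configured.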