[ipxe-devel] Small bug report re: ssl_verify_client optional w/o iPXE client cert

Harry Coin hcoin at quietfountain.com
Sat Feb 21 13:51:08 UTC 2015



On February 21, 2015 2:41:31 AM CST, "Robin Smidsrød" <robin at smidsrod.no> wrote:
>
>On 20.02.2015 22:03, Harry Coin wrote:
>> But, if the SSL enabled server does ask for a client certificate but
>> only in an optional way, e.g. nginx example:
>> 
>> ssl_verify_client optional;
>> 
>> Then iPXE fails trying to find a non-existent cert:
>> in tls.c
>> 
>>         /* Determine client certificate to be sent */
>>         tls->cert = certstore_find_key ( &private_key );
>>         if ( ! tls->cert ) {
>>                 DBGC ( tls, "TLS %p could not find certificate corresponding "
>>                        "to private key\n", tls );
>>                 return -EPERM_CLIENT_CERT;
>> 
>> The correct response is not to fail the TLS session when asked for an
>> optional client cert that doesn't exist, only when a required client cert
>> doesn't exist.
>
>It seems to me like your bug report is valid, but I kinda fail to see
>the use-case where client certificates are optional. I've always thought
>of it like this: either you care about the client's identity, or you
>don't. I can't think of a use-case where that info is "nice to have".
>
>Hopefully one of the core developers will report back on whether or not
>a fix can be included, or if this goes in the "not-really-supported"
>bin.
>
>-- Robin

There are those who would offer identified clients added services beyond those offered to randomly attached clients; however, they would also serve randomly attached clients with such things as diagnostics and open source OS installs.

Certainly this obscure message, in response to a feature supported for the aforementioned reason by all major HTTPS servers, needs improving.

Harry
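For reference, the protocol rule behind this report, as an added example that is not iPXE code and not part of the original thread: in TLS 1.2 (RFC 5246, section 7.4.6) a client that receives a CertificateRequest but has no suitable certificate MUST still send a Certificate handshake message, with an empty certificate_list, rather than aborting. The client cannot distinguish an "optional" request from a required one: nginx sends the same CertificateRequest for `ssl_verify_client on`, `optional` and `optional_no_ca`, and only the server's policy decides whether an empty list is acceptable (`on` rejects it with a fatal alert, `optional` and `optional_no_ca` let the handshake continue without a client identity). The code below builds and parses that message and models the server-side policy; the function names, the enum and the DER blob are constructed for illustration.

```c
/*
 * Added example (not iPXE's tls.c): what a TLS 1.2 client sends when the
 * server asks for a client certificate and none is configured, and how the
 * server-side policy (modelled on nginx ssl_verify_client) treats the answer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HANDSHAKE_CERTIFICATE 11   /* HandshakeType certificate, RFC 5246 7.4 */

/* Hypothetical model of the nginx ssl_verify_client directive values. */
enum verify_client { VERIFY_OFF, VERIFY_ON, VERIFY_OPTIONAL, VERIFY_OPTIONAL_NO_CA };

static void put_u24(uint8_t *p, size_t v)
{
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

static size_t get_u24(const uint8_t *p)
{
    return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2];
}

/*
 * Build the client's Certificate handshake message. cert may be NULL when no
 * client certificate exists: per RFC 5246 7.4.6 the client then sends an
 * empty certificate_list instead of failing the handshake. Returns the number
 * of bytes written, or 0 if out is too small or the certificate is oversized.
 */
size_t tls_build_client_certificate(const uint8_t *cert, size_t cert_len,
                                    uint8_t *out, size_t out_cap)
{
    /* certificate_list<0..2^24-1>: each entry is a 3-byte length + DER bytes */
    size_t list_len = cert ? (3 + cert_len) : 0;
    size_t body_len = 3 + list_len;          /* 3-byte list length + entries */
    size_t total = 4 + body_len;             /* 1-byte type + 3-byte length + body */
    uint8_t *p = out;

    if (cert_len > 0xFFFFFF - 3 || out_cap < total)
        return 0;
    *p++ = TLS_HANDSHAKE_CERTIFICATE;
    put_u24(p, body_len); p += 3;
    put_u24(p, list_len); p += 3;
    if (cert) {
        put_u24(p, cert_len); p += 3;
        memcpy(p, cert, cert_len);
    }
    return total;
}

/*
 * Server-side view: validate the framing of a Certificate message and report
 * whether the certificate_list is empty. Returns 0 on success, -1 on malformed
 * input (which a server should treat as a decode_error, not as "no cert").
 */
int tls_parse_client_certificate(const uint8_t *msg, size_t len, int *list_empty)
{
    if (len < 7 || msg[0] != TLS_HANDSHAKE_CERTIFICATE)
        return -1;
    if (get_u24(msg + 1) != len - 4)          /* handshake length must match */
        return -1;
    if (get_u24(msg + 4) != len - 7)          /* list length must fill the body */
        return -1;
    *list_empty = (len == 7);
    return 0;
}

/*
 * Whether the handshake may continue given the server policy and the client's
 * answer. Only the empty-list case is modelled; chain verification of a
 * presented certificate is out of scope here. Returns 1 to continue, 0 to abort.
 */
int server_accepts_client_certificate(enum verify_client mode, int list_empty)
{
    if (!list_empty)
        return 1;                             /* a cert was sent: verify it (not modelled) */
    switch (mode) {
    case VERIFY_ON:          return 0;        /* required: empty list is fatal */
    case VERIFY_OPTIONAL:
    case VERIFY_OPTIONAL_NO_CA:
    case VERIFY_OFF:         return 1;        /* optional (or never asked): continue anonymously */
    }
    return 0;
}

int main(void)
{
    uint8_t buf[64];
    int empty = -1;
    size_t n = tls_build_client_certificate(NULL, 0, buf, sizeof buf);

    printf("empty Certificate message (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    if (tls_parse_client_certificate(buf, n, &empty) == 0)
        printf("ssl_verify_client on:       %s\n",
               server_accepts_client_certificate(VERIFY_ON, empty) ? "continue" : "abort");
        printf("ssl_verify_client optional: %s\n",
               server_accepts_client_certificate(VERIFY_OPTIONAL, empty) ? "continue" : "abort");
    return 0;
}
```

The takeaway for a client implementation is that "no certificate configured" is not an error at the point where the CertificateRequest arrives; the only client-side failure is the inverse case, a configured private key with no matching certificate, which is what the quoted `certstore_find_key` check is actually guarding.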