SSLVerifyClient optional
2018-05-11, 19:49
Post: #2
RE: SSLVerifyClient optional
(2018-05-11 19:07)eric Wrote:  Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Interesting catch. iPXE will attempt to send a certificate only if the server sends us a certificate request, and should also correctly handle renegotiation requests. This allows us to handle servers where client certificates are required on a per-directory basis.

Your configuration is different: from a quick rescan of RFC5246, it looks as though when no local private key is available, we should handle a CertificateRequest by responding with an empty Certificate and no CertificateVerify. We don't currently have code to handle this, but it wouldn't be difficult to add.

Michael


Messages In This Thread
SSLVerifyClient optional - eric - 2018-05-11, 19:07
RE: SSLVerifyClient optional - mcb30 - 2018-05-11 19:49


