SSLVerifyClient optional
2018-05-11, 19:07
Post: #1
SSLVerifyClient optional
I'm using the latest version of iPXE with HTTPS enabled and without any embedded client certificate. If the HTTPS server is configured with "SSLVerifyClient optional", when an HTTPS file transfer is initiated, iPXE throws this error:
http://ipxe.org/err/410de3
"Error: No suitable client certificate available"

I am seeing this with Apache2 on Ubuntu. If I change the Apache2 configuration to "SSLVerifyClient none", the error goes away and the file transfer is successful. However, for my application, it cannot be assumed that the HTTPS server will not be configured with "SSLVerifyClient optional".

Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Thanks,
Eric
2018-05-11, 19:49
Post: #2
RE: SSLVerifyClient optional
(2018-05-11 19:07)eric Wrote:  Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Interesting catch. iPXE will attempt to send a certificate only if the server sends us a certificate request, and should also correctly handle renegotiation requests. This allows us to handle servers where client certificates are required on a per-directory basis.

Your configuration is different: from a quick rescan of RFC5246, it looks as though when no local private key is available, we should handle a CertificateRequest by responding with an empty Certificate and no CertificateVerify. We don't currently have code to handle this, but it wouldn't be difficult to add.

Michael