Problem with certificates - iPXE discussion forum (https://forum.ipxe.org)
RE: Problem with certificates - mcb30 - 2014-07-28 13:21

(2014-07-23 13:12) welty Wrote: woowwwww, it works with "SSLVerifyClient require" and "SSLVerifyDepth 1" directives outside of the <Directory> !!

That makes some sense. If the SSLVerifyClient applies only to a specific directory (either via .htaccess or via <Directory>), then the server won't ask for a certificate until after it knows which directory the client is trying to access. At that point it would have to renegotiate, since there's no other way to ask for a client certificate once the TLS session has already been established.

There is a known plaintext-injection attack when renegotiation is enabled. Implementing renegotiation in iPXE would be relatively straightforward, but I'm not sure if it would substantially weaken the security, so I don't really want to do it until I understand the implications.

Michael
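The following checker is an added example, not code from this thread or from the iPXE or Apache projects: it scans Apache configuration text for the case described in the post above, an SSLVerifyClient nested in a per-directory container, which makes the server request the client certificate through renegotiation. The function name, the sample configuration, its ports and its path are constructed for illustration, and the check is a simplification: it flags every per-directory SSLVerifyClient other than none without comparing it to the server-level setting, and it does not read .htaccess files.

```python
import re

# Containers Apache can only match once it has read the HTTP request,
# which happens after the TLS handshake has finished.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"^<\s*(\w+)\b[^>]*>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
VERIFY = re.compile(r"^SSLVerifyClient\s+(\S+)", re.IGNORECASE)

# Constructed sample: the first vhost asks for the client certificate per
# directory, the second asks for it during the initial handshake.
SAMPLE = """\
<VirtualHost *:443>
    <Directory "/var/www/boot">
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
"""


def find_renegotiation_triggers(conf_text):
    """Return (line_no, container, level) for each per-directory SSLVerifyClient."""
    stack, hits = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]  # tolerate a stray closing tag
        elif OPEN.match(line):
            stack.append(OPEN.match(line).group(1).lower())
        else:
            m = VERIFY.match(line)
            scoped = [c for c in stack if c in PER_DIR]
            if m and scoped and m.group(1).lower() != "none":
                hits.append((line_no, scoped[-1], m.group(1)))
    return hits


if __name__ == "__main__":
    for line_no, container, level in find_renegotiation_triggers(SAMPLE):
        print(f"line {line_no}: SSLVerifyClient {level} inside <{container}>")
```

Only the first virtual host in the sample is reported; the second has the same two directives at virtual-host level, the placement the quoted poster found to work with iPXE.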