iPXE discussion forum
SSLVerifyClient optional - Printable Version


SSLVerifyClient optional - eric - 2018-05-11 19:07

I'm using the latest version of iPXE with HTTPS enabled and without any embedded client certificate. If the HTTPS server is configured with "SSLVerifyClient optional", when an HTTPS file transfer is initiated, iPXE throws this error:
http://ipxe.org/err/410de3
"Error: No suitable client certificate available"

I am seeing this with Apache2 on Ubuntu. If I change the Apache2 configuration to "SSLVerifyClient none", the error goes away and the file transfer is successful. However, for my application, it cannot be assumed that the HTTPS server will not be configured with "SSLVerifyClient optional".

Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Thanks,
Eric


RE: SSLVerifyClient optional - mcb30 - 2018-05-11 19:49

(2018-05-11 19:07) eric wrote: Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Interesting catch. iPXE will attempt to send a certificate only if the server sends us a certificate request, and should also correctly handle renegotiation requests. This allows us to handle servers where client certificates are required on a per-directory basis.

Your configuration is different: from a quick rescan of RFC5246, it looks as though when no local private key is available, we should handle a CertificateRequest by responding with an empty Certificate and no CertificateVerify. We don't currently have code to handle this, but it wouldn't be difficult to add.

Michael
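
The response described in the reply above, as an added example that is not part of the original thread and is not iPXE's code: RFC 5246 section 7.4.6 has a client with no suitable certificate answer a CertificateRequest with a Certificate message whose certificate_list has length zero, and CertificateVerify is then omitted. The struct and function names below are hypothetical, and the encoder also covers the non-empty chain case.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_HS_CERTIFICATE 11 /* HandshakeType certificate (RFC 5246 7.4) */

/* Hypothetical type: one DER-encoded certificate in the client chain */
struct der_cert { const uint8_t *data; size_t len; };

/* Write a 24-bit big-endian length (TLS uint24) */
static void put_u24(uint8_t *p, size_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/*
 * Encode a TLS 1.2 Certificate handshake message into out[].
 * count == 0 produces the empty certificate_list a client sends when it
 * has no suitable certificate. Returns bytes written, or 0 on error.
 */
size_t tls_build_certificate(uint8_t *out, size_t out_len,
                             const struct der_cert *chain, size_t count) {
    size_t list_len = 0, i, off = 7;
    for (i = 0; i < count; i++) {
        /* Each entry is opaque ASN.1Cert<1..2^24-1> */
        if (chain[i].len == 0 || chain[i].len > 0xffffff) return 0;
        list_len += 3 + chain[i].len;
        /* Handshake body (3 + list_len) must itself fit in a uint24 */
        if (list_len > 0xffffff - 3) return 0;
    }
    if (out_len < 7 + list_len) return 0;
    out[0] = TLS_HS_CERTIFICATE;
    put_u24(out + 1, 3 + list_len); /* handshake body length */
    put_u24(out + 4, list_len);     /* certificate_list length */
    for (i = 0; i < count; i++) {
        put_u24(out + off, chain[i].len);
        memcpy(out + off + 3, chain[i].data, chain[i].len);
        off += 3 + chain[i].len;
    }
    return off;
}

/*
 * CertificateVerify follows only when a non-empty chain was sent
 * (assumption: the certificate sent is signing-capable).
 */
int tls_needs_certificate_verify(int cert_requested, size_t count) {
    return cert_requested && count > 0;
}
```

With `count == 0` the encoded message is the seven bytes `0b 00 00 03 00 00 00`, which is what a server configured with "SSLVerifyClient optional" would receive from a client that has no certificate.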