iPXE discussion forum / iPXE user forums / General v / SSLVerifyClient optional

Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
SSLVerifyClient optional
2018-05-11, 19:49
Post: #2
mcb30 Offline
Lead Developer
*******
 		Posts: 543
Joined: 2011-Apr
Reputation: 30
RE: SSLVerifyClient optional
(2018-05-11 19:07)eric Wrote:  Does iPXE support "SSLVerifyClient optional"? Or is it expected that the server only be configured with "SSLVerifyClient none" or "SSLVerifyClient require"?

Interesting catch. iPXE will attempt to send a certificate only if the server sends us a certificate request, and should also correctly handle renegotiation requests. This allows us to handle servers where client certificates are required on a per-directory basis.

Your configuration is different: from a quick rescan of RFC5246, it looks as though when no local private key is available, we should handle a CertificateRequest by responding with an empty Certificate and no CertificateVerify. We don't currently have code to handle this, but it wouldn't be difficult to add.

Michael
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 


Messages In This Thread
SSLVerifyClient optional - eric - 2018-05-11, 19:07
RE: SSLVerifyClient optional - mcb30 - 2018-05-11 19:49



User(s) browsing this thread: 2 Guest(s)

Contact Us | iPXE home page | Return to Top | Return to Content | Lite (Archive) Mode | RSS Syndication