Hello, and much appreciation for the iPXE effort.

Kindly notice that when iPXE is built with only a certificate authority to trust (no cert + key), and
the iPXE shell does an https://.... request of any kind, and
the SSL-enabled server explicitly does not ask for a client certificate, then
all is well.

But if the SSL-enabled server does ask for a client certificate, but only optionally, e.g. with the nginx setting:

ssl_verify_client optional;

Then iPXE fails trying to find a non-existent cert, in tls.c:

        /* Determine client certificate to be sent */
        tls->cert = certstore_find_key ( &private_key );
        if ( ! tls->cert ) {
                DBGC ( tls, "TLS %p could not find certificate corresponding "
                       "to private key\n", tls );
                return -EPERM_CLIENT_CERT;
        }

The correct response is not to fail the TLS session when an optionally requested client cert doesn't exist, only when a required client cert doesn't exist.

I tested this: setting the server to explicitly not ask for a client cert when one didn't exist allowed normal operation. Setting it to optionally validate the client cert when one didn't exist failed on the iPXE end.
</gre_replace>
<gr_replace lines="32" cat="remove_boilerplate" orig="Reply via email">


_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel

Reply via email to
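The failure mode described in the post, as an added example that is neither iPXE's code nor the poster's: a small C model of the client-certificate phase of a TLS 1.2 handshake. It contrasts a client that aborts locally when it holds no certificate (the behaviour reported above) with one that answers the CertificateRequest with a Certificate message listing zero certificates, which is what RFC 5246 section 7.4.6 requires; the TLS 1.2 CertificateRequest carries no optional/required flag, so only the server can make that decision, and it does so on the empty list. The message framing is from RFC 5246 section 7.4.2. The enum names, the three-mode server policy mirroring nginx's ssl_verify_client off|optional|on, the placeholder certificate bytes and the function names are this example's own assumptions, not iPXE or nginx APIs.

```c
/*
 * Added example, not iPXE code: model of the TLS 1.2 client-certificate
 * exchange.  RFC 5246 s7.4.6: a client with no suitable certificate MUST
 * send a Certificate message containing no certificates.  The server
 * policy (off/optional/on) mirrors nginx's ssl_verify_client and is this
 * example's own construction.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HANDSHAKE_CERTIFICATE 11   /* HandshakeType certificate(11) */

/* 24-bit big-endian lengths, as used for TLS vectors (RFC 5246 s4.3). */
static uint32_t get_u24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}
static void put_u24(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v;
}

/* Encode a Certificate handshake message with zero or one certificate.
 * Layout (s7.4.2): type(1) | body len(3) | list len(3) | { len(3) | DER }*.
 * With cert == NULL the body is just the 3-byte zero list length.
 * Returns bytes written, or 0 if buf is too small. */
size_t tls_build_certificate(uint8_t *buf, size_t buflen,
                             const uint8_t *cert, size_t certlen) {
    size_t list_len = cert ? 3 + certlen : 0;
    size_t total = 4 + 3 + list_len;
    if (buflen < total) return 0;
    buf[0] = TLS_HANDSHAKE_CERTIFICATE;
    put_u24(buf + 1, (uint32_t)(3 + list_len));
    put_u24(buf + 4, (uint32_t)list_len);
    if (cert) {
        put_u24(buf + 7, (uint32_t)certlen);
        memcpy(buf + 10, cert, certlen);
    }
    return total;
}

/* Server-side parse: number of certificates in the message, -1 if the
 * framing is malformed.  DER contents are not inspected. */
int tls_count_certificates(const uint8_t *msg, size_t len) {
    if (len < 7 || msg[0] != TLS_HANDSHAKE_CERTIFICATE) return -1;
    if (get_u24(msg + 1) != len - 4) return -1;
    if (get_u24(msg + 4) != len - 7) return -1;
    int count = 0;
    size_t off = 7;
    while (off < len) {
        if (off + 3 > len) return -1;
        uint32_t clen = get_u24(msg + off);
        off += 3;
        if (clen == 0 || clen > len - off) return -1;
        off += clen;
        count++;
    }
    return count;
}

enum verify_mode { VERIFY_OFF, VERIFY_OPTIONAL, VERIFY_ON };

enum outcome {
    HANDSHAKE_OK,
    CLIENT_ABORTED_NO_CERT,      /* local failure, as reported for iPXE */
    SERVER_REJECTED_EMPTY_CERT,  /* server alert: a certificate was required */
    SERVER_REJECTED_MALFORMED,
};

/* Server side.  cert_msg == NULL means the client tore the connection
 * down instead of answering the CertificateRequest. */
enum outcome server_evaluate(enum verify_mode mode,
                             const uint8_t *cert_msg, size_t len) {
    if (mode == VERIFY_OFF) return HANDSHAKE_OK;  /* no CertificateRequest sent */
    if (!cert_msg) return CLIENT_ABORTED_NO_CERT;
    int n = tls_count_certificates(cert_msg, len);
    if (n < 0) return SERVER_REJECTED_MALFORMED;
    if (n == 0) return (mode == VERIFY_OPTIONAL) ? HANDSHAKE_OK
                                                  : SERVER_REJECTED_EMPTY_CERT;
    return HANDSHAKE_OK;  /* chain validation is out of scope; assume it passes */
}

/* Client side.  abort_if_no_cert == true reproduces the reported iPXE
 * behaviour; false follows RFC 5246 and sends an empty list. */
enum outcome run_handshake(enum verify_mode mode, bool have_cert,
                           bool abort_if_no_cert) {
    /* Constructed placeholder, not a real certificate. */
    static const uint8_t fake_cert[] = { 0x30, 0x02, 0x05, 0x00 };
    uint8_t msg[32];
    size_t n;
    if (mode == VERIFY_OFF) return server_evaluate(mode, NULL, 0);
    if (have_cert) {
        n = tls_build_certificate(msg, sizeof msg, fake_cert, sizeof fake_cert);
        return server_evaluate(mode, msg, n);
    }
    if (abort_if_no_cert) return server_evaluate(mode, NULL, 0);
    n = tls_build_certificate(msg, sizeof msg, NULL, 0);
    return server_evaluate(mode, msg, n);
}

/* Build the empty Certificate message and parse it back: 0 means a
 * well-formed message listing zero certificates. */
int empty_certificate_roundtrip(void) {
    uint8_t buf[7];
    size_t n = tls_build_certificate(buf, sizeof buf, NULL, 0);
    return n ? tls_count_certificates(buf, n) : -1;
}

static const char *outcome_name(enum outcome o) {
    switch (o) {
    case HANDSHAKE_OK:                return "handshake completes";
    case CLIENT_ABORTED_NO_CERT:      return "client aborts (no cert found)";
    case SERVER_REJECTED_EMPTY_CERT:  return "server rejects empty list";
    default:                          return "server rejects malformed message";
    }
}

int main(void) {
    static const char *modes[] = { "off", "optional", "on" };
    for (int m = VERIFY_OFF; m <= VERIFY_ON; m++)
        for (int aborts = 1; aborts >= 0; aborts--)
            printf("ssl_verify_client %-8s client without cert %-16s -> %s\n",
                   modes[m], aborts ? "aborts locally" : "sends empty list",
                   outcome_name(run_handshake((enum verify_mode)m, false, aborts)));
    return 0;
}
```

The matrix printed by main is the one the post tested by hand: with verification off both client behaviours succeed; with optional verification only the client that sends the empty list succeeds; with required verification both fail, but the RFC-conforming client at least lets the server say so with an alert instead of failing before the handshake reaches it. The empty message itself is seven bytes, 0b 00 00 03 00 00 00.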