On 20.02.2015 22:03, Harry Coin wrote:
> But, if the SSL enabled server does ask for a client certificate but
> only in an optional way, e.g. nginx example:
>
>     ssl_verify_client optional;
>
> Then iPXE fails trying to find a non-existent cert:
> in tls.c
>
>     /* Determine client certificate to be sent */
>     tls->cert = certstore_find_key ( &private_key );
>     if ( ! tls->cert ) {
>             DBGC ( tls, "TLS %p could not find certificate corresponding "
>                    "to private key\n", tls );
>             return -EPERM_CLIENT_CERT;
>
> The correct response is not to fail the TLS session when an optional
> client cert that was asked for doesn't exist, only when a required
> client cert doesn't exist.
It seems to me like your bug report is valid, but I kinda fail to see the use-case where client certificates are optional. I've always thought of it like this: either you care about the client's identity, or you don't. I can't think of a use-case where that info is "nice to have".

Hopefully one of the core developers will report back on whether or not a fix can be included, or if this goes in the "not-really-supported" bin.

-- 
Robin
_______________________________________________
ipxe-devel mailing list
ipxe-devel@lists.ipxe.org
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
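The protocol-level point behind Harry's report, shown as an added example that is not part of this thread and not iPXE's code: a TLS client that holds no certificate answers the server's CertificateRequest with an empty Certificate message and lets the server's own policy decide, rather than aborting locally. Go's crypto/tls is used here because it implements both server policies and runs offline; the self-signed certificate, the server name "boot.example", and the helper names are assumptions made for the example. tls.RequestClientCert corresponds roughly to nginx's ssl_verify_client optional, and the Require* policies to ssl_verify_client on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert builds a throwaway certificate for the hypothetical
// boot server "boot.example". It is constructed in memory so the example
// runs offline; it is test material, not a real deployment key.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "boot.example"},
		DNSNames:     []string{"boot.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HandshakeWithoutClientCert runs one TLS 1.2 handshake over an in-memory pipe.
// The server requests a client certificate under the given policy; the client
// has no certificate or private key configured, so it answers the
// CertificateRequest with an empty Certificate message. The result is nil
// only if both sides completed the handshake.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) error {
	serverCert, pool, err := selfSignedServerCert()
	if err != nil {
		return err
	}
	serverConf := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	clientConf := &tls.Config{
		RootCAs:    pool,
		ServerName: "boot.example",
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
		// Deliberately no Certificates and no GetClientCertificate.
	}

	serverEnd, clientEnd := net.Pipe()
	defer serverEnd.Close()
	defer clientEnd.Close()
	// A deadline keeps a misbehaving handshake from hanging the example.
	deadline := time.Now().Add(5 * time.Second)
	serverEnd.SetDeadline(deadline)
	clientEnd.SetDeadline(deadline)

	clientDone := make(chan error, 1)
	go func() { clientDone <- tls.Client(clientEnd, clientConf).Handshake() }()
	serverErr := tls.Server(serverEnd, serverConf).Handshake()
	if serverErr != nil {
		serverEnd.Close() // unblock the client once the server has given up
	}
	clientErr := <-clientDone
	if serverErr != nil {
		return fmt.Errorf("server: %w", serverErr)
	}
	if clientErr != nil {
		return fmt.Errorf("client: %w", clientErr)
	}
	return nil
}

func main() {
	fmt.Println("optional client cert, none available:", HandshakeWithoutClientCert(tls.RequestClientCert))
	fmt.Println("required client cert, none available:", HandshakeWithoutClientCert(tls.RequireAnyClientCert))
}
```

With tls.RequestClientCert the handshake completes and the server simply sees no peer certificate; with tls.RequireAnyClientCert the server rejects the empty Certificate message with an alert and both sides report an error. In neither case does the client decide the outcome by itself, which is the behaviour the report asks iPXE to match.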