Bug 60028

Summary: mod_ssl does not accept expired client certificates even with SSLVerifyClient optional_no_ca
Product: Apache httpd-2
Reporter: Pascal Ermster <pascal.ernster>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: normal
Priority: P2
Version: 2.4.23
Target Milestone: ---
Hardware: All
OS: All

Description Pascal Ermster 2016-08-22 07:30:29 UTC
mod_ssl does not accept expired client certificates even if the SSLVerifyClient directive is set to "optional_no_ca". Self-signed certificates are accepted, but expired certificates are not.

IMHO this doesn't match the description in the official manual and is thus a bug:

"optional_no_ca: the client may present a valid Certificate but it need not to be (successfully) verifiable"

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient