Bug 60186

Summary: Adding an SSL Verify directive to accept expired client certificate
Product: Apache httpd-2
Reporter: Bertrand C <bchauvaux>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: enhancement
CC: mitchell
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch file

Description Bertrand C 2016-09-28 22:25:17 UTC
Created attachment 34311
Patch file

A new SSL directive SSLVerifyAcceptExpiredClient (on/off) would allow the SSL engine to accept a client certificate with an expired notAfter date.

The motivation is to allow some clients (old embedded, non-upgradable devices) to still access a server.

The attached patch, built over httpd trunk 2.5, creates a new directive and corresponding flags in the server and directory configuration structures. The expiration error bypass is performed in ssl_callback_SSLVerify (ssl_engine_kernel.c).
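The bypass described above lives inside a verify callback, and the property a reviewer wants from it is that it is narrow: only the "notAfter passed" error, only for the client's own (leaf) certificate, and only when the directive is on; every other verification failure, and an expired issuer anywhere in the chain, still aborts the handshake. The following C is an added illustration of that decision logic and is not the attached patch or mod_ssl's own code. The function name `verify_verdict` and the integer flag standing in for the per-server/per-directory configuration are hypothetical; the error-code constants are assumed to mirror the values OpenSSL defines in x509_vfy.h, so the file builds without OpenSSL headers.

```c
/* Added example, not the bug's patch: the narrow-override pattern an
 * SSLVerifyAcceptExpiredClient-style flag needs inside a verify callback.
 * The constants below are assumed to mirror OpenSSL's x509_vfy.h values
 * so that this file compiles stand-alone. */
#include <stdio.h>

#define V_OK                   0   /* X509_V_OK */
#define V_ERR_CERT_HAS_EXPIRED 10  /* X509_V_ERR_CERT_HAS_EXPIRED */
#define V_ERR_CERT_REVOKED     23  /* X509_V_ERR_CERT_REVOKED */

/* Decide the verdict for one certificate in the chain being verified.
 *   accept_expired_client: the (hypothetical) directive flag, 1 = on
 *   preverify_ok:          the library's own result for this cert (1 ok, 0 failed)
 *   err:                   the X509_V_ERR_* code when preverify_ok == 0
 *   depth:                 0 for the client's leaf certificate, >0 for issuers
 * Returns 1 to let the handshake continue, 0 to abort it. */
int verify_verdict(int accept_expired_client, int preverify_ok, int err, int depth)
{
    if (preverify_ok) {
        return 1;
    }
    /* Override exactly one error code, and only for the leaf certificate:
     * an expired CA certificate higher in the chain is never accepted,
     * and revoked or untrusted certificates remain fatal regardless of
     * the directive. */
    if (accept_expired_client && err == V_ERR_CERT_HAS_EXPIRED && depth == 0) {
        /* Keep an audit trail: an expired credential was deliberately accepted. */
        fprintf(stderr, "accepting expired client certificate (depth 0) by configuration\n");
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenarios: flag, preverify_ok, error, depth. */
    struct { int flag, ok, err, depth; const char *what; } cases[] = {
        {1, 1, V_OK,                   0, "valid leaf"},
        {1, 0, V_ERR_CERT_HAS_EXPIRED, 0, "expired leaf, directive on"},
        {0, 0, V_ERR_CERT_HAS_EXPIRED, 0, "expired leaf, directive off"},
        {1, 0, V_ERR_CERT_HAS_EXPIRED, 1, "expired issuer, directive on"},
        {1, 0, V_ERR_CERT_REVOKED,     0, "revoked leaf, directive on"},
    };
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = verify_verdict(cases[i].flag, cases[i].ok, cases[i].err, cases[i].depth);
        printf("%-30s -> %s\n", cases[i].what, v ? "accept" : "reject");
    }
    return 0;
}
```

Depth scoping is the part most easily forgotten: the callback is invoked once per certificate in the chain, so an override that only checks the error code would also wave through an expired intermediate or root.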