Bug 60028 - mod_ssl does not accept expired client certificates even with SSLVerifyClient optional_no_ca
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.23
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2016-08-22 07:30 UTC by Pascal Ermster
Modified: 2016-08-22 07:31 UTC
Description Pascal Ermster 2016-08-22 07:30:29 UTC
mod_ssl does not accept expired client certificates even if the SSLVerifyClient directive is set to "optional_no_ca". Self-signed certificates are accepted, but expired certificates are not.

IMHO this doesn't match the description in the official manual and is thus a bug:

"optional_no_ca: the client may present a valid Certificate but it need not to be (successfully) verifiable"

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient