60028 – mod_ssl does not accept expired client certificates even with SSLVerifyClient optional_no_ca

Bug 60028 - mod_ssl does not accept expired client certificates even with SSLVerifyClient optional_no_ca

Summary: mod_ssl does not accept expired client certificates even with SSLVerifyClient...

Status:	NEW

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_ssl (show other bugs)
Version:	2.4.23
Hardware:	All All

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-08-22 07:30 UTC by Pascal Ermster
Modified:	2016-08-22 07:31 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Pascal Ermster 2016-08-22 07:30:29 UTC

mod_ssl does not accept expired client certificates even if the SSLVerifyClient directive is set to "optional_no_ca". Self-signed certificates are accepted, but expired certificates are not.

IMHO this doesn't match the description in the official manual and is thus a bug:

"optional_no_ca: the client may present a valid Certificate but it need not to be (successfully) verifiable"

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient