Bug 60186 - Adding an SSL Verify directive to accept expired client certificate
Summary: Adding an SSL Verify directive to accept expired client certificate
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-28 22:25 UTC by Bertrand C
Modified: 2016-09-29 23:44 UTC

Attachments
Patch file (8.17 KB, patch)
2016-09-28 22:25 UTC, Bertrand C
Description Bertrand C 2016-09-28 22:25:17 UTC
Created attachment 34311
Patch file

A new SSL directive SSLVerifyAcceptExpiredClient (on/off) would allow the SSL engine to accept a client certificate with an expired notAfter date.

The motivation is to allow some clients (old embedded, non-upgradable devices) to still access a server.

The attached patch, built over httpd trunk 2.5, creates a new directive and corresponding flags in the server and directory configuration structures. The expiration error bypass is performed in ssl_callback_SSLVerify (ssl_engine_kernel.c).
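The gating logic such a bypass needs, shown as an added example rather than the attached patch itself: a verify-callback decision that waives only the expiry error, only when the operator has switched it on, and records that it did so for logging. The `decide_client_verify` function and the `accept_expired` switch are hypothetical stand-ins for the patch's directive flag; restricting the waiver to the leaf certificate (depth 0) is this example's own caveat, the report does not say whether the patch does the same.

```c
#include <stdbool.h>
#include <stdio.h>

/* Verify-result codes with the numeric values OpenSSL uses in
 * <openssl/x509_vfy.h>; defined locally so this builds without libssl. */
#define X509_V_OK                    0
#define X509_V_ERR_CERT_HAS_EXPIRED 10

/* Outcome of one verify-callback invocation. */
typedef struct {
    int  ok;               /* value the callback would hand back to OpenSSL */
    bool expired_accepted; /* true when an expired leaf was let through */
} verify_decision;

/*
 * Decision logic for a client-certificate verify callback when an
 * "accept expired client certificate" switch is enabled (hypothetical
 * accept_expired flag standing in for the proposed directive).
 *
 *   preverify_ok  result OpenSSL already computed for this chain element
 *   verify_err    X509_V_* error code for this element
 *   depth         0 = the client's own certificate, >0 = an issuing CA
 */
verify_decision decide_client_verify(int preverify_ok, int verify_err,
                                     int depth, bool accept_expired)
{
    verify_decision d = { preverify_ok, false };

    if (preverify_ok)
        return d;                  /* chain element is fine, nothing to waive */

    /* Only the expiry error may be waived, only on the leaf, and only when
     * asked for: an expired CA or any other verify error still fails. */
    if (accept_expired && depth == 0 &&
        verify_err == X509_V_ERR_CERT_HAS_EXPIRED) {
        d.ok = 1;
        d.expired_accepted = true; /* caller should log this at warn level */
    }
    return d;
}

int main(void)
{
    verify_decision d = decide_client_verify(0, X509_V_ERR_CERT_HAS_EXPIRED, 0, true);
    printf("expired leaf, switch on:  ok=%d accepted=%d\n", d.ok, d.expired_accepted);
    d = decide_client_verify(0, X509_V_ERR_CERT_HAS_EXPIRED, 1, true);
    printf("expired CA, switch on:    ok=%d\n", d.ok);
    d = decide_client_verify(0, X509_V_ERR_CERT_HAS_EXPIRED, 0, false);
    printf("expired leaf, switch off: ok=%d\n", d.ok);
    return 0;
}
```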