Posted to users@httpd.apache.org by "jose.celestino@gmail.com" <jo...@gmail.com> on 2021/11/09 11:56:40 UTC
[users@httpd] SSLVerifyClient optional_no_ca behaviour with expired self-signed certificates
Hello All,

What's the expected behaviour of "SSLVerifyClient optional_no_ca" with
client self-signed certificates that are expired?

Wouldn't guess from the mod_ssl documentation and was expecting that
the certificate was verified OK. That's the behaviour, for instance,
for an expired certificate where the issuing CA is not present (maybe
the "no_ca" in "optional_no_ca" is to be taken at face value?).
Instead it fails.

From a quick look at the code, and ssl debug, it seems that it verifies OK on
the first iteration, by being self-signed, then goes up the chain,
checking the certificate again (as an issuer of itself?) and fails
because it is expired.

Is it supposed to be like that or is it a bug?

Any way of accepting those certificates (to be used by an upstream app)?

Thank you.