SSL Client Verification Errors

[Peter Volpe <le...@gmail.com>]

Right now when you use SSLVerifyClient optional_no_ca, and the client
presents a certificate that is either not ready, expired, or revoked then
the handshake fails and the connection is cut. Most of the time it's not
really clear to the client why that happened. I'd like to have a debug sort
of option where when one of those problems are encountered, rather than
cutting the connection it would continue to serve the request but the
SSL_CLIENT_VERIFY would of course be FAILED.

I'd like to work on a patch that would accomplish this and wanted to see if
it would be considered acceptable to simply expand the optional_no_ca option
to skip these extra errors (perhaps renaming it?), or if I should add
another option to SSLVerifyClient.