Posted to dev@httpd.apache.org by Bertrand Chauvaux <bc...@intertrust.com> on 2016/09/26 18:22:45 UTC

Certificate expiration verification

Hi,

On an httpd server configured for SSL with required client authentication via certificate, I’m trying to provide an option to make client certificate expiration date verification optional using a new mod_ssl option.

My httpd server is at the top of the trunk, configured for SSL with my own CA and site certificate. The client certificates are issued by the same CA as the site. In my test I used 2 client certificates, one with a 10-year lifetime and another one recently expired. Both were issued by the same CA. The request goes through with the non-expired certificate but is rejected when using the expired certificate.

I tried to modify the callback registered by httpd on OpenSSL: ssl_callback_SSLVerify (ssl_engine_kernel.c) to return TRUE in the case of a certificate expiration error. Looking at OpenSSL code x509_vfy.c x509_check_cert_time(), returning TRUE on the verification callback should allow expired certificates to be accepted.
This does not seem to work and expired client certificates are still rejected. Despite stepping into the code I can't seem to find why the request does not go through: ssl_hook_access() is never called.

Any help would be much appreciated.

Thank you.