httpd-dev mailing list archives

From Bertrand Chauvaux <>
Subject Certificate expiration verification
Date Mon, 26 Sep 2016 18:22:45 GMT

On an httpd server configured for SSL with required client authentication via certificate,
I’m trying to provide an option to make client certificate expiration date verification
optional using a new mod_ssl option.

My httpd server is at the top of the trunk, configured for SSL with my own CA and site certificate.
The client certificates are issued by the same CA as the site. In my test I used 2 client certificates,
one with a 10-year lifetime and another one recently expired. Both were issued by the same
CA. The request goes through with the non-expired certificate but is rejected when using the
expired certificate.

I tried to modify the callback registered by httpd on OpenSSL: ssl_callback_SSLVerify (ssl_engine_kernel.c)
to return TRUE in the case of a certificate expiration error. Looking at OpenSSL code x509_vfy.c
x509_check_cert_time(), returning TRUE on the verification callback should allow expired certificates
to be accepted.
This does not seem to work and expired client certificates are still rejected. Despite stepping
into the code I can’t seem to find why the request does not go through: ssl_hook_access()
is never called.

Any help would be much appreciated.

Thank you.
