Hello All,

What's the expected behaviour of "SSLVerifyClient optional_no_ca" with client self-signed certificates that are expired?

Wouldn't guess from the mod_ssl documentation and was expecting that the certificate was verified OK. That's the behaviour, for instance, for an expired certificate where the issuing CA is not present (maybe the "no_ca" in "optional_no_ca" is to be taken at face value?). Instead it fails.

A quick look at the code, and ssl debug, seems that it verifies OK on the first iteration, by being self-signed, then goes up the chain, checking the certificate again (as an issuer of itself?) and fails because it is expired.

Is it supposed to be like that or is it a bug? Any way of accepting those certificates (to be used by an upstream app)?

Thank you.