I am working on migrating an application to httpd 2.4 on AL2023. The application uses client certificates, which will be expiring before they can all be rotated with new expirations. I am attempting to configure httpd 2.4 to continue requiring client certificates, but change the configuration to accept them if they are expired. I have not been able to figure out how to accept expired client certificates; however, I did find some info from the following:
https://blog.fem.tu-ilmenau.de/archives/1025-Accepting-expired-client-certificates-with-apache-2.4.html
I tried the method suggested and built the shared library mysslverify.so, and placed the drop-in service file mysslverify.conf at /etc/httpd/conf/../../../etc/systemd/system/httpd.service.d with contents:
[Service]
Environment="LD_PRELOAD=/etc/httpd/conf/mysslverify.so"
To reload the service file and restart httpd I issued:
$ systemctl daemon-reload
$ systemctl restart httpd
For which there were no errors, and I confirmed mysslverify.so was loaded as follows:
$ ps aux | grep httpd
root 347549 0.8 0.1 35256 15144 ? Ss 23:34 0:00 /usr/sbin/httpd -DFOREGROUND
apache 347558 0.0 0.0 46212 5300 ? S 23:34 0:00 /usr/sbin/httpd -DFOREGROUND
apache 347559 0.0 0.1 1572936 8620 ? Sl 23:34 0:00 /usr/sbin/httpd -DFOREGROUND
apache 347560 0.0 0.1 1572936 8640 ? Sl 23:34 0:00 /usr/sbin/httpd -DFOREGROUND
apache 347561 0.0 0.1 1736840 8684 ? Sl 23:34 0:00 /usr/sbin/httpd -DFOREGROUND
root 347738 0.0 0.0 222312 2156 pts/5 S+ 23:34 0:00 grep --color=auto httpd
$ cat /proc/347549/maps | grep mysslverify.so
7fec37187000-7fec37188000 r--p 00000000 103:01 226492593 /etc/httpd/conf/mysslverify.so
7fec37188000-7fec37189000 r-xp 00001000 103:01 226492593 /etc/httpd/conf/mysslverify.so
7fec37189000-7fec3718a000 r--p 00002000 103:01 226492593 /etc/httpd/conf/mysslverify.so
7fec3718a000-7fec3718b000 r--p 00002000 103:01 226492593 /etc/httpd/conf/mysslverify.so
7fec3718b000-7fec3718c000 rw-p 00003000 103:01 226492593 /etc/httpd/conf/mysslverify.so
After making this configuration change, expired certificates continued to be rejected.
Issuing the openssl s_client command to test results in:
003E67F4887F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1605:SSL alert number 45
Clients using non-expired certificates can connect OK.
Also, at https://httpd.apache.org/support.html , I repeatedly attempted to go to the "archives" link that we are supposed to consult before posting. However, clicking on that link resulted in the error: httpd.markmail.ort took too long to respond (ERR_CONNECTION_TIMED_OUT). I found another link to the archive that is http://mail-archives.apache.org/mod_mbox/httpd-users/ , and that results in error too:
mail-archives.apache.org took too long to respond (ERR_TIMED_OUT).
Please advise on how I can get expired client certificates to be accepted by an httpd 2.4 server running on AL2023.
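For reference, below is the narrowest form of the policy such a shim has to implement: the leaf certificate's expiry is the only verification failure that is tolerated, and every other check (trusted CA, signature, clientAuth usage, not-yet-valid certificate) still rejects. This is an added example in Go using the standard crypto/x509 package, not code from the original post, from httpd, from OpenSSL or from the linked blog's C shim; the CA, the client certificates, their validity windows and the scenario names are all constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate. When parent is nil the result is a self-signed
// CA; otherwise it is a client certificate signed by parent. Everything here is
// a constructed, in-memory test PKI for the example only.
func newCert(cn string, serial int64, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyClient applies the narrow policy. The only tolerated failure is that the
// leaf's notAfter has passed; in that case the full verification is re-run with
// the clock pinned to the last second of the leaf's validity, so the chain to a
// trusted CA, the signature and the clientAuth usage are still enforced.
// It reports whether the expiry exception was used and any remaining error.
func verifyClient(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (expired bool, err error) {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err = leaf.Verify(opts); err == nil {
		return false, nil
	}
	var invalid x509.CertificateInvalidError
	if !errors.As(err, &invalid) || invalid.Reason != x509.Expired || !now.After(leaf.NotAfter) {
		// Unknown CA, wrong usage, not-yet-valid, ...: rejected exactly as before.
		return false, err
	}
	opts.CurrentTime = leaf.NotAfter.Add(-time.Second)
	_, err = leaf.Verify(opts)
	return true, err
}

// Outcome is the decision for one client certificate.
type Outcome struct {
	Accepted bool   // the handshake would be allowed to continue
	Expired  bool   // accepted only because of the expiry exception
	Detail   string // verification error text, if rejected
}

// RunScenarios builds the constructed PKI and applies verifyClient to four
// client certificates: valid, expired, expired but from an untrusted CA, and
// not yet valid. Only the first two must be accepted.
func RunScenarios() (map[string]Outcome, error) {
	now := time.Now()
	day := 24 * time.Hour
	year := 365 * day
	ca, caKey, err := newCert("Example Client CA", 1, now.Add(-year), now.Add(year), nil, nil)
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := newCert("Untrusted CA", 2, now.Add(-year), now.Add(year), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	type spec struct {
		name   string
		nb, na time.Time
		ca     *x509.Certificate
		key    *ecdsa.PrivateKey
	}
	specs := []spec{
		{"valid", now.Add(-30 * day), now.Add(30 * day), ca, caKey},
		{"expired", now.Add(-90 * day), now.Add(-30 * day), ca, caKey},
		{"expired-wrong-ca", now.Add(-90 * day), now.Add(-30 * day), otherCA, otherKey},
		{"not-yet-valid", now.Add(30 * day), now.Add(90 * day), ca, caKey},
	}
	results := make(map[string]Outcome)
	for i, s := range specs {
		leaf, _, err := newCert("client-"+s.name, int64(10+i), s.nb, s.na, s.ca, s.key)
		if err != nil {
			return nil, err
		}
		expired, verr := verifyClient(leaf, roots, now)
		o := Outcome{Accepted: verr == nil, Expired: expired}
		if verr != nil {
			o.Detail = verr.Error()
		}
		results[s.name] = o
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"valid", "expired", "expired-wrong-ca", "not-yet-valid"} {
		o := results[name]
		fmt.Printf("%-17s accepted=%-5v expired=%-5v %s\n", name, o.Accepted, o.Expired, o.Detail)
	}
}
```

The design point is that the exception is applied by re-running the complete verification with the clock pinned inside the leaf's validity window, not by switching verification off. In OpenSSL terms that corresponds to a verify callback that overrides the result only for the X509_V_ERR_CERT_HAS_EXPIRED error code (the condition behind the "alert number 45" in the s_client output above) and leaves every other error code as a rejection; overriding more than that error code widens the exception to certificates that were never trusted.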