From e5a19d43e026533a802b96d88f0a83301f20643e Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 25 Jun 2025 07:55:26 +0000
Subject: [PATCH] mod_ssl: Accept expired client certs with optional_no_ca mode.

* modules/ssl/ssl_private.h (ssl_verify_error_is_optional): Add X509_V_ERR_CERT_HAS_EXPIRED to the list of error exceptions permitted for "optional_no_ca" mode.
Submitted by: Naveen Albert
PR: 60028
Github: closes #509
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1926714 13f79535-47bb-0310-9956-ffa450edef68
---
 changes-entries/pr60028.txt | 3 +++
 modules/ssl/ssl_private.h | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changes-entries/pr60028.txt
diff --git a/changes-entries/pr60028.txt b/changes-entries/pr60028.txt
new file mode 100644
index 0000000000..8d57e50afd
--- /dev/null
+++ b/changes-entries/pr60028.txt
@@ -0,0 +1,3 @@
+ *) mod_ssl: For "SSLVerifyClient optional_no_ca" mode, accept
+ expired client certificates. PR 60028
+ [Naveen Albert ]
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index e3e41b7dff..7ebd3b48b3 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -459,7 +459,8 @@ typedef enum {
 || (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \
 || (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \
 || (errnum == X509_V_ERR_CERT_UNTRUSTED) \
- || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+ || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) \
+ || (errnum == X509_V_ERR_CERT_HAS_EXPIRED))
 
 /**
 * CRL checking mask (mode | flags)
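Review bot: The added `X509_V_ERR_CERT_HAS_EXPIRED` term in `ssl_verify_error_is_optional` drops the validity-period check for "optional_no_ca", and nothing in the hunk tells code that consumes the certificate about it. The macro tests only `errnum`, so as far as this hunk shows an expired certificate at any chain depth is tolerated, not only an expired leaf. Applications behind this mode that relied on mod_ssl to reject stale certificates now have to check the validity period themselves (for example through `SSL_CLIENT_V_END` or `SSL_CLIENT_V_REMAIN`) and should treat any `SSL_CLIENT_VERIFY` value other than `SUCCESS` as unauthenticated. I would add a comment above the `#define`, which starts outside the hunk, such as `/* optional_no_ca: expiry is deliberately not enforced here; consumers must check notAfter themselves */`, and state the same in the SSLVerifyClient documentation.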