I am working on migrating an application to httpd 2.4 on AL2023.  The 
application uses client certificates, which will be expiring before they can 
all be rotated with new expirations. I am attempting to configure httpd 2.4 to 
continue requiring client certificates, but change the configuration to accept 
them if they are expired. I have not been able to figure out how to accept 
expired client certificates, however, I did find some info from the following:
https://blog.fem.tu-ilmenau.de/archives/1025-Accepting-expired-client-certificates-with-apache-2.4.html
I tried the method suggested and built the shared library mysslverify.so, and 
placed the drop-in service file mysslverify.conf at 
/etc/systemd/system/httpd.service.d with contents:

[Service]
Environment="LD_PRELOAD=/etc/httpd/conf/mysslverify.so"
To reload the service file and restart httpd I issued: 

$ systemctl daemon-reload
$ systemctl restart httpd
For which there were no errors, and I confirmed mysslverify.so was loaded as 
follows:

$ ps aux | grep httpd
root      347549  0.8  0.1  35256 15144 ?        Ss   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347558  0.0  0.0  46212  5300 ?        S    23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347559  0.0  0.1 1572936 8620 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347560  0.0  0.1 1572936 8640 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347561  0.0  0.1 1736840 8684 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
root      347738  0.0  0.0 222312  2156 pts/5    S+   23:34   0:00 grep --color=auto httpd

$ cat /proc/347549/maps | grep mysslverify.so
7fec37187000-7fec37188000 r--p 00000000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec37188000-7fec37189000 r-xp 00001000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec37189000-7fec3718a000 r--p 00002000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec3718a000-7fec3718b000 r--p 00002000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec3718b000-7fec3718c000 rw-p 00003000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
After making this configuration change, expired certificates continued to be 
rejected. Issuing the openssl s_client command to test results in:

003E67F4887F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1605:SSL alert number 45
Clients using non-expired certificates can connect ok.
Also, at https://httpd.apache.org/support.html , I repeatedly attempted to go 
to the "archives" link that we are supposed to consult before posting. However, 
clicking on that link resulted in the error: httpd.markmail.ort took too long 
to respond (ERR_CONNECTION_TIMED_OUT). I found another link to the archive that 
is http://mail-archives.apache.org/mod_mbox/httpd-users/ , and that results in 
an error too: mail-archives.apache.org took too long to respond (ERR_TIMED_OUT).
Please advise on how I can get expired client certificates to be accepted by an 
httpd 2.4 server running on AL2023.