#2319 closed defect (duplicate)
"ssl_verify_client: optional" no longer forwards "FAILED" result on expired certificate
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.19.x |
| Keywords: | ngx_http_ssl_module, openssl, ssl_verify_client | Cc: | lbodtke@… |
| uname -a: | | | |
| nginx -V: | nginx version: nginx/1.19.9 | | |
Description
When using the following parameter in the module ngx_http_ssl_module: `ssl_verify_client: optional`, nginx used to forward the request to the backend, with `$ssl_client_verify` containing "FAILED: ...".
This also matched the documentation at:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify
(same applies to optional_no_ca)
Now, this is no longer working. When the client provides an expired certificate, nginx returns an HTTP 400 Certificate Error page instead of passing the request to the backend.
The root cause for this issue seems to be a change in OpenSSL, see:
https://github.com/openssl/openssl/issues/14036
Is this change in behaviour considered a bug in nginx, or will it stay this way and is there any other workaround for this?
Versions used:
OpenSSL 1.1.1l 24 Aug 2021
nginx version: nginx/1.19.9
The `ssl_verify_client optional;` never allowed expired certificates, and always generated error 495 on any certificate errors. You probably mean `optional_no_ca` instead: indeed, if there were multiple reasons for the certificate validation to fail, nginx might not know if the certificate is expired or not, depending on the OpenSSL version and exact configuration being used. The `optional_no_ca` is expected to allow certificates which are not signed by a known CA, but not certificates which are otherwise invalid as long as nginx knows it. If you want nginx to continue processing of requests with such invalid certificates, consider appropriate error_page configuration (see #1386 for an example). This is actually already outlined by myself in the OpenSSL ticket referenced in the ticket description.
Closing this as a duplicate of #338.
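A configuration along the lines of the comment above, as an added example that is not from the ticket, from #1386, or from nginx's own sources: it uses `optional_no_ca` and routes the internal 495 error to a named location so the backend still receives the request together with `$ssl_client_verify`. Server name, file paths, the backend address and the header names are assumptions.

```nginx
# Added example (not the ticket's or nginx's own configuration).
# Hostnames, certificate paths, backend address and header names are assumed.
server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate        /etc/nginx/certs/server.crt;      # assumed path
    ssl_certificate_key    /etc/nginx/certs/server.key;      # assumed path
    ssl_client_certificate /etc/nginx/certs/clients-ca.crt;  # assumed path

    # optional_no_ca lets the handshake complete when the chain does not end
    # at a trusted CA. Other failures nginx can detect (e.g. an expired
    # certificate) still produce the internal 495 error.
    ssl_verify_client optional_no_ca;

    # Send 495 (client certificate error) to a named location instead of the
    # built-in error page; "=" makes the response code the backend's.
    error_page 495 = @cert_error;

    location / {
        proxy_pass http://127.0.0.1:8080;              # assumed backend
        # $ssl_client_verify is "SUCCESS", "NONE", or "FAILED:<reason>".
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }

    location @cert_error {
        # Reached only after a verification error. The backend must treat the
        # request as unauthenticated and decide itself based on the header,
        # which here carries the "FAILED:..." reason string.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

The backend should check the forwarded header and not assume a client certificate was validated just because the request arrived; with this setup every certificate outcome, including a failed one, reaches it.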