id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2319	"""ssl_verify_client: optional"" no longer forwards ""FAILED"" result on expired certificate"	lbodtke@…		"When using the following parameter in the module ngx_http_ssl_module
{{{
ssl_verify_client optional;
}}}
nginx used to forward the request to the backend, with 
{{{$ssl_client_verify}}} containing ""FAILED: ..."".
This also matched the documentation at:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_verify

(same applies to optional_no_ca)


Now, this is no longer working. When the client provides an expired certificate, nginx returns an HTTP 400 Certificate Error page instead of passing the request to the backend.

The root cause for this issue seems to be a change in OpenSSL, see:
https://github.com/openssl/openssl/issues/14036

Is this change in behaviour considered a bug in nginx, or will it stay this way and is there any other workaround for this?

Versions used:
OpenSSL 1.1.1l 24 Aug 2021
nginx version: nginx/1.19.9"	defect	closed	minor		nginx-module	1.19.x	duplicate	ngx_http_ssl_module, openssl, ssl_verify_client	lbodtke@…		nginx version: nginx/1.19.9
