Verify client certificate, but ignore expiration date

I wanted to know whether I can configure nginx to verify client
certificates and reject them if invalid.

However, I would like to exclude the expiration date from the validation
step.

The context is rather simple.

I have some embedded devices trying to connect to a server. The client
certificate for these devices expired and for a certain time I will be
unable to update them.

Instead of disabling client certificates I would like to ‘just’ ignore
the expiration date.

Ideally I’d like to just ignore the expiration date of a few given
certificates, but in my current setup even ignoring all expiration dates
would be an option.

Is there any setup allowing this?

Thanks in advance for any suggestion of how to achieve this.

Hmm, no reaction to this question so far.
Does this mean it is impossible?

On 12/27/2011 01:34 PM, Gelonida wrote:

they will be returned for maintenance
Instead of disabling client certificates globally I would like to ‘just’ ignore
the expiration date of a selected list of devices

Ideally I’d like to just ignore the expiration date of a few given
certificates, but in my current setup even ignoring all expiration dates
would be an option until all devices were updated with new certificates.

Is there any setup allowing this?

Alternatively, I’d be willing to change the C source of nginx if this
would help me to solve the above-mentioned issue.

Thanks for any pointers and suggestions.

P.S. I know that the ‘real’ answer would be to just avoid the above
situation and renew certificates prior to their expiration. However, this
is unfortunately not possible for the already deployed devices.

On 27.12.2011 at 13:34, Gelonida wrote:

Ideally I’d like to just ignore the expiration date of a few given certificates,
but in my current setup even ignoring all expiration dates would be an option.

Is there any setup allowing this?

Thanks in advance for any suggestion of how to achieve this.

I would suspect that most (all?) validation is done in the
SSL libraries.

As such, you would probably have to modify the OpenSSL source.

I’m no programmer (sitting in a glass house here), but I’d say if you
knew how to do that, you wouldn’t have asked the original question
anyway.

Instead of trying to find a “quick fix”, I would accelerate the project
to update the clients.