How are client certificate expired CRLs handled?

DankMemes nginx-forum at
Thu Nov 26 04:58:19 UTC 2015

If any of the concatenated CRLs in the file provided to ssl_crl have expired
(root or intermediate), what is the Nginx behavior (assuming
ssl_verify_client is on)? Does it result in failing verification of the
client certificate (chain), or does it just log a warning, or nothing
happens? If it does fail verification, how can I detect that specific
problems and still perform the rest of verification (valid certificate which
itself has not expired and chain of trust can be established to the
verification depth) (the CA I'm using to generate the CRLs is on the same
server, so it's not a problem if it's actually expired -- though a warning
message would be nice as a reminder to the admin).

Posted at Nginx Forum:,263087,263087#msg-263087

More information about the nginx mailing list