400 bad request with ssl_verify_client optional

Maxim Dounin mdounin at mdounin.ru
Thu Jun 28 13:27:25 UTC 2018


On Wed, Jun 27, 2018 at 08:25:38PM -0400, Danomi Czaski wrote:

> I get 400 bad request when client certs are used early even though I
> have ssl_verify_client optional.
> nginx: [info] 9612#0: *338 client SSL certificate verify error:
> (9:certificate is not yet valid) while reading client request headers,
> Is there anyway to ignore the time check?

The only thing you can do if client presents an invalid certificate is 
to handle this via the error_page directive, see here:


In the error_page you can even recover to normal request handling, 
but I wouldn't recommend doing this, as this can easily result in 
security problems if a configuration uses $ssl_client_* 
variables without checking $ssl_client_verify first.

Maxim Dounin

More information about the nginx mailing list